THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2014-10-07
From SPDX Wiki
October 10, 2014
Contents
Attendees
- Gary O'Neall
- Bill Schineller
- Kate Stewart
- Jack Manbeck
- Scott Sterling
Agenda
- Schedule for 2.0
- External document references
- Support for multiple checksum types
Schedule for 2.0
- Key Dates:
- November 14: SPDX 2.0 Draft complete, distributed for internal review/comment (internal to business, legal and technical committees)
- Dec 1. Deadline for feedback
- Dec. 1-17 incorporate feedback
- Dec. 18 SPDX 2.0 release candidate for tools implementation and release to general mailing list
- Dec 19th: Tool Implementation Kickoff
- Feb. 18-20 Collab Summit - Tools implemented, Plug-and-Play event to test tool interoperability
- compare SPDX 2.0 output of different tools for compatibility/consistency
- supply chain example. Upstream SPDX consumed by downstream SPDX.
- Won't make the current plan of LInuxCon Europe (which is next week)
- Draft ready for Linux Open in December - either the first or 15th
- Kate will be offline 3 weeks last part of Nov through Dec 1
- Kate will publish draft before going offline - November 14th
- Dec 1. - deadline for feedback
- First 1/2 December gather feedback
- Target December 18th for release candidate 1 (RC1) - ready for tools implementation
- Remaining work - Kate will publish a list
- Would like to get additional checksums
- License identifiers in the code as an appendix
- License Expressions Syntax
- Jack will publish a draft for this section
- Tools to be implemented by LinuxCon
- Tools demo including use cases - supply chain examples
- Bake-off/Plug-n-play/interoperability tests between tools
- Migration from 1.0 to 2.0
- Should the business team take on the migration collateral?
- Highlights of 2.0 on the 18th
- Migration details and "what's new in SPDX 2.0" papers should be published soon after the 18th.
External document references
- Reviewed email proposal
- Kate will do a more detailed review and email any changes
- Gary will update the proposal to include an SPDX default namespace for those without their own creator website
- We agreed not to implement the storage of SPDX documents now
- We will discuss this at LinuxCon
- we will add a page to describe the use of the document URIs to the SPDX web page that may be referenced from the default spdx namespace
Additional Checksum Types
- Bruno proposed additional types
- SHA-256
- cardinality would be changed to 1 or more (from 1)
- Do we also allow for other types to be used in the verification code (in addition to using the checksum types for the file checksums)?
- Mandatory sha1, others are optional
- Verification code would also be a mandatory sha1 with optional other
- Should we change the mandatory from sha1 to sha256?
- sha1 has been proven vulnerable
- sha1 would be compatible with 1.2
- vulnerability would not be too severe for our use cases