THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
General Meeting/Minutes/2016-08-04
- Attendance: 12
- Led by Phil Odence
- Minutes of July meeting approved
Special Guest - Alexios Zavras, Intel
- His role is open source compliance at Intel, based in Munich
- Now at open source tech center
- Will be talking about his previous role with Intel Mobile Comms
- Mobile Comms
- Based in Germany
- Germans are very process-oriented, well-documented
- His role was SW legal compliance.
- Ensuring all software legally compliant across all kinds of software
- They treat all compliance issues as a bug, just like any problem in the software
- Alexios learned of SPDX and was very pleased and excited about it
- Didn’t manage to get everything SPDX based
- Started slowly
- SPDX is very valuable at many levels
- Even just the license list and standard way of expressing was very helpful
- Quickly standardized on SPDX notations and it started appearing in their documentation etc
- Included in training that was mandatory for SW devs and later extended to marketing, legal, biz dev
- Everyone who touches software had to take on-line course with a deeper course available for some
- Have developed number of tools, tightly coupled with dev environment
- All developed internally
- Very tightly controlled, e.g. can't check out code without a ticket
- Tool chain includes license compliance
- Central team provides compliance services to dev
- Too much for every dev to worry about individually
- Fits with org structure
- The internal team reviews all code
- Started small, then more widespread and more automated
- Today every release goes through this license compliance check
- Requires ‘stamp of approval’ from central team
- To make the central team more efficient
- Save all results
- Including many of the SPDX fields
- Saved in database
- Last step, not yet taken, is to generate an SPDX doc for each release
- Just held up by organizational issues, technically feasible
- Being worked on
- Have started getting the request from customers
- Not mentioning SPDX by name; have not seen that yet
- But asking for the data that SPDX covers: files, licenses, etc.
- (Both requests are from European customers)
- When they generate SPDX
- Permissive licenses require attribution
- They've had an issue with that going back 5 years
- Their policy for handling it is to deliver all OSS in source form
- So attribution is included in the source comments
- They include a list of open source components and model licenses, but the attribution itself is all in the source code
- Example- Modem company
- Intel provides chips and software in binary form
- Packaging: with the binary they include
- All source for the open source components in the binary
- And a list of conditions for any third-party proprietary code
- Q: Are they being asked for security vulnerabilities associated with components?
- Not yet, but they are thinking about it with respect to naming (CPEs, etc)
- AZ- “Thanks for the wonderful work. It’s really helpful.”
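The notation and release-document steps above (SPDX-License-Identifier tags in source headers, per-file results saved for the central team, an SPDX document generated per release, and attribution that must travel with permissively licensed source) as an added example in Python; it is not Intel's internal tooling and not an SPDX project tool. The embedded license subset, the sample source tree, the attribution check, the document namespace and the creator string are all constructed assumptions; the real license list is at https://spdx.org/licenses/, and a production scanner would validate against the full list and handle WITH exceptions.

```python
"""Scan a source tree for SPDX-License-Identifier tags, check the
identifiers against a (constructed, partial) copy of the SPDX license
list, keep one result record per file, and render a minimal SPDX 2.1
tag-value document for a release.  Added example, not Intel's tooling."""
import hashlib
import re
from datetime import datetime, timezone

# Assumption: a small subset of the SPDX license list, embedded so the
# example runs offline.  The real list is at https://spdx.org/licenses/.
KNOWN_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0",
                  "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only"}
# Permissive identifiers whose attribution must travel with the source.
ATTRIBUTION_REQUIRED = {"MIT", "BSD-3-Clause", "Apache-2.0"}

TAG_RE = re.compile(r"SPDX-License-Identifier:[ \t]*([^\r\n]+)")
COPYRIGHT_RE = re.compile(r"Copyright[^\r\n]*", re.IGNORECASE)


def _strip_closers(s):
    """Drop a trailing comment terminator so '/* ... */' headers parse."""
    for closer in ("*/", "-->"):
        s = s.split(closer, 1)[0]
    return s.strip()


def extract_identifier(text):
    """License expression from the file's SPDX tag, or None if absent."""
    m = TAG_RE.search(text)
    return _strip_closers(m.group(1)) if m else None


def expression_licenses(expr):
    """Identifiers in a simple expression using AND / OR and parentheses.
    Assumption: 'WITH' exceptions are not handled by this example."""
    cleaned = expr.replace("(", " ").replace(")", " ")
    return [tok for tok in cleaned.split() if tok not in ("AND", "OR")]


def check_file(path, text):
    """One saved record per file; any problem is recorded as a finding,
    matching the 'a compliance issue is a bug' rule from the talk."""
    expr = extract_identifier(text)
    cr = COPYRIGHT_RE.search(text)
    licenses = expression_licenses(expr) if expr else []
    rec = {
        "FileName": "./" + path,
        "SPDXID": "SPDXRef-File-" + re.sub(r"[^A-Za-z0-9.-]", "-", path),
        # SPDX 2.1 mandates a SHA-1 FileChecksum (an identity tag, not a security control).
        "FileChecksum": "SHA1: " + hashlib.sha1(text.encode()).hexdigest(),
        "LicenseExpression": expr,
        "LicenseInfoInFile": licenses or ["NOASSERTION"],
        "FileCopyrightText": _strip_closers(cr.group(0)) if cr else None,
        "findings": [],
    }
    if expr is None:
        rec["findings"].append("no SPDX-License-Identifier tag")
    for lic in licenses:
        if lic not in KNOWN_LICENSES:
            rec["findings"].append("unknown license identifier " + lic)
        elif lic in ATTRIBUTION_REQUIRED and cr is None:
            rec["findings"].append(lic + " needs attribution but no copyright line found")
    return rec


def release_report(tree):
    """Check every file of a release; the 'stamp of approval' is granted
    only when no file carries a finding."""
    records = [check_file(p, t) for p, t in sorted(tree.items())]
    return all(not r["findings"] for r in records), records


def spdx_document(name, records, created=None):
    """Render the saved records as a minimal SPDX 2.1 tag-value document.
    Assumption: namespace and creator are placeholders."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = ["SPDXVersion: SPDX-2.1", "DataLicense: CC0-1.0",
             "SPDXID: SPDXRef-DOCUMENT", "DocumentName: " + name,
             "DocumentNamespace: http://example.com/spdx/" + name,
             "Creator: Tool: example-spdx-scan-0.1", "Created: " + created, ""]
    for r in records:
        # A file with open findings gets NOASSERTION until a human concludes it.
        concluded = r["LicenseExpression"] if r["LicenseExpression"] and not r["findings"] else "NOASSERTION"
        lines += ["FileName: " + r["FileName"], "SPDXID: " + r["SPDXID"],
                  "FileChecksum: " + r["FileChecksum"], "LicenseConcluded: " + concluded]
        lines += ["LicenseInfoInFile: " + lic for lic in r["LicenseInfoInFile"]]
        cr = r["FileCopyrightText"]
        lines += ["FileCopyrightText: " + ("<text>" + cr + "</text>" if cr else "NONE"), ""]
    return "\n".join(lines)


# Constructed sample tree: two clean files, an unknown identifier, a file
# with no tag, and a permissive file that lost its attribution line.
SAMPLE_TREE = {
    "modem/ring.c": "/* SPDX-License-Identifier: MIT */\n"
                    "/* Copyright (c) 2016 Example Modem Co. */\nint ring(void) { return 0; }\n",
    "modem/crypto.h": "// SPDX-License-Identifier: Apache-2.0 OR BSD-3-Clause\n"
                      "// Copyright 2015 Example Modem Co.\n",
    "build/gen.py": "# SPDX-License-Identifier: BSD\n# Copyright 2016 Example Modem Co.\n",
    "modem/legacy.c": "int old(void) { return 1; }\n",
    "modem/util.c": "/* SPDX-License-Identifier: MIT */\nint util(void) { return 2; }\n",
}

if __name__ == "__main__":
    ok, recs = release_report(SAMPLE_TREE)
    for r in recs:
        for f in r["findings"]:
            print("BUG " + r["FileName"] + ": " + f)
    print("approved" if ok else "blocked: fix findings before release")
    print(spdx_document("modem-fw-1.0", recs))
```

Run against the constructed tree, the release is blocked by three findings (an invalid identifier, an untagged file, and an MIT file with no copyright line), and the rendered document marks those files LicenseConcluded: NOASSERTION while the two clean files carry their expressions; swapping the in-memory tree for a directory walk is the only change needed to point it at a real checkout.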
Tech Team Report - Kate
- Spec
- Collecting feedback
- Addressing it as it comes in
- Gary has taken a pass at updating tools
- In the polishing stage
- One more round of feedback
- Into publishing mode as of Tuesday
- Bake Offs
- Possibly SF on 9/27 and Europe at LinuxCon
- Needs to be nailed down in the next couple of weeks
Outreach Team Report - Jack
- Website
- Still working this week
- Will review at next week’s meeting
- Should be close to go-live; shooting for LinuxCon NA
- Still looking for some improvements that will require work from the Linux Foundation team
- No show stoppers
- Will send out link for review
Legal Team Report - Jilayne
- XML review
- Still plugging away
- Timeline set
- 2.5 release
- Just a few licenses
- Aiming for end of Oct
- See Legal Team meeting minutes for detail
- Could use all the help they can get; lots to do
- To review new XML master format for every license
Cross Functional Topics - Phil
- Guest stars
- Always looking for more
Attendees
- Phil Odence, Black Duck
- Alexios Zavras, Intel
- Kate Stewart, Linux Foundation
- Jilayne Lovejoy, ARM
- Scott Sterling, Palamida
- Robin Gandhi, UNO
- Jack Manbeck, TI
- Yev Bronshteyn, Black Duck
- Matt Germonprez, UNO
- Michael Herzog, nexB
- Georg Link, UNO
- Mike Dolan, Linux Foundation