General Meeting/Minutes/2016-07-07

• Attendance: 13
• Lead by Phil Odence
• Minutes of June meeting approved

Special Guest - Sam Ellis, ARM

• Sam works in ARM’s Cambridge HQ
  • SW Engineer/Mgr
  • No legal training
  • Has gotten involved just as part as his job
  • Now acts as bridge between dev and legal teams
• They use a license scanning tool
  • That’s the implementation of SPDX
  • Keen on the license list for name consistency
  • And using SPDX basis of repository of data about open source in products
• Dev process
  • Similar to most
  • Are careful to separate out open source archive
    • Basis of license scanning
    • Develop an SPDX tag format report for each product
• Legal Approval Process
  • They use a custom tool internally
  • When open source comes into the company, they assess risk
  • Recently put a new system in place
    • Asks the type of questions that SPDX captures
      • Package name, licenses, copyright notices, where downloaded, etc.
    • Goal is to to eventually import/export SPDX for this purposes
  • Tracks OSS use cases
• Two systems using
  • Approval process
  • Data from the build
  • Will eventually try to compare to ensure sync
    • Can be hard to maintain, particularly when removing stuff.
• Sam’s projects use and exceptionally large amount of OSS
  • Need to explain to customers
  • Ideally would like to auto-gen the list of licenses they publish
    • Practical Problem: They don’t want to declare all
      • For example, disjunctive license, may only want declare one
• Would like to ship SPDX
  • Need to work out how much to declare
  • They get a lot of queries
    • Concern is does providing more info, generate more queries
  • * Certainly they feel that SPDX is the right format
• Observations
  • Tag file is large - 130 MB for one product
    • Too large to ship, but could include on website
    • Too much info to be comprehensible
  • People who need to use, don’t have the tools
    • Need something that can open and filter/summarize
• Learning
  • In the past have developed one big SPDX file
  • Probably a mistake, should have broken it down
• Discussion
  • Tooling- perhaps the convertor to spreadsheet
  • Supply chain partners are really interested in use cases, not just what’s in product
  • Any sharing SPDX docs within company yet? - No, not yet.

Tech Team Report - Kate/Gary

• Spec
  • 2.1 draft is out for review
    • open until the end of the month
    • assuming no show stoppers, that should be it
• Tooling
  • Started updating for 2.1 last week
  • External references implementation taking more time than anticipated
  • Tooling first pass should be ready with 2.1 release timeframe
  • Gary is keen for feedback on our tools and any issues in implementing other tools

Outreach Team Report - Jack

• Website
  • Very close to wrapping up
  • Looking at final review next week

Legal Team Report - Jilayne

• XML templates
  • Review continuing
  • Call today will checkpoint where we are and remaining work
• 2.5 list release
  • Should be live in the next day or two
  • Not too many new licenses

Cross Functional Topics - Phil

• Guest stars
  • Always looking for more
• LinuxCon
  • Looks light nothing official

Attendees

• Phil Odence, Black Duck
• Kate Stewart, Linux Foundation
• Jilayne Lovejoy, ARM
• Scott Sterling, Palamida
• Robin Gandhi, UNO
• Jack Manbeck, TI
• Yev Bronshteyn, Black Duck
• Gary O’Neill, SourceAuditor
• Mark Gisi, Wind River
• Dave Marr, Qualcomm
• Matt Germonprez, UNO
• Michael Herzog- nexB
• Sam Ellis, ARM