THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

General Meeting/Minutes/2017-03-02

From SPDX Wiki
< General Meeting‎ | Minutes
Revision as of 16:59, 2 March 2017 by Podence (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
  • Attendance: 11
  • Lead by Phil Odence
  • Minutes of Feb meeting approved


Special Presentation- Mark Charlebois / Rashmi Chitrakar, Qualcomm

  • Mark from corp R&D, Rashmi from the open source group
  • Mark works on Dronecode
    • Goal is to build with Yocto
    • Want to provide good license info
    • At the outset Yocto build only supported SPDX 1.0 and uses FOSSology for scanning
      • Yocto is a distribution that comes with recipes for custom builds
    • Motivation
      • reducing scan times was key
      • FOSSology was taking as much as 6 days
      • Introducing LiD to address
  • (Deck is available)
  • Yocto
    • has a number of build stages
    • current integration was inserted after patch stage to only scan what’s patched
    • but that doesn’t allow for reusability
    • So, the approach was to scan upstream sources and focus scan on only patches
    • Uses Yocto archiver
  • FOSSology integration
    • Mark was not able to even get it going
    • Old, did not seem well maintained
  • New integration
    • Implements approach to
    • Leverage newer SPDX capabilities
      • Relationships between files
      • Usage info (e.g. dynamic library)
    • Allows for parallelizing across machines
    • Can flag discrepancies (e.g. two different licenses declared)
    • Goal
      • create a federated commons of pre-scanned code
      • so, everyone’s work is cut by, say, 90% (as they only need to scan their customer 10%)
  • LiD
    • Main Features of Scanners
      • They have access to FOSSology tools (Nomos, Monk)
      • Evaluated using Qualcomm code for testing
      • Nomos was pretty good at detecting license language (94%)
      • Monk, only about 25%
      • Used SPDX license list as source for license matching
    • Goal
      • Aiding in license compliance
      • Hope was to generate SPDX
  • Main functions
    • Scans source code to ID license language
    • Natural Language Process “Bag of words” approach
    • Jakarta index shows how well it matches
    • Levenstein measures to determine where to start/end
    • Output- color coded matches (and deviations)
    • Matched about as well as Noms
    • Accuracy
      • Right license
      • Right region
    • Better than Nomos at extracting full text; Monk really fell short
    • Can be tuned
      • Based on LiD Scores (1-perfect)
        • Scores of above .6 were pretty good, but user can adjust
      • Nomos, being REGEX based is very computationally expensive.
  • Will be available on GitHub
    • But available already
  • Q&A
    • What’s going on with Debian?
    • It’s being tested on Debian, not a lot of feedback yet


Tech Team Report - Kate

  • Spec
    • Have been working on reference examples
      • Filling in how to do examples
    • Spec being converted to docbooks for style
      • Mobile-friendly
    • Getting the spec up on GitHub so changes can be tracked, pull requests, etc
      • Eventually we’ll move there from Bugzilla for issue tracking
    • FacetoFace in Tahoe
      • Jilayne did a great presentation that is available as video, Kate’s as well
      • JSON format discussion
  • Tools
    • Talked through plans at Face to Face


Outreach Team Report - Jack

  • Accepted for Google Summer of Code
    • Starting to get interest
  • Short meeting last week
    • Talked about feedback from Matt’s project surveying companies
    • Need to decide if we will do a survey
    • Jack says we really need to look at the Ecosystem
      • Define user types and what to tell them they should do
      • Need to paint a picture of what success is with SPDX
      • Some feedback from site “I’m a developer, what do I do?”
  • Considering whether we need someone on the outreach team who is more OSS community-focused
    • Perhaps looking at “SPDX lite” (wrong word) sort of approach, and easy way to get started


Legal Team Report - Jilayne/Paul

  • Good meetings at Tahoe
    • 2 hour working session
      • Action plan for XML conversion
      • How to completely connect the dots and organize upcoming task
  • Today’s call will follow up
  • Brad Edmondson developing deck and presenting to ABA group


Attendees

  • Mark Charlebois, Qualcomm
  • Rashmi Chitrakar, Qualcomm
  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Philippe Ombrédanne- nexB
  • Paul Madick, Dimension Data
  • Jilayne Lovejoy, ARM
  • Jack Manbeck, TI
  • Michael Herzog- nexB
  • Mark Gisi, Wind River
  • Thomas Steenbergen, HERE