Technical Team/Minutes/2013-03-19

General Upates

Jack requests we walk through the website / wiki next time

Kate wants to start a draft of SPDX 2.0 documentation

Kate mentions that the UNO folks felt need for a reviewer comment at every level (e.g. File Level, not just the Doc level)

Modeling

Next steps would be to do an instance diagram.

Kate suggests use case of Time 1.7 upstream getting consumed by Ubuntu who applies patches to it. http://archive.ubuntu.com/ubuntu/pool/main/t/time/

Items for discussion about the updated model

Document Relationship: the 'downstream' Document includes the relationship, and propose it carries the SHA-1 hash of the document it refers to. And optionally the digitally signed hash...

Specifier: let's get concrete about this...

Gary thinks Specifier is a pair of a URI plus some sort of checksum that can be used to validate what the URI refers to.

SPDXDoc can't have a Specifier inside itself. But SPDXElements / SPDXPackage / could reference a specifier.

Bill points out that Ed's Adopted Proposal indicates influence of Maven guys who do similar.

Perhaps our Spec / Best Practices can point to how we recommend people publish their public keys...

https://docs.sonatype.org/display/Repository/How+To+Generate+PGP+Signatures+With+Maven

Here's an excerpt from that post talking about digital signatures:

Distribute Your Public Key

Since other people need your public key to verify your files, you have to distribute your public key to a key server:

   $ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys C6EED57A

Here I distributed my public key to hkp://pool.sks-keyservers.net, use --keyserver along with a key server address, and use --send-keys along with a keyid. You can get your keyid by listing the public keys.

Note

Public keys are synced among key servers, but it may take a while.

Now other people can import your public key from the key server to their local machines:

   $ gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys C6EED57A