THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2014-04-08

From SPDX Wiki
Jump to: navigation, search

April 8, 2014

Attendees

  • Gary O’Neall
  • Bill Schineller
  • Michael Herzog
  • Mark Gisi
  • Scott Sterling
  • Jack Manbeck
  • Sameer Ahmed
  • Kate Stewart
  • Matt Germonprez

Agenda

  • Relationship and Usage

Relationship and Usage

Sameer's use case and relationship list from April 8

  • Gary - what’s contained in source offer?
  • Ahmed: build from and build script - can include configuration of makefile in there.
  • Mark: what ever you need to satisfy the obligation of the distribution would go there.
  • Gary: was reading it as being restricted to source code.
  • Mark: open to refining. refinement: “Source, archive, and any other”.
  • Add this use case to our set of SPDX 2.0 use cases?
    • No objections. So yes will include with refinement.
  • MetaFile vs. SPDXFile vs. SourceOffer - need to call them out extra?
    • Mark - finds from early experiences, likes to see pulled out.
    • Jack - is MetaFile more a usage? Mark - notices.txt, license.txt - can use this to create a dependency. That is the motivation.
    • Kate - multiple ways may lead to confusion? What happens if multiples - is ok?
    • Mark: yes, it should work. This is part of relationship identifiers.
    • Jack: If we want to get source offer added to the spec, we need get legal team involved. What about buildFrom? Mark: ok with name change. Maybe distribution artifact. Jack: SoureOffer is a loaded term. Uses it as here are the notices, and source code. which constitutes the SourceOffer.


    • Jack: if bsd code and link with bsd binary. I have a binary and here is all my information.
    • Mark: Adding LGPL, etc makes it more interesting. In the supply chain this has value.
    • Michael: In some point people will do actual builds, but if they don’t do builds but just use prebuilt binaries - what are the inherited obligations. Its a way to pass the compliance relationship downstream.
    • Jack: Its a relationship - has to point to another element of “something”. Whether this is built from or source offer. Semantically different, but sort of same.
    • Michael: Source Offer - example of distributing a toolchain. Relationship isn’t always apparent.

Mark: End user may not care about how the building works, just the obligations.


    • Bill: is this file types or relationships?
    • Mark: we view this as relationships.
    • Bill: is everything point from one SPDX element to another?
    • Mark: yes.


    • Jack: We need another term than SourceOffer - will be a lightening term.
    • Mark: OK with DistributionArtifact.
    • Gary: Possibly we should have LicenseFile, NoticeFile - instead of MetaFile?
    • Possible definition: MetaFile - any file that has a description of a package that is not required for compilation….
    • Mark: Have shown what we have found useful, not exactly what gets put in the Spec. Key is be able to represnt what we are finding today.
    • Gary: OK, we’ll just come up with a more general definition, rather than do the splitting.
    • Mark: Went through parameters of usage for zlib. Raw analysis shows what can do in modify and don’t modify cases. Once you use it (“usage”), then you have to start interpreting the licensing information. Analysis results are what is documented in usage.

Review Usage and Relationship Enumerations from Gary's Email on April 4

  • If anyone has existing definition for these, chime up.


  • _partOf and _contained - may be redundant.
  • _generatedFrom - could be same as buildFrom.
  • _revisionOf may overlap with _modifies


  • Kate: favoring keeping _partOf _generatedFrom _modifiedBy _revisionOf
  • Gary: with the inverse between _partOf and _contains.
  • Mark: contains is good because we are starting to think about packages as container.

_contains and _containedBy

  • Mark: maybe _containedWithin
  • Jack: we are effectively creating a BOM with elements - maybe we should see if we can see if there is some folk that have solved. ACTION: Jack: volunteering to look for prior art that might fit.


  • Jack - can you be a part of something without being contained within? Gary: need to come up with example to illustrate this before we keep it in.


  • Basically - we want to have bidirectional.


    • _generates and _generatedFrom
  • Basically close enough to builtFrom so lets go with the more general which is _generated.


    • Bill: XML and JAVA file, transformation from XML to JAVA class of Beans.


  • Next week: pick up Usage from Gary’s note.
Retrieved from "https://wiki.spdx.org/index.php?title=Technical_Team/Minutes/2014-04-08&oldid=3161"