THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

General Meeting/Minutes/2016-07-07

From SPDX Wiki
Jump to: navigation, search
  • Attendance: 13
  • Lead by Phil Odence
  • Minutes of June meeting approved


Special Guest - Sam Ellis, ARM

  • Sam works in ARM’s Cambridge HQ
    • SW Engineer/Mgr
    • No legal training
    • Has gotten involved just as part as his job
    • Now acts as bridge between dev and legal teams
  • They use a license scanning tool
    • That’s the implementation of SPDX
    • Keen on the license list for name consistency
    • And using SPDX basis of repository of data about open source in products
  • Dev process
    • Similar to most
    • Are careful to separate out open source archive
      • Basis of license scanning
      • Develop an SPDX tag format report for each product
  • Legal Approval Process
    • They use a custom tool internally
    • When open source comes into the company, they assess risk
    • Recently put a new system in place
      • Asks the type of questions that SPDX captures
        • Package name, licenses, copyright notices, where downloaded, etc.
      • Goal is to to eventually import/export SPDX for this purposes
    • Tracks OSS use cases
  • Two systems using
    • Approval process
    • Data from the build
    • Will eventually try to compare to ensure sync
      • Can be hard to maintain, particularly when removing stuff.
  • Sam’s projects use and exceptionally large amount of OSS
    • Need to explain to customers
    • Ideally would like to auto-gen the list of licenses they publish
      • Practical Problem: They don’t want to declare all
        • For example, disjunctive license, may only want declare one
  • Would like to ship SPDX
    • Need to work out how much to declare
    • They get a lot of queries
      • Concern is does providing more info, generate more queries
    • * Certainly they feel that SPDX is the right format
  • Observations
    • Tag file is large - 130 MB for one product
      • Too large to ship, but could include on website
      • Too much info to be comprehensible
    • People who need to use, don’t have the tools
      • Need something that can open and filter/summarize
  • Learning
    • In the past have developed one big SPDX file
    • Probably a mistake, should have broken it down
  • Discussion
    • Tooling- perhaps the convertor to spreadsheet
    • Supply chain partners are really interested in use cases, not just what’s in product
    • Any sharing SPDX docs within company yet? - No, not yet.


Tech Team Report - Kate/Gary

  • Spec
    • 2.1 draft is out for review
      • open until the end of the month
      • assuming no show stoppers, that should be it
  • Tooling
    • Started updating for 2.1 last week
    • External references implementation taking more time than anticipated
    • Tooling first pass should be ready with 2.1 release timeframe
    • Gary is keen for feedback on our tools and any issues in implementing other tools

Outreach Team Report - Jack

  • Website
    • Very close to wrapping up
    • Looking at final review next week


Legal Team Report - Jilayne

  • XML templates
    • Review continuing
    • Call today will checkpoint where we are and remaining work
  • 2.5 list release
    • Should be live in the next day or two
    • Not too many new licenses


Cross Functional Topics - Phil

  • Guest stars
    • Always looking for more
  • LinuxCon
    • Looks light nothing official


Attendees

  • Phil Odence, Black Duck
  • Kate Stewart, Linux Foundation
  • Jilayne Lovejoy, ARM
  • Scott Sterling, Palamida
  • Robin Gandhi, UNO
  • Jack Manbeck, TI
  • Yev Bronshteyn, Black Duck
  • Gary O’Neill, SourceAuditor
  • Mark Gisi, Wind River
  • Dave Marr, Qualcomm
  • Matt Germonprez, UNO
  • Michael Herzog- nexB
  • Sam Ellis, ARM