THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
General Meeting/Minutes/2016-07-07
From SPDX Wiki
< General Meeting | Minutes
- Attendance: 13
- Lead by Phil Odence
- Minutes of June meeting approved
Contents
Special Guest - Sam Ellis, ARM
- Sam works in ARM’s Cambridge HQ
- SW Engineer/Mgr
- No legal training
- Has gotten involved just as part as his job
- Now acts as bridge between dev and legal teams
- They use a license scanning tool
- That’s the implementation of SPDX
- Keen on the license list for name consistency
- And using SPDX basis of repository of data about open source in products
- Dev process
- Similar to most
- Are careful to separate out open source archive
- Basis of license scanning
- Develop an SPDX tag format report for each product
- Legal Approval Process
- They use a custom tool internally
- When open source comes into the company, they assess risk
- Recently put a new system in place
- Asks the type of questions that SPDX captures
- Package name, licenses, copyright notices, where downloaded, etc.
- Goal is to to eventually import/export SPDX for this purposes
- Asks the type of questions that SPDX captures
- Tracks OSS use cases
- Two systems using
- Approval process
- Data from the build
- Will eventually try to compare to ensure sync
- Can be hard to maintain, particularly when removing stuff.
- Sam’s projects use and exceptionally large amount of OSS
- Need to explain to customers
- Ideally would like to auto-gen the list of licenses they publish
- Practical Problem: They don’t want to declare all
- For example, disjunctive license, may only want declare one
- Practical Problem: They don’t want to declare all
- Would like to ship SPDX
- Need to work out how much to declare
- They get a lot of queries
- Concern is does providing more info, generate more queries
- * Certainly they feel that SPDX is the right format
- Observations
- Tag file is large - 130 MB for one product
- Too large to ship, but could include on website
- Too much info to be comprehensible
- People who need to use, don’t have the tools
- Need something that can open and filter/summarize
- Tag file is large - 130 MB for one product
- Learning
- In the past have developed one big SPDX file
- Probably a mistake, should have broken it down
- Discussion
- Tooling- perhaps the convertor to spreadsheet
- Supply chain partners are really interested in use cases, not just what’s in product
- Any sharing SPDX docs within company yet? - No, not yet.
Tech Team Report - Kate/Gary
- Spec
- 2.1 draft is out for review
- open until the end of the month
- assuming no show stoppers, that should be it
- 2.1 draft is out for review
- Tooling
- Started updating for 2.1 last week
- External references implementation taking more time than anticipated
- Tooling first pass should be ready with 2.1 release timeframe
- Gary is keen for feedback on our tools and any issues in implementing other tools
Outreach Team Report - Jack
- Website
- Very close to wrapping up
- Looking at final review next week
Legal Team Report - Jilayne
- XML templates
- Review continuing
- Call today will checkpoint where we are and remaining work
- 2.5 list release
- Should be live in the next day or two
- Not too many new licenses
Cross Functional Topics - Phil
- Guest stars
- Always looking for more
- LinuxCon
- Looks light nothing official
Attendees
- Phil Odence, Black Duck
- Kate Stewart, Linux Foundation
- Jilayne Lovejoy, ARM
- Scott Sterling, Palamida
- Robin Gandhi, UNO
- Jack Manbeck, TI
- Yev Bronshteyn, Black Duck
- Gary O’Neill, SourceAuditor
- Mark Gisi, Wind River
- Dave Marr, Qualcomm
- Matt Germonprez, UNO
- Michael Herzog- nexB
- Sam Ellis, ARM