General Meeting/Minutes/2019-09-05

• Attendance: 17
• Lead by Phil Odence
• Minutes of Aug meeting approved

Special Presentations - Hiro Fukuchi, Sony

• SPDX- Lite
  • Open Chain Japan Work Group
    • Member companies- Toyota, Denso, Panasonic, Pioneer, Sony, Fujitsu, Olympus, Renesas
  • Common Problem- Can’t get OSS information from suppliers (HW vendors, ODMs, SOC, partners…in Asia (China/Taiwan) and Japan
    • They don’t have complete information
    • Don’t have the tools to generate and evaluate
  • SPDX Lite is part of guidelines
    • Fits in at a fairly high level of maturity
      • OpenChain - “Making Process”
      • SPDX (and OSS tooling) - “Improving Process”
      • Most suppliers are at low levels of maturity
    • Looking not to fork, but to expand usage of SPDX Lite
  • Lite Description
    • Subset of SPDX
    • Minimum requirement
    • Can be manually generated
    • Proved in actual business use
  • Scenarios
    • 1 Unskilled suppliers
      • Useful at a lower level of maturity than SPDX requires
    • 2 Non-engineering Staff
      • More understandable by Legal and Procurement staff.
    • Skilled suppliers would still use full SPDX
      • OpenChain compliant suppliers would be sophisticated enough
  • Question: Is SPDX Lite fully SPDX compliant
    • Yes, all mandatory fields are included in SPDX Lite plus some of the optional fields may be included.

Tech Team Report - Gary

• Spec
  • Being worked in a GitHub repo
    • Set up for pull requests for 2.2
    • Anyone who has ideas or proposed changes, please submit as a pull request
    • One in place is SPDX Lite
      • Proposal is as an Appendix
      • Thought is a profile for a specific use case
      • Could be first of a number of profiles
• Tools
  • Successful conclusion to GSoC
    • All passed
    • A number of new libraries including Python, Golang
    • Mentors and students were great
    • Record number of projects
  • Challenge now is integrating and putting into production
    • All legal team tools have been submitted as pull requests
      • Should be up and running in a month or so.

Legal Team Report - Jilayne/Paul/Steve

• Legal Team License Submittal Demo (GSoC)
  • Video and minutes available
  • Need to update contribution instructions
• Team call today
• License List
  • 3.7 release at end of month
    • Fewer licenses in release that some recents
  • Recent discussions have been more high level on principles than specific licenses

Outreach Team Report - Jack

• Survey
  • Has been out for a few months
  • 37 responses so far
  • Will make one more pass
  • Looking at presenting at Gen Meeting in Nov
• Philipe has been talking to the Python community about using SPDX License IDs and expressions in Python package manifest
  • Could be a model for other communities
    • …some of which have been using formally or informally
    • Potentially high leverage
    • RUST and Go are using sporadically

Cross Functional -

• None

Attendees

• Phil Odence, Black Duck/Synopsys
• Steve Winslow, LF
• Gary O’Neall, SourceAuditor
• Jack Manbeck, TI
• Nicolas Toussaint, Orange
• Mark Atwood, Amazon
• Jilayne Lovejoy, Canonical
• Hiro Fukuchi, Sony
• Shinsuke Kato, Panasonic
• Philippe Ombrédanne- nexB
• Michael Herzog, NexB
• Patrice-Emmanuel Schmitz, Trasys International, European Commission
• Richard Fontana, Red Hat
• Mark Baushke, Juniper
• Paul Madick, Dimension Data
• Nisha Kumar, VMWare
• David Marr, Qualcomm