From SPDX Wiki
- Bill Schineller
- Kirsten Newcomer
- Kate Stewart
- Nicholas Loke
- Peter Williams
- Gary O’Neall
Review of last week’s items
- Legal language updated from last week completed
- Review of document – Kate received some comments
- Spreadsheet example of the URI for artifactOf (Gary) – Still pending
- Spec updated with change to hasFile
- PackageVerificationCode – still pending
- SimpleLicensingInfo – pending
- Embedded Octect Stream - pending
Update on Kate’s conversation with Steve
- Need to capture a “supply chain” for the origin of the packages
- Can capture this as a reviewer, but would require a company – proposal to have Reviewer be an Agent. Agree to change the spec to accommodate company. We can change the definition of the string or we can implement Agent. For Beta, we can change the definition of the string. We would like to implement an Agent structure, but that would require a more detailed proposal and incrementing the version number. Kate will work on a proposal.
- Proposal to have a package level ArtifactOf. Agree that this will be useful. This may require two different properties to represent A) if the package is part of a larger project and B) the package originates in a particular project. We need some use cases written – Peter will write one of the use cases in a bug.
- Need to write-up usage of the spec
- Agree to create a Wiki page for usage guidelines. This would be structured around use cases and a description of the fields. The per-field would shadow the spec. Any contributed conversations to the per-field could be rolled into the spec itself at a later date. Would like to create a separate Beta web page which would include a link to the usage guidelines page. This could be added under participation. Kirsten will add after checking with Kim.
- Crypto flag request – need a proposal.
- Suggest that we add bugs for the new proposal.
- Open source or commercial package flag request – concern that different companies/organizations have different definitions of open source and commercial package
- Package version – request to make the version parseable. Agree to add a field, but there was concern on making it parseable – Kate will add this in the next draft
- Use of term package, raises questions about the hierarchy of packages. ArtifactOf at the package level will help.
- A third delivery model – 1) SPDX is a sidecar to the package archive, 2) SPDX is embedded in the package, 3) a third proposal would be to have the SPDX document itself contains the archive.