Technical Team/Minutes/2014-02-04

Feb 4, 2014

Attendees

Effort underway to create a Maven plugin which creates an SPDX file from a Maven POM file
Reviewed issues from Maven mailing list
Issue with using POM license info
- not always filled in
- not always accurate
Feedback from Maven community is it would only be valuable if the code was scanned
- Discussed targeting the code originators and the value to the originators
suggestion to use the SPDX standard license short names in the POM file
Plugin currently uses the standard SPDX license URL's and there is some indication that Apache will use those URLs
where in a Maven repo would .spdx file(s) best land?
- one per GAV?
- one per GAVCP C=Classifier e.g. binary vs. sources.jar P=Packaging e.g. war or jar

- - apache-servicemix-web-3.2.3.war <- the binary
  - apache-servicemix-web-3.2.3.war.md5 <- md5 of the binary
  - apache-servicemix-web-3.2.3.war.sha1 <- sha1 of the binary
  - apache-servicemix-web-3.2.3.war.spdx <- SPDX of the binary

- - apache-servicemix-web-3.2.3.war.asc
  - apache-servicemix-web-3.2.3.war.asc.md5
  - apache-servicemix-web-3.2.3.war.asc.sha1

- - apache-servicemix-web-3.2.3-sources.jar
  - apache-servicemix-web-3.2.3-sources.jar.md5
  - apache-servicemix-web-3.2.3-sources.jar.sha1
  - apache-servicemix-web-3.2.3.war.spdx <- SPDX of the sources (SCANNED)

Apache Maven guys: anyone have connections with them to influence SPDX adoption?
- Here's a list of contributors to Maven https://www.ohloh.net/p/maven2/contributors?sort=latest_commit&time_span=12+months
- Maven License Plugin project we might join forces with? http://code.mycila.com/license-maven-plugin/
Other organizations originating or assembling code will face similar issues as the Maven/POM - could use this as a good test case

Next Week - Bill and Gary will not be on the call. Will check with Kate to see if we should have a call next week.