Technical Team/Minutes/2014-03-04

From SPDX Wiki
Jump to: navigation, search

March 4, 2014


  • Gary O’Neall
  • Bill Schineller
  • Mark Gisi
  • Scott Sterling
  • Jack Manbeck
  • Kirsten Newcomer


  • Review instance diagrams
  • SPDX 2.0 next steps and discussion

Instance Diagrams

  • Walking trhough spdx-2-0-jar-supply-chain.pdf
  • Discussion on git repo - agree that SPDX refers to a specific "snapshot" or "commit level" and not a more general reference
  • Patch use case - spdx_2 is a description of the changes
  • binary / maven use case - maven url may point to a collection of files, not just a single jar
  • distribution - distribute a tarball - artifactof needs to be extended to describe the relationship
  • application which uses open source described by SPDX -
  • Discussion on the references to other SPDX docs - are the references to the doc, the element within the doc or both?
    • Both
    • Need to define the namespace
    • Need to include the concept of dynamic libraries where the artifacts are not copied, but the licensing is impacted by the reference - would be good to have an instance
  • What's missing from the current model:
    • SCM - may need more detail than in the current model
    • Patch - additions/deletions of artifacts
    • Relationships
      • do we need user defined relationships?
      • Does the relationship itself need more of a model?
  • Walking trhough spdx-2-0-jar-supply-chain-DocSharing.pdf
    • Diagram describes just what needs to be delivered to fully describe the delivered software from the right side of the previous diagram
    • Dotted lines are optional - would not need it if the docs were signed and available
  • Discussion on what SPDX document are included
    • do we need to include SPDX docs for files which are not distributed (but are used in creating the files which are distributed)?
    • Patch documents which show deltas?
    • URL references for docs - does that imply the document is accessible on the internet?
      • If it is internal, the doc should be included, if external it may go stale
    • Will the model support exclusions in the relationship?
  • Next Steps
    • Compare to current model - Gary
    • Try using protoge to model the properties for SPDX 2.0 - Bill
    • Start plugging the new properties into the current model - Gary