Technical Team/Minutes/2014-10-07

From SPDX Wiki
Jump to: navigation, search

October 10, 2014


  • Gary O'Neall
  • Bill Schineller
  • Kate Stewart
  • Jack Manbeck
  • Scott Sterling


  • Schedule for 2.0
  • External document references
  • Support for multiple checksum types

Schedule for 2.0

  • Key Dates:
    • November 14: SPDX 2.0 Draft complete, distributed for internal review/comment (internal to business, legal and technical committees)
    • Dec 1. Deadline for feedback
    • Dec. 1-17 incorporate feedback
    • Dec. 18 SPDX 2.0 release candidate for tools implementation and release to general mailing list
    • Dec 19th: Tool Implementation Kickoff
    • Feb. 18-20 Collab Summit - Tools implemented, Plug-and-Play event to test tool interoperability
      • compare SPDX 2.0 output of different tools for compatibility/consistency
      • supply chain example. Upstream SPDX consumed by downstream SPDX.
  • Won't make the current plan of LInuxCon Europe (which is next week)
  • Draft ready for Linux Open in December - either the first or 15th
    • Kate will be offline 3 weeks last part of Nov through Dec 1
    • Kate will publish draft before going offline - November 14th
    • Dec 1. - deadline for feedback
    • First 1/2 December gather feedback
    • Target December 18th for release candidate 1 (RC1) - ready for tools implementation
  • Remaining work - Kate will publish a list
    • Would like to get additional checksums
    • License identifiers in the code as an appendix
    • License Expressions Syntax
      • Jack will publish a draft for this section
  • Tools to be implemented by LinuxCon
    • Tools demo including use cases - supply chain examples
    • Bake-off/Plug-n-play/interoperability tests between tools
  • Migration from 1.0 to 2.0
    • Should the business team take on the migration collateral?
    • Highlights of 2.0 on the 18th
    • Migration details and "what's new in SPDX 2.0" papers should be published soon after the 18th.

External document references

  • Reviewed email proposal
  • Kate will do a more detailed review and email any changes
  • Gary will update the proposal to include an SPDX default namespace for those without their own creator website
  • We agreed not to implement the storage of SPDX documents now
    • We will discuss this at LinuxCon
    • we will add a page to describe the use of the document URIs to the SPDX web page that may be referenced from the default spdx namespace

Additional Checksum Types

  • Bruno proposed additional types
    • SHA-256
  • cardinality would be changed to 1 or more (from 1)
  • Do we also allow for other types to be used in the verification code (in addition to using the checksum types for the file checksums)?
  • Mandatory sha1, others are optional
  • Verification code would also be a mandatory sha1 with optional other
  • Should we change the mandatory from sha1 to sha256?
    • sha1 has been proven vulnerable
    • sha1 would be compatible with 1.2
    • vulnerability would not be too severe for our use cases