Technical Team/Minutes/2015-03-24

From SPDX Wiki
Jump to: navigation, search

March 3, 2015


  • Gary O'Neall
  • Jack Manbeck
  • Scott Sterling
  • Bill Schineller
  • Kirsten Newcomer
  • Kate Stewart
  • Brandon Robinson
  • Hassib Khanafir
  • Michael Herzog


  • Review points for the SPDX 2.0 Press Release
  • Update on call with Github
  • Updates to the spec

Press Release Review

  • Reviewed email provided by Jack

Suggested Edits:

  • Multiple packages can now be described in a single SPDX document allowing aggregation of information that should be kept together.
  • Relationships between packages, files - and external SPDX documents - can now be described. This is a powerful capability that allows individual SPDX documents to reference each other. Relationships allow the modeling of software reuse and packaging of arbitrary complexity. For example, software passed through a supply chain, binary-only delivery, documenting a hierarchy of sub-packages, documenting the origin of an SPDX element (downstream relationship to upstream), and documenting modifications or corrections (annotations) to an SPDX element. Each SPDX document can then describe the licensing of just those pieces. As a consumer of these SPDX documents you should now be able to easily get a clearer picture of the licensing mix for relevant pieces.
  • Annotations have expanded upon and replaced Review comments, and can be provided on any specific element in an SPDX document. In previous versions there were specific comment fields. With annotations comments can be applied to anything including annotations allowing more flexibility.
  • A new License expression syntax has been introduced with improved license matching guidelines. The improved syntax makes it much easier and more reliable to capture complex licensing in a file.
  • Additional file types & checksum algorithms are now supported. The file types have been greatly expanded allowing for more precise identification of a file.
  • SPDX can now reference software pulled from Version Control Systems, in addition to software served as downloads. This recognizes alternative ways of distributing software.

License List

  • License list has been expanded significantly since SPDX 1.2 (from XXX licenses to YYY licenses and growing)
  • Exceptions to licenses are now captured separately and have their own list. This allows for greater flexibility in expressing xxx and reduces the number slightly different licenses on the main list.

Update on call with Github

  • Git repo's will be mirrored on Github
  • Brandon from Github is providing support for SPDX (mirroring the Git Repos, may do pull requests)
  • Discussed the need to clarify using the license list vs. creating SPDX document (will pick up discussion at the business team).

Spec update

  • License text - added example for when full license text is not available
  • Package file name - Updated to allow for subdirectories to be referenced for a package (bug 1190)

Next Week

  • Finalize any additional changes for SPDX 2.0
  • Snippets
  • Maven Artifact References