Technical Team/Minutes/2017-06-20

From SPDX Wiki
Jump to: navigation, search

June 20, 2017


  • Gary O’Neall
  • Thomas Steenberg
  • Anna Buhman
  • Krys Nuvadga
  • Alexios Zavras
  • Yev Bronshteyn
  • Uday Korlimarla

GitHub SPDX Project Architecture

  • Review architecture for github spdx project
  • Proposal – use github webhooks for the user integration and integrate multiple back-end scanners through a REST based API
  • Reference:
  • Yev suggested integrating with a Continuous Integration system may be a better approach
    • Yev suggested generating outside of github was an overkill, Thomas agreed
    • Gary suggested focus could be on open source project originators where dependencies are not as prevalent – example, NodeJS where there are only 2-3 files
    • Gary responded that there is a separate project proposal for integration system hooks, and this project is focused on github
  • Discussion on the multiple scanner integration
    • Could use the integration for a build oriented SPDX generator (such as the Maven build) – Gary will build an integration once the tool is available
    • Existing scanners can be “wrapped” by the API – either a command line or a library call
  • Discussion on authentication
    • Primary mechanism would be github
    • Need to authenticate external services if used
    • First release, we could scope it to everything running on a local server

Other Topics

  • Further discussion on next SPDX spec postponed to next week, waiting larger quorum
  • Thomas has first draft of OpenChain specification 1.0 in Markdown, building HTML via GitBook:
    • work-in-progress; history being re-written