THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2017-06-20
From SPDX Wiki
< Technical Team | Minutes
June 20, 2017
Attendees
- Gary O’Neall
- Thomas Steenberg
- Anna Buhman
- Krys Nuvadga
- Alexios Zavras
- Yev Bronshteyn
- Uday Korlimarla
GitHub SPDX Project Architecture
- Review architecture for github spdx project
- Proposal – use github webhooks for the user integration and integrate multiple back-end scanners through a REST based API
- Reference: https://github.com/spdx/spdx-github/wiki/Architecture
- Yev suggested integrating with a Continuous Integration system may be a better approach
- Yev suggested generating outside of github was an overkill, Thomas agreed
- Gary suggested focus could be on open source project originators where dependencies are not as prevalent – example, NodeJS where there are only 2-3 files
- Gary responded that there is a separate project proposal for integration system hooks, and this project is focused on github
- Discussion on the multiple scanner integration
- Could use the integration for a build oriented SPDX generator (such as the Maven build) – Gary will build an integration once the tool is available
- Existing scanners can be “wrapped” by the API – either a command line or a library call
- Discussion on authentication
- Primary mechanism would be github
- Need to authenticate external services if used
- First release, we could scope it to everything running on a local server
Other Topics
- Further discussion on next SPDX spec postponed to next week, waiting larger quorum
- Thomas has first draft of OpenChain specification 1.0 in Markdown, building HTML via GitBook: https://github.com/tsteenbe/openchain-spec
- work-in-progress; history being re-written
