THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2020-08-18
From SPDX Wiki
< Technical Team | Minutes
August 18, 2020
Attendees
- Kate Stewart
- Thomas Steenbergen
- John Horan
- Gary O’Neall
- Peter Shin
- Philippe Ombredanne
Topics:
- Google Summer of Code
- Legal profile – continuing discussion
- Gitlab support of SPDX
GSoC
- Philip’s project should be able to present next General meeting – Kate will arrange
- Philippe will meet with Philip and check on progress
Legal Profile
- Communicating between tools
- Example: How well was the match to the license – would be helpful for a tool to tool relationship
- Issue – loss of information detail
- Snippets don’t really work – will capture the line range, but isn’t always correct
- Should it be simplified or include a lot of detail?
- Thomas: I found this license in this file at this line number
- Would like to communicate scanning results from Scancode to SW360
- Would help with audits and detecting errors/bugs
- All on the call it would be useful
- Kate created a Google doc to track the license scanning tooling profile: https://docs.google.com/document/d/1p24qf2uNk5b1rU0m_Tvj2cD-lioFaaeJKh9PmnPbhwo/edit
- Kate also added a dependency tree profiles: https://docs.google.com/document/d/1IfcSlrDou-8KLqkLr568DKGaQiHXmt_EFsZRfcf0Ej8/edit
- Kate also created a Google doc for the vulnerabilities profile: https://docs.google.com/document/d/11S8FTG5zSwmH-o_Conp9-mkzWyOuxC_KXx3VNHlhbws/edit
- Will also create an issue
- Question on how to represent a source file: I have a question on how to handle declared license. If it's a short reference to a license, for example, how should SPDX or tool handle "See the license file" snippet. Should the SPDX handle it as a declared and none?
- Thomas, Gary and Philippe think it would be declared, but the discussion in legal was interpreted as “None” or “LicenseRef-“ with the text found in the file
- Discussion on having a primary license for a package
- Philippe will propose an extension to the license expression
- Introduce “PLUS” operator with the same semantics as AND except the expression to the left of the operator is the primary license for the package
Gitlab
- Gitlab jobs do not support SPDX
- Issue logged at https://gitlab.com/gitlab-org/gitlab/-/issues/218521
- Thomas requested support and comments on the issue in support of SPDX
- Steve is active with Gitlab and should be able to help
- Kate will add some pointers in the issue
DCO signoff on SPDX Spec
- Currently not enabled for the spec
- Agreed we will enable the DCO BOT
- Will be turn on Sept. 1
- Kate will send out an email
- Thomas will submit a PR
Next Week
- Vulnerabilities Profile
