Re: Thursday SPDX General Meeting Reminder

Appologies,  have a work conflict today and not able to join in. Technical team activities: -  work continues on spec.   Have resolved out file types,  file usage portions. -  decision made to not include the RDF vocabulary in the SPEC going forward,   Gary is was having issues regenerating it in

Re: GitHub announces license selection in SPDX format

Hi Phil, I think that's just the drop down menu being shown (human readable), for selection. Key is what's being stored (which is probably the short form). But I'm just guessing here. Hi Nuno, Thanks for flagging! Kate On Thursday, September 18, 2014 5:37 AM, Philip Odence wrote:

Re: Exclusion of NONE and NOASSERTION from ABNF

Hi Terin, On Thu, Jun 11, 2015 at 10:52 AM, Terin Stock wrote: > The ABNF in Appendix IV of the 2.0 version of the specification allows for > short form identifiers, LicenseRef values or combinations to form a > license-expression. However the values "NONE" and "NOASSERTION" are not > valid in a

Re: Exclusion of NONE and NOASSERTION from ABNF

ree to join in to the call if you'd like. Thanks for raising this. Kate > -- > #Terin Stock > > > On Thu, Jun 11, 2015 at 9:07 AM, Kate Stewart > wrote: > > Hi Terin, > > > > On Thu, Jun 11, 2015 at 10:52 AM, Terin Stock > wrote: > >> >

Re: Proposed spec for external packages

Hi Yev, The spec you linked to was the one I created for las week's call. Is there a different document we should be refering to? Thanks, Kate On Mon, Aug 3, 2015 at 10:00 PM, Yev Bronshteyn < ybronsht...@blackducksoftware.com> wrote: > Here is the spec for the proposed EternalPackage elemen

Re: Proposed spec for external packages

Hi Philippe, The document you commented on was from last week's discussion. Your input is appreciated and you're opinion is lining up with some of the thoughts expressed as part of the external identifier proposal from 2 weeks ago from Bill Schineller. Kate On Tue, Aug 4, 2015 at 8:34 AM, Phi

Re: Proposed spec for external packages

On Tue, Aug 4, 2015 at 10:43 AM, Kate Stewart wrote: > Hi Philippe, > The document you commented on was from last week's discussion. > Your input is appreciated and you're opinion is lining up > with some of the thoughts expressed as part of the external identifier &

Re: Proposed spec for external packages

On Tue, Aug 4, 2015 at 10:45 AM, Mike Milinkovich < mike.milinkov...@eclipse.org> wrote: > On 04/08/2015 9:34 AM, Philippe Ombredanne wrote: > >> On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn >> wrote: >> >>> Here is the spec for the proposed EternalPackage element. While I touch >>> on >>> usag

Re: Proposed spec for external packages

On Tue, Aug 4, 2015 at 11:40 AM, Mike Milinkovich < mike.milinkov...@eclipse.org> wrote: > On 04/08/2015 12:15 PM, Kate Stewart wrote: > >> I agree we should not depend on closed standards. However, the question >> is do we want to be able to reference to external packag

Re: Proposed spec for external packages

Hi Uday, On Tue, Aug 4, 2015 at 10:20 AM, Sai Uday Shankar Korlimarla < skorlima...@unomaha.edu> wrote: > Hi Philippe, HI Yev > > Philippe, You are right about SWID. > Yev, I may be biased over using CPEs and not using SWIDs. > Proposal was to permit use of either. It was not mandating that one

Re: Proposed spec for external packages

On Tue, Aug 4, 2015 at 3:18 PM, Jeremiah Foster < jeremiah.fos...@pelagicore.com> wrote: > > > On Tue, Aug 4, 2015 at 8:09 PM, Kate Stewart > wrote: > >> On Tue, Aug 4, 2015 at 11:40 AM, Mike Milinkovich < >> mike.milinkov...@eclipse.org> wrote: >> &

Re: Proposed spec for external packages

Hi Uday, On Mon, Aug 10, 2015 at 9:54 AM, Sai Uday Shankar Korlimarla < skorlima...@unomaha.edu> wrote: > Hi Kate, > > Thanks a ton for the clarification. It definitely helps, I am sorry for > this delayed response. > > I have one more question/doubt though. In 2.2.1 Corpus Tags, What I infer > i

Re: Using SPDX for firmware

Hi Richard, On Wed, Aug 12, 2015 at 9:23 AM, Philippe Ombredanne wrote: > On Wed, Aug 12, 2015 at 4:05 PM, Richard Hughes > wrote: > > Hi all, > > > > I've been using SPDX for years in the AppStream specification to > > describe applications that can be installed in software centers. I'm > > us

Re: Using SPDX for firmware

On Wed, Aug 12, 2015 at 2:00 PM, Richard Hughes wrote: > On 12 August 2015 at 17:40, Kate Stewart > wrote: > > typo? > > Is at: http://spdx.org/licenses/exceptions-index.html > > Its available from the http://spdx.org/licenses/ page > > On http://spdx.org/spdx-l

Re: SPDX General Meeting Thursday

tomorrow. Kate > Thanks, > Phil > > From: Kate Stewart > Date: Wednesday, September 2, 2015 at 4:55 PM > To: Phil Odence > Cc: "spdx@lists.spdx.org" > Subject: Re: SPDX General Meeting Thursday > > Hi, > As part of the discussion tomorrow I'd like to

Announce: Supply Chain Mini-Summit on October 8 in Dublin

ed on after LinuxCon on October 8th. *Agenda* 9:00 - Intro to Supply Chain mini-summit (Kate Stewart) 9:05 - Overview of OpenChain <https://wiki.linuxfoundation.org/openchain/start>, goals and status. (Dave Marr) 9:20 - Overview of SPDX <http://spdx.org/> project, review of 2.0 and plans for

Re: Hello

Hi Dave, Welcome. :-) Information on the general meetings and past minutes can be found on: http://wiki.spdx.org/view/General_Meeting Kate On Sat, Oct 17, 2015 at 9:11 AM, Marr, David wrote: > Hi, I just joined the mail list and look forward to working with folks! > > Dave Marr >

Re: Meeting Minutes

of the XML format is to > enable better tooling - the issue is only related to the phasing of the XML > format implementation > > · Some of the issues to external tool use would be the > inconsistency in the element and property names with the SPDX specification > > ·

Re: SPDX Tool Contributions

Hi Michael, Yes, feel free to join us on the weekly call (Tuesday at 1pm Eastern) details: http://wiki.spdx.org/view/Technical_Team for Q&A or send email to spdx-t...@lists.spdx.org with your questions. Bug fixes most welcome! :-) Kate On Thu, Sep 1, 2016 at 12:17 PM, STAIR, MICHAEL A

SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

Hi, The SPDX tech team will be hosting an SPDX Tools BakeOff at LinuxCon Europe on 6 October 2016. Participation can be remote by phone or in person. The Bake-off (also known by some as a Plugfest) will focus on comparing SPDX Documents generated with SPDX specification 2.1

Re: SPDX Bake off to compare tools generating code for the SPDX 2.1 specification on October 6, 2016.

Hi Bradley, On Thu, Sep 22, 2016 at 5:30 PM, Bradley M. Kuhn wrote: > Kate, > > Kate Stewart wrote at 11:58 (PDT): > > For more information on how to participate, please read Background info > > for the SPDX 2.1 Bake-off in LinuxCon Europe. > > I and my colleagues

Re: Open Source Leadership Summit (formerly known as Collab Summit)

ople need to make travel plans soon, thought I’d reach out via > email. I am planning on being there, FWIW. > > Cheers, > Jilayne > > > SPDX Legal Team co-lead > opensou...@jilayne.com > > > > ___ > Spdx mailing lis

Re: MarkDown conversion of specification live on SPDX GitHub

Great work Thomas! Thank you very much for your efforts to get our current (and future) specifications into a more community friendly format! :-) Kate On Mon, Jul 3, 2017 at 3:53 PM, Steenbergen, Thomas < thomas.steenber...@here.com> wrote: > > > Hi all, > > > > Wanted to let you all know that

"License Clearance in Software Product Governance"

Just spotted a very nice reference to SPDX in Dirk Riehle's paper, and thought those on the list might find the paper interesting as well. http://dirkriehle.com/publications/2017-2/license-clearance-in-software-product-governance/ > > The first step is to have a standard format for a bill of mate

SPDX recommendations from other communities! :-D

Hi, Just thought some of you might be interested in some recent announcements with SPDX showing up in them. FSFE just launched a new site today recommending use of SPDX license identifiers in the source files, and generating a manifest from an SPDX document. :-) see: htt

Re: SPDX recommendations from other communities! :-D

On Wed, Sep 6, 2017 at 7:51 AM, Neal Gompa wrote: > > I'd like to point out that this recommendation is contingent on being > able to automatically scan and generate it. No one is suggesting > manual inventory of code to generate SPDX document. Hi Neal, We agree, some tooling is needed to g

Re: Package, mandatory?

Hi Jonas On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg wrote: > Hi everyone, > > as you know, the FSFE is working on a project, REUSE, which has as one of > its recommendations to produce a SPDX conformant bill of materials, if one > can be generated automatically. > > As part of this project, I'

Re: Minutes of Nov SPDX General Meeting

ions on “or later” issue > - On hold for the moment as Jilayne is out > > Outreach Team Report[edit > <https://wiki.spdx.org/index.php?title=General_Meeting/Minutes/2017-11-02&action=edit§ion=3> > ] > >- Jack still working on testing tools > > > &

SPDXTeam - new dial in number for meetings, same web link.

Hi, We were able to get the SPDXTeam Uberconference updated last Thursday to remove the limit on number of people attending the call. Yay!!! However, as a result of this, we had to change the dial in number. New dial in number: 415-881-1586 No PIN needed The weblink for screenshare will

SPDX license identifiers in the Linux kernel

Some of you have already noticed that this started in 2016 but as of 4.14, we had a major breakthrough and cleanup of all the files without a license reference all had SDPX identifiers added to them. There are some good writeups of the work emerging. LWN has an excellent summary with links to mor

FreeBSD adding in SPDX license identifers too...

And in addition to Linux getting serious in terms of adding SPDX identifiers, we also have FreeBSD applying them to their code base. Kate -- Forwarded message -- From: Pedro Giffuni Date: Thu, Dec 7, 2017 at 11:31 AM Subject: SPDX ID-tag as part of FreeBSD preferred license To: S

SPDX servers rebooting over the weekend for Spectre/Meltdown remediation.

Hi, Just heard from LF IT that our SPDX site & wiki will be rebooting this weekend, as the apply the Meltdown/Spectre remediation. It should just be down for 5 minutes early this weekend, so this is mostly for your information, in case you notice something. Kate ___

Re: Spdx Digest, Vol 93, Issue 2

g Website to Wordpress > ? Content > ? Looking at a variety of ways > ? Looking at audio/video recordings > ? Could include monthly talks > ? Yev volunteered to do his > ? Looking for more people involvement in OTeam > Legal Team Report - Paul[edit<https://wiki.spdx. > org/

Re: [spdx] Need Help for contrubuting in GSOC 2019 #spdx

vernment Organization. I have fair knowledge in Javascript, > NodeJs, Typescript, Spring Boot, Laravel , Docker and apache thrift. It > woukd be great if could if someone could help me get started > > > > > -- Kate Stewart Sr. Director of Strategic Programs, The Linux Foundatio

Re: [spdx] Standalone license tools for scanning debian/ubuntu apps?

On Mon, Feb 4, 2019 at 8:47 PM Jeremiah C. Foster wrote: > Have you looked at the binary analysis tool? > http://www.binaryanalysis.org/old/home > There's also BANG! (Binary Analysis Next Generation) that is in beta now. see: https://github.com/armijnhemel/binaryanalysis-ng Kate -=-=-=-=-=-=-

Re: [spdx] Standalone license tools for scanning debian/ubuntu apps?

On Tue, Feb 5, 2019 at 5:32 PM Dan Kegel wrote: > On Tue, Feb 5, 2019 at 1:30 PM Jeremiah C. Foster > wrote: > > If I'm not mistaken, copyright has to be a string because it has to be > legible by humans. This means you can likely grep through source code as > scancode does with a fair degree of

Re: [spdx] SPDX Feb General Meeting Minutes

> > · Challenges > > · Doesn’t cary text > > · Companies’ names may change through M&A and may lose domains in > the process > > · How to ensure that a company doesn’t change license text > > · Sentiment is in favor o

Re: [spdx] Thursday's SPDX General Meeting Reminder

Hi Phil, all Quick update, we will have a guest speaker this week. Matthew Crawford will be discussing "Arm’s SPDX compliance file" Thanks, Kate On Wed, Mar 4, 2020 at 3:20 PM Phil Odence wrote: > No guest speakers this month. > > And, I will be out so Kate will chair in my stead. > > >

Re: [spdx] Chime instead of Zoom, a modest proposal

Hi Mark, Thanks for the generous offer. :-) We're not paying for zoom, however I'm definitely up for doing an experiment during our spdx-tech meeting tomorrow, and if it works for the regular attendees, changing to a system with better security. Can you send me the details for the account

[spdx] SPDX 2.2 Specification Review Window - ends May 1, 2020

Hi all, The SPDX 2.2 specification is now in the final 2 week public review window. The SPDX tech-list participants have been working on polishing it for the last couple of months and adding in the outstanding pull requests that have been completed. If you are interested in reviewing this fina

[spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -

Thanks for sending this Takahashi-san. I'm forwarding this email for discussion on the spdx-tech mailing list where the usage profile will be discussed. spdx-tech is where we are discussing the profiles. spdx-general is low volume, and more for announcements. Will follow up on the spdx-tech m

[spdx] SBOM's going mainstream - Biden Cybersecurity EO

Last night Biden signed Executive Order (EO) on Improving the Nation’s Cybersecurity . As part of this Executive order the concept of SBOM is getting widespread visibil

Re: [spdx] [spdx-tech] Should SPDX endorse SCA tools?

We've got a lot of historical cruft in our SPDX repo as well. Coming up with some criteria for inclusion & removal is overdue. After we settle the 3.0 template issue, you up for dedicating part of a call to sketch out the repository inclusion criteria? Then we'll do an assessment/clean up pass.

Re: [spdx] SPDX Goes ISO

The content that went into the standard is the same as what is in our github repo today, and a pretty version is at: https://spdx.github.io/spdx-spec/. The sources for the 2.2.1 are at: https://github.com/spdx/spdx-spec that fed into the review process. There's some editorial changes we incorpora

Re: [spdx] Taxonomy of software supply chain ecosystem?

There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy. We'v

Re: [spdx] SPDX Thurs General Meeting Reminder

The video has been posted here: https://www.youtube.com/watch?v=8X5PWa7A6pY&list=PLciqFgcGu7TvR_f3aKZHkozX0WIs-N7vc&index=7 Thanks again to Joshua for sharing with us! On Wed, May 4, 2022 at 4:22 PM Christopher Lusk wrote: > Hello, > > > > Is it possible to get the recording from the April SP

Re: [spdx] End Of Life Tag in spdx #spdx

Hi Sandeep, There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3. When it comes in, please feel free to review and make sure it's going to suffice for your needs. For now, with 2.2 documents, suggest you use the Package Comment field ( htt

Re: [spdx] End Of Life Tag in spdx #spdx

On Fri, May 20, 2022 at 2:32 AM Steve Kilbane wrote: > Armijn said: > > > Current information inside SPDX documents is largely static […] > > > This would make SPDX a lot more cumbersome, as not only do the documents > need to be generated, but they also need to be updated all the time to > avoid

[spdx] Please participate: "State of Open Standards Survey"

The Linux Foundation (LF) has launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the development, use, growth, and value of standards across industries and technologies. As SPDX is o

Re: [spdx] SPDXMerge Tool #spdx

Very cool Sandeep! Thanks for sharing this! On Wed, Mar 29, 2023 at 11:33 AM Patil, Sandeep via lists.spdx.org wrote: > Hi All, > > We are excited to announce that we have open sourced our SBoM Merge tool > on GitHub. This tool allows you to merge multiple Software Bills of > Materials (SBOMs)

Re: [spdx] GitHub blogged they are creating SBOMs in SPDX format

Moving this thread to the spdx-tech list. The main spdx mail list is supposed to be low volume, for announcements. The developers at github are working to address the issues, let's give them some time to roll out fixes. On Thu, Mar 30, 2023 at 1:02 PM Anthony Harrison < anthony.p.harri...@gmai

[spdx] Free webinar tomorrow (8/30) highlighting SPDX safety profile

For those interested in seeing what is emerging, and how we're planning on applying it to open source projects, on Aug 30 at 9-10 am PT, there will be a presentation about how to structure safety analysis using the work being done by the SPDX safety profile team.The ELISA and Zephyr projects w

[spdx] SPDX 3.0 Available; Progress to Approved Specification status

Following our announcements at Open Source Summit North America last month

[spdx] SPDX 3.0.1 Available; Progress to Approved Specification Status

We’re pleased to announce that SPDX 3.0.1 Specification is now available at: https://spdx.github.io/spdx-spec/v3.0.1-draft/. This update of SPDX 3.0 fixes the issues that implementers have seen when migrating their tools to support this version, as well as incorporating the feedback on the model

Re: [spdx] SPDX 3.0.1 Available; Progress to Approved Specification Status

Hi Miroslav, On Thu, Aug 22, 2024, 2:17 AM Miroslav Suchý via lists.spdx.org wrote: > Is this a final version or a draft? > > I am asking because the url state "draft" and I do not see it as a release > in https://github.com/spdx/spdx-spec/releases > "This also confirms the start of the formal t