Hi all,
I attended a couple of SPDX-relevant talks at OSLS and am now trying to get from 'vaguely aware and positive' to 'practitioner/advocate' in the shortest possible time.

I'll begin by stating I'm supportive of anything that will actually improve the reliability, efficiency and effectiveness of complex software delivery. In theory SPDX can be that, so here I am.

Now - I'm a newbie and you can only get first-impressions from those, so here are mine:

- the website is no use to me at all. I need to know how to get started in the smallest number of steps - don't force me to read all the background, explain licensing etc... just tell me what I need to DO
- you've moved to GitHub but there are still Bugzilla links lying around. Please use GitHub issues and be done
- maybe worth trying to get a CII badge for SPDX :)

Moving onto my own experiences with SPDX so far
- interesting conversation with Gary O'Neall, as a result of which I understand some of the context and issues more
- so far I'm failing to understand what to *do* with it for the projects I am involved in

At Kate's talk [1] (can't find the slides online, btw) she showed a Wind River dashboard which mentioned that the WR scanner (proprietary?) identified keyring as having no license info.

While the talk was happening I raised this as an issue upstream [2].

Basically, he would be an ideal candidate for adopting SPDX - he wants to avoid confusion and licensing errors. But he has gone his own way (even while acknowledging the 'too many standards' joke) because when he checked out the SPDX project it "seems it's not well defined what it means to include SPDX metadata."

I completely agree with him. On the SPDX homepage, there should be the equivalent of hello world instructions, for maintainers to follow, in clear English.

Bonus points if the text answers all of the following questions:

- can I just create one file, and leave everything else as-is, or do I need to edit all my copyrightable files to insert metadata?
- what precisely do I put in my files? (and bear in mind I have C, Python, Assembler, Go, JavaScript, Haskell, generated code, YAML, JSON, bitmaps etc)
- should I delete existing license texts? what if someone else put them there?
- do I still need LICENSE, COPYING or similar files?
- is this a one-shot deal? once I've 'done SPDX' do I ever need to think about it again for my project?
- if I make a mistake (e.g. spurious license files lying around) what happens?

Thanks for reading

br
Paul

[1] https://osleadershipsummit2017.sched.com/event/9Ki3?iframe=no
[2] https://github.com/jaraco/keyring/issues/263
[3] https://xkcd.com/927/