Hi Paul,
Thank you very much for the input!
Several of us have been immersed in this for many years, and
have a hard time seeing how it appears to a new person.
On Thu, Feb 16, 2017 at 12:40 PM, Paul Sherwood <[email protected]> wrote:
> Hi all,
> I attended a couple of SPDX-relevant talks at OSLS and am now trying to get
> from 'vaguely aware and positive' to 'practitioner/advocate' in the
> shortest possible time.
>
> I'll begin by stating I'm supportive of anything that will actually
> improve the reliability, efficiency and effectiveness of complex software
> delivery. In theory SPDX can be that, so here I am.
>
:-) Welcome.
>
> Now - I'm a newbie and you can only get first-impressions from those, so
> here are mine:
>
> - the website is no use to me at all. I need to know how to get started in
> the smallest number of steps
>
Good input, the project is switching from creation to "adoption" focus, and
yes, the above is missing.
> - don't force me to read all the background, explain licensing etc... just
> tell me what i need to DO
>
We had talked about crafting the message for different perspectives
(roles), i.e. developer, maintainer, release manager, open source office,
legal, so based on your comments and some of the comments I received from
Thomas, Mark and Jack - let's start drafting how this should look to be
most helpful.
> - you've moved to GitHub but there are still bugzilla links lying around.
> please use GitHub issues and be done
>
We just managed the transition at the end of January for the repositories,
so it's just a question of bandwidth and volunteers, but from hallway
discussions yesterday moving over the bugs from bugzilla to github issues
is definitely the direction to go. At this point it's just bandwidth.
> - maybe worth trying to get a CII badge for SPDX :)
>
For spdx-tools - yes, worth discussing. We are interacting with the CII
project and have been taking input on how to hook up security information
into SPDX, as well as providing input to them on best practices for
projects from a licensing perspective. ;-)
> Moving onto my own experiences with SPDX so far
> - interesting conversation with Gary O'Neall, as a result of which I
> understand some of the context and issues more
> - so far I'm failing to understand what to *do* with it for the projects I
> am involved in
>
I'm traveling today, but will try to start to draft up some of the roles
as google docs for discussion to see if it's addressing your insights.
Will send an email to the list when there is something to review, and
provide input on. Once we agree, we can work with Jack to get the info
added to the web site. Biasing information to concrete actions, as you
suggest, is what is missing.
> At Kate's talk [1] (can't find the slides online, btw) she showed a Wind
> River dashboard which mentioned that the WR scanner (proprietary?)
> identified keyring as having no license info.
>
> While the talk was happening I raised this as an issue upstream [2].
>
> Basically, he would be an ideal candidate for adopting SPDX - he wants to
> avoid confusion and licensing errors. But he has gone his own way (even
> while acknowledging the 'too many standards' joke) because when he checked
> out the SPDX project it 'seems it's not well defined what it means to
> include SPDX metadata.'
>
> I completely agree with him. On the SPDX homepage, there should be the
> equivalent of hello world instructions, for maintainers to follow, in clear
> english.
>
Agree.
>
> Bonus points if the text answers all of the following questions:
>
> - can I just create one file, and leave everything else as-is, or do I
> need to edit all my copyrightable files to insert metadata?
> - what precisely do I put in my files? (and bear in mind I have C, Python,
> Assembler, Go, JavaScript, Haskell, generated code, yaml, json, bitmaps etc)
> - should I delete existing license texts? what if someone else put them
> there?
> - do I still need LICENSE, COPYING or similar files?
> - is this a one-shot deal? once I've 'done SPDX' do I ever need to think
> about it again for my project?
> - if I make a mistake (e.g. spurious license files lying around) what
> happens?
>
Excellent input. Some of what you're asking is covered in a free online
course (Compliance Basics for Developers
<https://training.linuxfoundation.org/linux-courses/open-source-compliance-courses/compliance-basics-for-developers>)
that is available, but it can certainly be summarized here. Will use the
above questions to start off the first draft, and then you can comment there
how well (or not) we're addressing them, and we can iterate from there.
OK?
>
> Thanks for reading
>
Thank you for taking the time to provide input to help us. :-)
Kate
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech