    nisha
    @nishakm
    Hello seabass, do we have a build profile meeting today?
    seabass
    @seabass:fosdem.org
    [m]
    yes, we do!
    Alexios Zavras (zvr)
    @zvr
    Thanks to all who submitted proposals!
    Reejo Joseph
    @ReejoJoseph1244
    Hi, I have successfully submitted my proposal for Private license management system. Thanks @zvr for helping me understand some technical terms and guiding me.
    Kindly please review my proposal and please let me know. I'm so excited to work on the Private license management System. Since websites always excite me a lot, I would even like to contribute to the project even if I didn't get selected this year. Mentioning my mail id in the reply; kindly feel free to contact me regarding the project, the proposal or any project issues in future too.
    regards,
    Reejo Joseph
    1 reply
    Alexios Zavras (zvr)
    @zvr
    As can be seen in the GSoC Timeline, results will be announced on May 20th, 18:00 UTC
    Akash Thota
    @g00g1y5p4
    Hello @zvr !
    Can we connect through hangouts regarding the Private License Management System?
    my email id: g00g1y5p4@gmail.com
    Alexios Zavras (zvr)
    @zvr
    @g00g1y5p4 I am not sure what you are asking about. Are you interested in working on the project regardless of GSoC ? As mentioned above, we are now in the phase of evaluating all the proposals and results will be published in May.
    Akash Thota
    @g00g1y5p4
    Yeah @zvr, I'm very interested in working with the SPDX Team. In the above, I'm trying to connect with you about my proposal submission. I just want to explain more about my proposal.
    2 replies
    seabass
    @seabass:fosdem.org
    [m]
    @g00g1y5p4: you could also join some of the SPDX meetings; they are open to everyone and will let you get to know the SPDX team better. That should help you if your proposal is accepted and might even work in your favour when the submissions are reviewed :)
    Osiris Pedroso
    @opedroso
    Hello all.
    I am looking for guidance adding SPDX info for my existing software product.
    My current understanding is that I should create a TAG file for each DLL/EXE that my CI/CD generates and then use some tool(?) to concatenate them into an SPDX file.
    Appreciate any feedback received.
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    Hi @opedroso:
    This is a good example to use SPDX tag
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    Hi
    I added YAML documentation, please review it: spdx/tools-golang#141
    nisha
    @nishakm
    @seabass:fosdem.org is there a canonicalization committee meeting today? I seem to have lost the invite
    seabass
    @seabass:fosdem.org
    [m]
    yup! please feel free to join at: https://meet.jit.si/SPDXCanonicalMeeting
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    Hi, do you know what about GSOC?
    Alexios Zavras (zvr)
    @zvr
    On GSoC, as can be seen in the program timeline https://developers.google.com/open-source/gsoc/timeline yesterday the organizations submitted their requests to Google. Next Friday (May 20 - 18:00 UTC) the accepted projects will be announced.
    2 replies
    Alexios Zavras (zvr)
    @zvr
    Well, Google announced the results some minutes ago: SPDX Project received 2 Contributor Project slots for GSoC 2022!
    Congratulations to everyone who got involved and submitted proposals; I am sure they contributed to your learning!
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    Congratulations 🥳👏👏
    Reejo Joseph
    @ReejoJoseph1244
    How to know who got selected and all ?
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    Hi, this year I was not lucky enough to be accepted at GSoC. If one of my two proposals is good, I could continue working on spdx/tools-golang. @zvr, Kate Stewart, seabass, @RishabhBhatnagar @tsteenbe @goneall swinslow, I am waiting for your opinions.
    1 reply
    Felix Winterhalter
    @Blackclaws

    Hey there everyone, I was wondering whether there is any sort of best practice for annotating proprietary licensed or not-yet open licensed code with spdx identifiers aside from saying LicenseRef-XYZ

    I'm currently annotating part of our codebase and there are simply parts that are not yet open to the public but I want to make sure that they are properly prepared and annotated.

    1 reply
    seabass
    @seabass:fosdem.org
    [m]

    (Ping pombredanne (Philippe Ombredanne); this sounds like your kind of thing 😀)

    Welcome, @Blackclaws!

    If you intend to release the codebase to the public for the first time as open source software, I would suggest labelling the code with the appropriate SPDX License Identifier for the open source license you intend to release it as. Then, you can simply withhold the SPDX document and release it with the software.

    On the other hand, if you want to release your codebase now (as proprietary software) with an accompanying SPDX document, you could indeed use LicenseRef-XYZ as you suggested. Alternatively, you could use NOASSERTION, which means that your customers have to assume it is proprietary until you say otherwise.

    I hope that helps in some way! Let me know if I've misunderstood or missed something. 😀

    Alexios Zavras (zvr)
    @zvr
    @Blackclaws I'd strongly recommend that you think about what the license of your code actually is (or might be, in all cases). In our case, we ended up deciding that proprietary code should not have any label about license, since the same code could be released to general public under EULA-1, to special customer X under Special-NDA-License-X, etc. etc. We definitely did not want to be changing annotations for each release.
    seabass
    @seabass:fosdem.org
    [m]
    Catalin Stratu: hasn't Steve Winslow sent you an email about this? He mentioned something about that to me
    I understand the content was an enthusiastic 'yes', which I would certainly second 😄
    1 reply
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    I wanted to see what the other members think about this subject
    uszeiss
    @uszeiss

    Hi all,

    What would be the recommended properties in an SPDX 2.2 document for storing information on the following package attributes:

    1. a package's usage in a product, so something like 'dynamically linked' or 'statically linked'
    2. a package's attribution notice, which is shown in the attribution report produced from the BOM.

    Looking at the specs, I could not find a suitable package property. I could use the 'comment' attribute, of course, or maybe an external reference, but I am hoping for a more specific property.

    If this is not the right place to post this question, just let me know. I'd appreciate any feedback.

    Cheers,
    Uwe

    Kate Stewart
    @kestewart
    Hi Uwe, in SPDX 2.2
    re: 1. way to represent static vs. dynamic link is via a relationship (see: https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/ STATIC_LINK, DYNAMIC_LINK)
    re: 2: attribution notice can be represented in https://spdx.github.io/spdx-spec/package-information/#723-package-attribution-text-field
    Hope this helps,
    Kate
    2 replies
    Catalin Stratu
    @catalinstratu:matrix.org
    [m]
    Hi @kestewart:
    jpew
    @jpew:matrix.org
    [m]
    We had talked about making the working group meetings more visible in the last General meeting, has that been done yet? I still can't find any info on them
    seabass
    @seabass:fosdem.org
    [m]
    jpew: the Outreach Team meeting has just started, if you want to join :)
    jpew
    @jpew:matrix.org
    [m]
    seabass: Wasn't specifically what I was looking for, but the reminder reminded me to ask :)
    seabass
    @seabass:fosdem.org
    [m]
    We've made a start with the meeting information visibility: https://github.com/spdx/meetings
    Amith KK
    @amithkk
    Hey! Just curious - why was the spdx sbom generator moved out into its own GitHub project? Is the spdx org on GitHub primarily meant to house standards and helper libraries now?
    seabass
    @seabass:fosdem.org
    [m]
    Hello @amithkk! Yup, that's right - here's the email in which Gary explained the move: https://lists.spdx.org/g/Spdx-tech/message/4226
    Amith KK
    @amithkk
    Ah okay! Thanks @seabass:fosdem.org
    uszeiss
    @uszeiss

    Hi all,

    What's the recommended way to include the license text of a package that has a SPDX-listed license (e.g. Apache-2.0) with an extra paragraph added below the original license text? Note that the extra paragraph is not intended to change the license itself (so it remains an Apache 2.0 license), but provides extra information like contact details or something similar the developers of the package wanted to include.

    I would like my SPDX JSON representation of this package to include or reference the full license text while the 'licenseDeclared' attribute is set to the license's SPDX-listed license ID.
    I don't think I can add an ExtractedLicenseInfo in this case, as this seems to require a license ID that starts with 'LicenseRef-', which I don't have. The 'licenseComments' attribute might serve as a workaround here, but I'm looking for better approaches.

    I could not find any resources for this scenario so I'd appreciate any recommendations.

    Thanks!

    seabass
    @seabass:fosdem.org
    [m]
    @nishakm: Canonicalisation Committee now on ;)
    Amith KK
    @amithkk

    Hi all,

    What's the recommended way to include the license text of a package that has a SPDX-listed license (e.g. Apache-2.0) with an extra paragraph added below the original license text? Note that the extra paragraph is not intended to change the license itself (so it remains an Apache 2.0 license), but provides extra information like contact details or something similar the developers of the package wanted to include.

    I would like my SPDX JSON representation of this package to include or reference the full license text while the 'licenseDeclared' attribute is set to the license's SPDX-listed license ID.
    I don't think I can add an ExtractedLicenseInfo in this case, as this seems to require a license ID that starts with 'LicenseRef-', which I don't have. The 'licenseComments' attribute might serve as a workaround here, but I'm looking for better approaches.

    I could not find any resources for this scenario so I'd appreciate any recommendations.

    Thanks!

    I'm interested in knowing this as well

    Philippe Ombredanne
    @pombredanne
    @uszeiss @amithkk the extra paragraph added is by construction not part of the Apache license (otherwise it would not be extra)... so the license becomes Apache-2.0 AND LicenseRef-xxxx for the extra para IMHO.... Do you have a link to such paragraph?
    6 replies
    Maximilian Huber
    @maxhbr
    Hey, what is the difference between DEPENDENCY_MANIFEST_OF and METAFILE_OF? The descriptions sound pretty similar, and for me pom.xml and package.json live in the same bucket:
    • METAFILE_OF says: A SOURCE file pom.xml is a metafile of the APPLICATION ‘Apache Xerces’.
    • DEPENDENCY_MANIFEST_OF says: A file package.json is the dependency manifest of a package foo.
    Maximilian Huber
    @maxhbr
    Another question on relations: there is CONTAINS, which suggests it is to be used on archives (An ARCHIVE file bar.tgz contains a SOURCE file foo.c.). But then does it do the same thing as EXPANDED_FROM_ARCHIVE? Can CONTAINS be used for non-archives, e.g. an ISO image contains a file?
    Maximilian Huber
    @maxhbr

    And as a potentially last question, I would like to understand the relation types FILE_ADDED and FILE_DELETED. They feel like ternary relations, since I would always want to say "from archive A.tgz I deleted file B.txt and the result was the archive C.tgz".

    Or in other words: in the example "A SOURCE file foo.diff has been deleted from package ARCHIVE bar.tgz." does the archive still contain the foo.diff or not? How to reference the original input or the output?

    I do not understand how to interpret or use these relations if I would see them in the wild.