Re: [spdx-tech] [spdx] Does SPDX support attachment of signature ?

2024-08-01 Thread Gary O'Neall
I'm going to move this conversation to the SPDX tech mailing list since much of 
the discussion is tech related.  Please reply to the spdx-t...@list.spdx.org 
email for further conversation.

Thanks,
Gary

> -Original Message-
> From: s...@lists.spdx.org  On Behalf
> Of Henk Birkholz
> Sent: Thursday, August 1, 2024 3:59 AM
> To: s...@lists.spdx.org
> Subject: Re: [spdx] Does SPDX support attachment of
> signature ?
> 
> Hi all,
> 
> fwiw, in IETF SCITT [1] we wrap the to-be-signed bytes (an
> untampered payload that is a statement about artifacts in the
> software supply chain & some crypto/identity metadata) in a
> standardized signing envelope that scales well with
> constrained devices (i.e., COSE_Sign1 as defined in IETF STD 96
> => RFC 9052 & RFC 9338).
> 
> It is of course possible to use XML DSig'esque approaches,
> but I think today we are trying to avoid that.
> 
> 
> Best regards,
> 
> Henk
> 
> [1] https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-08.html#name-signed-statement-examples
> 
> On 31.07.24 20:15, Martin, Robert A wrote:
> > +1
> >
> > *From:* s...@lists.spdx.org on behalf of Michael Lieberman
> > *Sent:* Wednesday, July 31, 2024 2:02:36 PM
> > *To:* s...@lists.spdx.org
> > *Subject:* [EXT] Re: [spdx] Does SPDX support attachment of signature ?
> > I really think the option of having the signature live outside the SBOM
> > is a good idea. I think it's good if SBOMs are shipped as a bundle of
> > the signature and SBOM but including the signature in the SBOM itself
> > really does hit those issues Gary raised. It also makes it easy to
> > support existing signature ecosystems without having to support those
> > ecosystems directly in the SBOM.
> >
> > On Wed, Jul 31, 2024 at 1:01 PM Jeffrey Otterson via lists.spdx.org wrote:
> >
> > FWIW, I kluged a digital signature into a spdx file by abusing
> > the "creator comment" field for a project I worked on.
> >
> > essentially, the entire spdx doc, _except the creator comment_ is
> > serialized and a digital signature generated, which is placed into
> > the creation info->creator comment, tagged with "Signature".
> > Validation works the same way, more or less.
> >
> > "It works."  It would be nice if there was a dedicated field for a
> > digital signature, but I think the approach generally works.
> >
> > spdx_doc.creation_info.creator_comment = f'Signature: {signature}'
> >
> > python code, that works with 'tools-python' SPDX library here:
> >
> > https://github.com/jotterson/sbom-validator/blob/master/spdx_utilities.py#L456
> > and
> > https://github.com/jotterson/sbom-validator/blob/master/signature_utilities.py#L40
> >
> > The approach uses a RSA keypair created with ssh-keygen for signing
> > and validation.
> >
> > Perhaps this will be useful to somebody.
> >
> > Jeff
> >
> > On Wed, Jul 31, 2024 at 8:35 AM Dick Brooks via lists.spdx.org wrote:
> >
> > Vivek,
> >
> > I can offer a glimpse of how Business Cyber Guardian delivers
> > signed SBOM's.
> >
> > We provide parties with a "Vendor Response Form" (VRF)
> > containing links to attestation materials and other artifacts
> > needed to perform a software product risk assessment following
> > US Government requirements specified in the CISA "CISA Secure
> > Software Attestation Form", a/k/

Re: [spdx-tech] [spdx] Does SPDX support attachment of signature ?

2024-07-30 Thread Gary O'Neall
Hi Vivek,

Thanks for posting the question.

We have discussed this topic in the SPDX technical team meetings.

I think you will find many of us believe signing SPDX documents is key to 
preserving the integrity of the software supply chain.

We came to the conclusion that signing should be done with an external standard 
and facility – such as sigstore.  There are two reasons I recall from the 
discussions:

*   The SBOM cannot store the digest for itself in itself, so storing a 
signature within the SPDX serialized document can be challenging
*   There are several already existing standards outside of SPDX which specify 
not only the digital signature formats, but also how to handle certificate 
authoring, self-signing, and other related processes

If you'd like to continue the discussion, I would suggest posting to the SPDX 
tech mailing list (added to the cc) or attending one of our weekly meetings.


Best regards,

 

From: s...@lists.spdx.org  On Behalf Of 
vivekkumarsahu...@gmail.com
Sent: Tuesday, July 30, 2024 1:02 AM
To: s...@lists.spdx.org
Subject: [spdx] Does SPDX support attachment of signature ?

 

Digital signatures are essential for ensuring document integrity. Given the 
critical role of Software Bill of Materials (SBOMs) in providing software 
component information, signing SBOMs with tools like GPG or Cosign is crucial. 
To facilitate verification, we need to determine the appropriate location 
within the SPDX format to incorporate these signatures. Does the SPDX formatted 
SBOM support fields for storing these signatures?





-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5683): https://lists.spdx.org/g/Spdx-tech/message/5683
Mute This Topic: https://lists.spdx.org/mt/107638408/21656
Group Owner: spdx-tech+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
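The three positions taken in the thread above, worked as an added example (this is not code from the thread, from Jeff's sbom-validator or from the SPDX project): the self-digest problem Gary raises, Jeff's sign-everything-except-creatorComment workaround, and the detached bundle Michael and Gary prefer. It assumes a constructed minimal SPDX 2.3 JSON document and uses HMAC-SHA256 with a placeholder key as a stand-in for the RSA or sigstore signature the thread discusses.

```python
"""Added example: why an SBOM cannot carry its own digest, and the two
workarounds discussed on the list, on a constructed SPDX 2.3 JSON document.
HMAC-SHA256 stands in for an asymmetric signature (assumption); a real
deployment would use cosign/sigstore, GPG or an RSA/Ed25519 key."""
import copy
import hashlib
import hmac
import json

# Constructed sample document; not a real SBOM.
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "creationInfo": {"created": "2024-07-31T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [{"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
                  "versionInfo": "1.0.0"}],
}
DEMO_KEY = b"constructed-demo-key"   # placeholder secret for the HMAC stand-in
PREFIX = "Signature: "


def canonical_bytes(doc, exclude_creator_comment=False):
    """Deterministic serialization (sorted keys, no whitespace). Signer and
    verifier must canonicalize identically or every signature fails."""
    d = copy.deepcopy(doc)
    if exclude_creator_comment:
        d.get("creationInfo", {}).pop("creatorComment", None)
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def self_digest_is_unstable(doc):
    """Gary's first reason: inserting the document's digest into the document
    changes the digest, so a self-contained digest can never verify."""
    before = hashlib.sha256(canonical_bytes(doc)).hexdigest()
    with_digest = copy.deepcopy(doc)
    with_digest["documentDigest"] = before   # hypothetical field, not in SPDX
    after = hashlib.sha256(canonical_bytes(with_digest)).hexdigest()
    return before != after


def embed_signature(doc, key=DEMO_KEY):
    """Jeff's workaround: sign everything except creatorComment, then store
    the signature there. The comment itself is therefore NOT covered."""
    tag = hmac.new(key, canonical_bytes(doc, True), "sha256").hexdigest()
    signed = copy.deepcopy(doc)
    signed.setdefault("creationInfo", {})["creatorComment"] = PREFIX + tag
    return signed


def verify_embedded(doc, key=DEMO_KEY):
    """Recompute over the same canonical bytes (comment excluded) and compare
    in constant time against the tag stored in creatorComment."""
    comment = doc.get("creationInfo", {}).get("creatorComment", "")
    if not comment.startswith(PREFIX):
        return False
    expected = hmac.new(key, canonical_bytes(doc, True), "sha256").hexdigest()
    return hmac.compare_digest(comment[len(PREFIX):], expected)


def detached_bundle(doc, key=DEMO_KEY):
    """The approach Gary and Michael favour: sign the exact serialized bytes
    and ship (bytes, signature) side by side; the SBOM content is untouched."""
    data = canonical_bytes(doc)
    return data, hmac.new(key, data, "sha256").hexdigest()


def verify_detached(data, sig, key=DEMO_KEY):
    """Verifies the bytes as shipped; re-serializing the file (even just
    pretty-printing it) invalidates the signature, which is the point."""
    return hmac.compare_digest(hmac.new(key, data, "sha256").hexdigest(), sig)


if __name__ == "__main__":
    signed = embed_signature(SAMPLE_DOC)
    print("self-digest unstable:", self_digest_is_unstable(SAMPLE_DOC))
    print("embedded verifies:", verify_embedded(signed))
    data, sig = detached_bundle(SAMPLE_DOC)
    print("detached verifies:", verify_detached(data, sig))
```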




[spdx-tech] Reminder: Software as a Service Meeting Monday 10AM Pacific

2024-06-01 Thread Gary O'Neall
Just a reminder we will be having the next meeting for the Software as a
Service profile team at 10AM Pacific time on Monday.

 

Here's a link to the zoom invite for the call:
https://us02web.zoom.us/j/87627432628?pwd=TmZzYk1UR3JVclJyYXlBREVNR0t4dz09

 

Gary







Re: [spdx-tech] easy and simple way to express licenses in subdirectories

2024-05-02 Thread Gary O'Neall
Hi Oliver,

 

Looks like a good candidate for adding this to the examples repository
<https://github.com/spdx/spdx-examples> .

 

I opened issue #79 <https://github.com/spdx/spdx-examples/issues/79>  to
track the request.

 

We could add just the SPDX file, but it would be nice if we had some source
files to use in the example as well - if you happen to have a good open
source example, could you attach or reference that in the issue?

 

I'm just about to head out on a 10 day vacation, so it may be a while before
I can generate the associated SPDX file, but I will take a look at it when I
get back.

 

Best,
Gary

 

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
Oliver Fendt via lists.spdx.org
Sent: Thursday, May 2, 2024 11:45 AM
To: Gary O'Neall ; spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] easy and simple way to express licenses in
subdirectories

 

Hi Gary,

 

thanks a lot.

Can you please give me an example with a valid syntax in tag value, if
possible?

 

Ciao

Oliver

 

From: Gary O'Neall <g...@sourceauditor.com>
Sent: Thursday, May 2, 2024 8:38 PM
To: Fendt, Oliver (T SSP) <oliver.fe...@siemens.com>; spdx-tech@lists.spdx.org
Subject: RE: [spdx-tech] easy and simple way to express licenses in
subdirectories

 

Hi Oliver,

 

In SPDX, you can use the SPDX Package to represent a subdirectory of files
within a larger package.

 

In your scenario, one approach would be to create an SPDX package - if it
doesn't have a logical name, you could call it something like "C licensed
files" with a declared license of C.  Then use the "contains" relationship
from the parent package to the subdirectory.

 

Let me know if you need more context / description.

 

Best,
Gary

 

From: Spdx-tech@lists.spdx.org On Behalf Of
Oliver Fendt via lists.spdx.org
Sent: Thursday, May 2, 2024 12:48 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] easy and simple way to express licenses in
subdirectories

 

Dear Folks,

 

I have a simple question and I am wondering whether you can help me.

Sometimes you find in a package (let's assume the declared license is A) in
some subdirectory (let's assume SUB-DIR-X) a README file with the following
wording: "the files in this directory are licensed under license C", but
none of the files in this directory contain any license information and do
not contain any reference to the README file in this directory.

Is there an easy and simple way to express this in spdx 2.3 and in spdx 3.0
(but 2.3 is currently more important)?

 

Thank you very much

 

Ciao

Oliver

 





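Oliver asked for the tag-value form of what Gary describes; the sketch below is an added example, not from the thread or the SPDX project. MIT and Apache-2.0 stand in for licenses A and C, every name and URL is constructed, and FilesAnalyzed is set to false so that no PackageVerificationCode is required.

```text
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-package-with-subdir
DocumentNamespace: https://example.com/spdx/example-package-with-subdir
Creator: Person: Example Author
Created: 2024-05-02T12:00:00Z

## Parent package: declared license A (MIT used as a stand-in)
PackageName: example-package
SPDXID: SPDXRef-Package-example
PackageVersion: 1.0.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseDeclared: MIT
PackageLicenseConcluded: MIT
PackageCopyrightText: NOASSERTION

## Sub-package standing for SUB-DIR-X: declared license C (Apache-2.0 as a stand-in)
PackageName: SUB-DIR-X files
SPDXID: SPDXRef-Package-SUB-DIR-X
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: Apache-2.0
PackageCopyrightText: NOASSERTION
PackageComment: <text>Files under SUB-DIR-X carry no license headers; the
license is stated only in SUB-DIR-X/README.</text>

## The subdirectory package is contained in the parent package
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example
Relationship: SPDXRef-Package-example CONTAINS SPDXRef-Package-SUB-DIR-X
```

If the individual files are listed as well (FilesAnalyzed: true), the sub-package additionally needs a PackageVerificationCode and each file a CONTAINS relationship from SPDXRef-Package-SUB-DIR-X.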




Re: [spdx-tech] easy and simple way to express licenses in subdirectories

2024-05-02 Thread Gary O'Neall
Hi Oliver,

 

In SPDX, you can use the SPDX Package to represent a subdirectory of files
within a larger package.

 

In your scenario, one approach would be to create an SPDX package - if it
doesn't have a logical name, you could call it something like "C licensed
files" with a declared license of C.  Then use the "contains" relationship
from the parent package to the subdirectory.

 

Let me know if you need more context / description.

 

Best,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
Oliver Fendt via lists.spdx.org
Sent: Thursday, May 2, 2024 12:48 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] easy and simple way to express licenses in
subdirectories

 

Dear Folks,

 

I have a simple question and I am wondering whether you can help me.

Sometimes you find in a package (let's assume the declared license is A) in
some subdirectory (let's assume SUB-DIR-X) a README file with the following
wording: "the files in this directory are licensed under license C", but
none of the files in this directory contain any license information and do
not contain any reference to the README file in this directory.

Is there an easy and simple way to express this in spdx 2.3 and in spdx 3.0
(but 2.3 is currently more important)?

 

Thank you very much

 

Ciao

Oliver

 









Re: [spdx-tech] Update on website redirects

2024-04-10 Thread Gary O'Neall
The URL’s have been updated – let me know if you see any issues.
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Joshua 
Watt
Sent: Tuesday, April 9, 2024 10:06 AM
To: Gary O'Neall 
Cc: SPDX Technical Mailing List ; Jeff Licquia 
; Steve Winslow ; Kate Stewart 

Subject: Re: [spdx-tech] Update on website redirects

 

Gary,

 

Due to changes in the output file names from the SPDX spec parser, some of 
these URLs need to be adjusted. Please change these redirects to the new URLs:

 

https://spdx.org/rdf/3.0.0/spdx-model.ttl -> 
https://spdx.github.io/spdx-spec/v3.0/model/spdx-model.ttl

https://spdx.org/rdf/3.0.0/spdx-context.jsonld -> 
https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld

https://spdx.org/rdf/3.0.0/spdx-json-serialize-annotations.ttl -> 
https://spdx.github.io/spdx-spec/v3.0/model/jsonld-annotations.ttl

 

 

On Wed, Apr 3, 2024 at 12:42 PM Gary O'Neall <g...@sourceauditor.com> wrote:

Greetings all,

 

All of the redirects for the schemas/context files for the SPDX 3.0 release are 
now in place.

 

Below is the list of URL and the target of the redirects.

 

Let me know if you have any issues accessing the files.

 

Gary

 


URL -> Redirect Target

https://spdx.org/schema/3.0.0/spdx-json-schema.json -> https://spdx.github.io/spdx-spec/v3.0/model/schema.json

https://spdx.org/rdf/3.0.0/spdx-model.ttl -> https://spdx.github.io/spdx-spec/v3.0/model/ontology.rdf.ttl

https://spdx.org/rdf/3.0.0/spdx-context.jsonld -> https://spdx.github.io/spdx-spec/v3.0/model/context.jsonld








Re: [spdx-tech] Using sh:in for enums

2024-04-03 Thread Gary O'Neall
See https://github.com/spdx/spdx-3-model/issues/460

I personally think we should implement this - especially if Joshua has local 
changes.

Alexios - agree?

Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Joshua Watt
> Sent: Wednesday, April 3, 2024 9:24 AM
> To: SPDX Technical Mailing List 
> Cc: Zavras, Alexios ; Sean Barnum
> ; Gary O'Neall 
> Subject: [spdx-tech] Using sh:in for enums
> 
> After some poking around in the SHACL model, I realized we may want to use
> the sh:in constraint for properties that reference an enum to restrict the
> possible values to actual enum values, as this will greatly aid end users in
> knowing if documents are valid.
> 
> This would generate SHACL for a property that looks like:
> 
> [ sh:class <https://rdf.spdx.org/v3/Core/PresenceType> ;
>   sh:in (
>     <https://rdf.spdx.org/v3/Core/PresenceType/yes>
>     <https://rdf.spdx.org/v3/Core/PresenceType/no>
>     <https://rdf.spdx.org/v3/Core/PresenceType/noAssertion> ) ;
>   sh:maxCount 1 ;
>   sh:nodeKind sh:IRI ;
>   sh:path <https://rdf.spdx.org/v3/AI/autonomyType> ],
> 
> I've already got a local change in the spec parser repo I can push up as a PR
> if we want to do this.
> 
> Thanks,
> Joshua Watt
> 
> 
> 








[spdx-tech] Update on website redirects

2024-04-03 Thread Gary O'Neall
Greetings all,

 

All of the redirects for the schemas/context files for the SPDX 3.0 release
are now in place.

 

Below is the list of URL and the target of the redirects.

 

Let me know if you have any issues accessing the files.

 

Gary

 


URL -> Redirect Target

https://spdx.org/schema/3.0.0/spdx-json-schema.json -> https://spdx.github.io/spdx-spec/v3.0/model/schema.json

https://spdx.org/rdf/3.0.0/spdx-model.ttl -> https://spdx.github.io/spdx-spec/v3.0/model/ontology.rdf.ttl

https://spdx.org/rdf/3.0.0/spdx-context.jsonld -> https://spdx.github.io/spdx-spec/v3.0/model/context.jsonld






Re: [spdx-tech] Pre meeting topic: SPDX Serialization URLs

2024-04-02 Thread Gary O'Neall
+1 on spdx.org.

 

I can also help with maintaining files in the spdx.org website if we want to go 
in that direction.  I have setup redirects for the model URI’s referenced in 
the spec (example: spdx.org/rdf/Core/Annotation).  Note that the redirects 
changes the URL in the address bar.  If this approach is OK, I can setup 
similar redirects for these files. 

 

Currently, Steve and I can upload to spdx.org/licenses and spdx.org/rdf 
subdirectories.  If we want to use a different subdirectory or a subdomain 
(e.g. docs.spdx.org), we will likely need help from LF IT.

 

Any thoughts on specific subdomain or subdirectory names?  For the context 
file, putting it under the rdf subdirectory makes sense to me, but I’m not sure 
if this makes sense for the JSON schema since it is not RDF specific.

 

One other detail – in RDF we have the current released terms at 
spdx.org/rdf/terms and we have specific versions under 
spdx.org/rdf/ontology/spdx-X-Y.  Do we want to take a similar approach to host 
multiple versions of the schema and context files?

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Steve 
Winslow
Sent: Monday, April 1, 2024 11:06 AM
To: Kate Stewart 
Cc: Gary O'Neall ; Joshua Watt ; 
SPDX Technical Mailing List 
Subject: Re: [spdx-tech] Pre meeting topic: SPDX Serialization URLs

 

I’d agree with Kate — putting these on the spdx.org domain probably makes 
sense. In addition to the License List, the RDF model files for 2.3 are also on 
spdx.org (see https://spdx.org/rdf/ontology/spdx-2-3/)

The split of the website to spdx.dev, and all other SPDX assets remaining on 
spdx.org, is kind of a historical artifact that I’m happy to describe in more 
detail if needed (hopefully it isn't needed).  :)

If you do want to push them to spdx.org, I can likely assist with that. Though 
may also need some help from Linux Foundation IT support as they currently 
manage the hosting for that domain.

If it’s redirects you’re looking for, I know we have some set up as well so 
that we were able to preserve old links when the website moved to Wordpress / 
spdx.dev. For example, the old URL https://spdx.org/ids redirects to 
https://spdx.dev/learn/handling-license-info/. I’m assuming we could do the 
same to redirect to a GitHub Pages site if needed in the short term.

 

Steve





On Apr 1, 2024, at 1:15 PM, Kate Stewart <kstew...@linuxfoundation.org> wrote:

 

How about hosting them on the spdx.org domain, like we do the license list?  
(https://spdx.org/licenses/)

 

On Mon, Apr 1, 2024 at 11:35 AM Gary O'Neall <g...@sourceauditor.com> wrote:

Note: the spdx.dev website uses WordPress.  I'm not proficient in WordPress 
myself and I'm not sure how to implement a redirect (I suspect there is a 
plugin for this), but I do have access to make the changes if we want to have 
the official URL have the spdx.dev domain.

Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org On Behalf Of
> Joshua Watt
> Sent: Friday, March 29, 2024 7:34 AM
> To: SPDX Technical Mailing List
> Subject: [spdx-tech] Pre meeting topic: SPDX Serialization URLs
> 
> All,
> 
> Since we are rapidly approaching the announcement date for SPDX 3, we need
> to make sure that we are able to have users write valid serialized SPDX 3
> documents on the day of announcement. In order for JSON-LD serialization to
> work properly, we need to provide URLs for the JSON-LD context file, the JSON
> schema to validate documents, and the RDF model. These are currently
> hosted at https://spdx.github.io/spdx-spec/v3.0/model/ . This URL will be
> encoded into serialized documents, so before we tell the masses that they
> should write SPDX 3 documents, these URLs need to be finalized and host
> actual content. I suspect that we will not want these URLs to live on GitHub,
> and some URL on spdx.dev would be a better choice, but I do not know what
> that URL would be or how to make it "live". I think that making the actual
> URLs redirect to the GitHub ones will be sufficient until we are done finalizing
> SPDX 3.0, as that might be easier than trying to have the current GitHub
> Actions pipeline publish somewhere else, but I have no idea how to set this
> up. This issue is captured in https://github.com/spdx/spdx-3-model/issues/679,
> please comment there if possible.
> 
> If we can sort this out before Tuesday's tech meeting, that would be great, but
> if not we will discuss it there and try to reach a resolution. The two items we
> need to sol

Re: [spdx-tech] Pre meeting topic: SPDX Serialization URLs

2024-04-01 Thread Gary O'Neall
Note: the spdx.dev website uses WordPress.  I'm not proficient in WordPress 
myself and I'm not sure how to implement a redirect (I suspect there is a 
plugin for this), but I do have access to make the changes if we want to have 
the official URL have the spdx.dev domain.

Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Joshua Watt
> Sent: Friday, March 29, 2024 7:34 AM
> To: SPDX Technical Mailing List 
> Subject: [spdx-tech] Pre meeting topic: SPDX Serialization URLs
> 
> All,
> 
> Since we are rapidly approaching the announcement date for SPDX 3, we need
> to make sure that we are able to have users write valid serialized SPDX 3
> documents on the day of announcement. In order for JSON-LD serialization to
> work properly, we need to provide URLs for the JSON-LD context file, the JSON
> schema to validate documents, and the RDF model. These are currently
> hosted at https://spdx.github.io/spdx-spec/v3.0/model/ . This URL will be
> encoded into serialized documents, so before we tell the masses that they
> should write SPDX 3 documents, these URLs need to be finalized and host
> actual content. I suspect that we will not want these URLs to live on GitHub,
> and some URL on spdx.dev would be a better choice, but I do not know what
> that URL would be or how to make it "live". I think that making the actual
> URLs redirect to the GitHub ones will be sufficient until we are done 
> finalizing
> SPDX 3.0, as that might be easier than trying to have the current GitHub
> Actions pipeline publish somewhere else, but I have no idea how to set this
> up. This issue is captured in https://github.com/spdx/spdx-3-model/issues/679,
> please comment there if possible.
> 
> If we can sort this out before Tuesday's tech meeting, that would be great, but
> if not we will discuss it there and try to reach a resolution. The two items we
> need to solve are:
> 1. What are the file URLs for these items
> 2. Who is going to do the work to setup the redirects
> 
> Thanks,
> Joshua Watt
> 
> 
> 








Re: [spdx-tech] Questions about package checksum?

2024-04-01 Thread Gary O'Neall
Greetings,

 

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Yasutake 
Kurita
Sent: Thursday, March 28, 2024 7:52 PM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] Questions about package checksum?

 

Questions about the following items.

https://spdx.github.io/spdx-spec/v2.3/package-information/#710-package-checksum-field

 

Am I correct in understanding that if a package consists of a single file, such 
as a ZIP file, the checksum of that file is described?

[G.O.] Yes

If a package consists of multiple files that are not compressed, what should be 
written in the checksum?

[G.O.] In this case, the Package Verification Code should be used in place of 
the checksum.  See 
https://github.com/spdx/spdx-spec/blob/development/v2.3.1/chapters/how-to-use.md#k3-verifying-spdx-packages
for a more complete description.

 

Regards,

Yasutake Kurita.

 





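Both answers Gary gives above, worked as an added example (not code from the thread or from the SPDX project): the checksum of a single archive, and the SPDX 2.3 Package Verification Code for an uncompressed set of files, computed as the spec's Package Verification Code field defines it (SHA1 of each file, lowercase hex digests sorted, concatenated without separator, SHA1 of that, with the SPDX document itself excluded). The file contents are constructed; the verifier helper and its line parsing are this example's own, not a tools-python API.

```python
"""Added example: SPDX 2.3 package checksum vs. Package Verification Code on a
constructed in-memory package, plus a verifier that recomputes the code from a
PackageVerificationCode line. Uses only the standard library."""
import hashlib

# Constructed package contents (path -> bytes); not a real project.
PACKAGE_FILES = {
    "libfoo/foo.c": b"int foo(void) { return 42; }\n",
    "libfoo/foo.h": b"int foo(void);\n",
    "libfoo/README": b"Files in this directory are licensed under MIT.\n",
    "libfoo/libfoo.spdx": b"SPDXVersion: SPDX-2.3\n",  # the SBOM itself
}


def archive_checksum(archive_bytes, algorithm="sha256"):
    """Single-artifact case: a package shipped as one ZIP/tarball just gets
    the checksum of that file in PackageChecksum."""
    return hashlib.new(algorithm, archive_bytes).hexdigest()


def package_verification_code(files, excluded=()):
    """Multi-file case. Returns (code, excluded_names). The code depends only
    on file contents, not on names or order, so renaming a file is invisible
    while changing one byte anywhere changes the result."""
    digests = []
    for name, content in files.items():
        if name in excluded:          # typically the SPDX document itself
            continue
        digests.append(hashlib.sha1(content).hexdigest())
    digests.sort()                    # ascending order of the hex strings
    code = hashlib.sha1("".join(digests).encode("ascii")).hexdigest()
    return code, sorted(excluded)


def format_tag_value(code, excluded):
    """Render the field as it appears in a tag-value SPDX file."""
    tail = f" (excludes: {' '.join(excluded)})" if excluded else ""
    return f"PackageVerificationCode: {code}{tail}"


def verify_package(files, sbom_line):
    """Recompute the code over the files on hand and compare with the
    PackageVerificationCode line taken from the SBOM; True only when the
    files match what the SBOM described (parser is this example's own)."""
    value = sbom_line.split(":", 1)[1].strip()
    code = value.split(" ")[0]
    excluded = ()
    if "(excludes:" in value:
        excluded = tuple(value.split("(excludes:", 1)[1].rstrip(")").split())
    return package_verification_code(files, excluded)[0] == code


if __name__ == "__main__":
    code, ex = package_verification_code(PACKAGE_FILES,
                                         excluded=("libfoo/libfoo.spdx",))
    line = format_tag_value(code, ex)
    print(line)
    print("verifies:", verify_package(PACKAGE_FILES, line))
```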




[spdx-tech] Serialization meeting agenda and context

2024-03-20 Thread Gary O'Neall
Greetings all,

 

Our next serialization meeting is tomorrow (Thursday) at 8AM Pacific Time
(3PM GMT).

 

We will be continuing the discussion from the tech call on how we specify
the handling of IDs for the serialized format (pull request 622).

 

To avoid re-opening old issues unless absolutely needed, below is a list of
previous decisions on the handling of ID based on reviewing the notes
(primarily based on the meeting minutes from 2023-07-21
<https://github.com/spdx/meetings/blob/main/serialisation/2023-07-21.md> ,
2023-08-01
<https://github.com/spdx/meetings/blob/main/tech/2023/2023-08-01.md> ,
2023-08-08
<https://github.com/spdx/meetings/blob/main/tech/2023/2023-08-08.md> ,
2023-8-10
<https://github.com/spdx/meetings/blob/main/serialisation/2023-08-10.md> ):

*   Every class will have an ID.  This includes both Element and
non-Element classes (e.g. CreationInfo, Hash).
*   Elements are required to have an ID which is a URI that can be
shared across serializations (Note: Sean may not have agreed to this
decision)
*   Serializations are allowed to use anonymous ID's / blank nodes (e.g.
they can inline the checksum class in JSON-LD) for non-Element classes;
however, when deserializing they must be made unique within the internal
model representation (e.g. Skolemized
<https://en.wikipedia.org/wiki/Skolem_normal_form> ).
*   CreationInfo will use anonymous / blank node ID's in JSON-LD as the
compaction approach

 

Additional references:

*   Duplication of creation information was discussed on 2023-05-16
<https://github.com/spdx/meetings/blob/main/tech/2023/2023-05-16.md>  and
2023-06-27
<https://github.com/spdx/meetings/blob/main/tech/2023/2023-06-27.md> 
*   Issue comment
<https://github.com/spdx/spdx-3-model/issues/357#issuecomment-1656482951>
indicating we agreed to use anonymous nodes in JSON-LD for creation info
*   JSON example with significant comment / discussions on creation info
- pull request 376 <https://github.com/spdx/spdx-3-model/pull/376> 
*   Open issue describing various compaction algorithms

 

If anyone believes we did not make the above decisions, please raise this
before we dive into solutions - preferably via email before the meeting.

 

I've made a couple of conclusions (or perhaps assumptions) based on the
above - quite interested if others have come to different conclusions:

 

*   I don't recall if this was explicitly discussed, but based on the
fact we have in the model the SPDX ID on Element and not on any other class,
I believe Element IDs need to be treated differently than any other IDs
during serialization / deserialization (note that I did not say in the model
- just in serialization / deserialization) - for example - restrict the node
type to be a URI type and not allow blank nodes.  This would not be done in
serialization for the other non-Element classes which are allowed to be
blank.
*   Since CreationInfo was the only non-Element class discussed for
compaction, this would be the only element we allow to be referenced with an
internal ID in our serialization spec.  BTW - I'm completely open to making
this same compaction approach available to all non-Element classes.
*   Even though we allow blank nodes for non-Element classes when
serialized, this is not required - they can optionally be URI IDs.

 

We may or may not need to discuss the above conclusions / assumptions - just
listing them in case they become important in any of the proposed solutions.

 

If time, I would also like to go through the backlog of other pull requests
and issues:

  - Pull requests (2):
https://github.com/spdx/spdx-3-model/pulls?q=is%3Apr+is%3Aopen+-milestone%3A3.1+label%3Aserialization

  - Issues (14):
https://github.com/spdx/spdx-3-model/issues?q=is%3Aissue+is%3Aopen+-milestone%3A3.1+label%3Aserialization

 

Gary

 







[spdx-tech] SPDX meeting schedules

2024-03-20 Thread Gary O'Neall
With the completion of RC2, a number of the subgroup meetings have changed -
either changed frequency or have stopped meeting altogether due to their
work being completed.

 

I would like to ask all of the profile / sub-group leads to update the SPDX
Meetings GitHub repo README.md
<https://github.com/spdx/meetings/blob/main/README.md>  file with the
current meeting information using a pull request on the README file.

 

Kate, Rob and/or I will update the groups.io calendar to match the
information.

 

Thanks,

Gary







Re: [spdx-tech] Reminder - timezone change for SPDX tech call

2024-03-12 Thread Gary O'Neall
Just to clarify – the meeting is at 9AM PDT which is 30 minutes from now.

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Venkat 
Ramakrishnan
Sent: Tuesday, March 12, 2024 7:54 AM
To: Martin, Robert A 
Cc: Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Reminder - timezone change for SPDX tech call

 

Hello all,

 

Currently the time in San Francisco is 7:53 AM. In how many minutes from now

would the meeting start? :)

 

Regards,

Venkat.

 

On Tue, Mar 12, 2024 at 5:30 PM Martin, Robert A <ramar...@mitre.org> wrote:

I beg to differ - the meeting is at 9am PDT - noon EDT.

Bob

Robert (Bob) Martin
Sr. Software and Supply Chain Assurance Principal Eng.
Cross Cutting Solutions and Innovation Dept
Cyber Solutions Innovation Center
MITRE Labs
MITRE Corporation
781-271-3001o
781-424-4095c

On 3/11/24 7:59 PM, Gary O'Neall wrote:


Just a reminder, the U.S. is now on daylight savings time, so the call may be 
an hour earlier depending on your location.

 

The call is scheduled for 10AM PDT.

 

Best regards,

Gary









Re: [spdx-tech] Reminder - timezone change for SPDX tech call

2024-03-12 Thread Gary O'Neall
Correction: the call is at 9AM PDT - sorry for the extra confusion.

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Gary
O'Neall
Sent: Monday, March 11, 2024 4:59 PM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] Reminder - timezone change for SPDX tech call

 

Just a reminder, the U.S. is now on daylight savings time, so the call may
be an hour earlier depending on your location.

 

The call is scheduled for 10AM PDT.

 

Best regards,

Gary





View/Reply Online (#5566): https://lists.spdx.org/g/Spdx-tech/message/5566




[spdx-tech] Reminder - timezone change for SPDX tech call

2024-03-11 Thread Gary O'Neall
Just a reminder, the U.S. is now on daylight savings time, so the call may
be an hour earlier depending on your location.

 

The call is scheduled for 10AM PDT.

 

Best regards,

Gary



View/Reply Online (#5563): https://lists.spdx.org/g/Spdx-tech/message/5563




[spdx-tech] SPDX 3.0 Release Candidate 2 is released and ready for review

2024-03-06 Thread Gary O'Neall
Greetings SPDX community,

 

We are pleased to announce that the release candidate 2 for SPDX 3.0 is now
published and available online in HTML format:
https://spdx.github.io/spdx-spec/v3.0/

 

You can also find the associated SHACL and JSON LD artifacts at
https://github.com/spdx/spdx-spec/tree/v3.0-RC2/ontology 

 

Please review the specification and related artifacts.

 

For any issues identified in the model itself, please add an issue to the
SPDX 3 Model repo.

 

For any issues with documentation outside of the model (e.g. Annexes),
please add an issue to the SPDX Spec repo.

 

For release candidate 2, we focused on supporting the JSON-LD serialization
format and fixed a number of issues identified in the RC1 review process.

 

Within the tech team, we are now discussing the need for additional
serialization formats and responding to any issues identified in the RC2
release.  Feel free to follow the discussion on the SPDX tech mailing
list or join our weekly SPDX tech calls.

 

Best regards,

SPDX Tech Team



View/Reply Online (#5560): https://lists.spdx.org/g/Spdx-tech/message/5560




Re: [spdx-tech] Tuesday's tech call

2024-03-05 Thread Gary O'Neall
Hi Dick - the Tag/Value discussion is definitely on the radar.  We will pick
this up in the serialization meetings once Kate is back online.

 

Thanks,

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Dick
Brooks
Sent: Tuesday, March 5, 2024 3:40 AM
To: 'Gary O'Neall' ; spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Tuesday's tech call

 

Gary,

 

One additional request for us implementers:

 

Decide if Tag/Value serialization (and parsing) is supported or not. 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council - A Public-Private Partnership

 

Never trust software, always verify and report! ™
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: d...@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org On Behalf Of
Gary O'Neall
Sent: Monday, March 4, 2024 11:16 PM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] Tuesday's tech call

 

For tomorrow's tech call, I have some topics I would like to discuss:

*   Issue 651 <https://github.com/spdx/spdx-3-model/issues/651> :
Conflicting property names prevents compaction
*   Issue 572 <https://github.com/spdx/spdx-3-model/issues/572> :
Confirm we have consensus on the data license - I think we can close this
issue

 

After reviewing all the open issues, there are a few candidates for
discussion on our call:

*   Issue 630 <https://github.com/spdx/spdx-3-model/issues/630> :
Consider extensibility for package "file" types
*   Integrity Method related issues and PR's - Issue 595
<https://github.com/spdx/spdx-3-model/issues/595> , 
*   Issue 561 <https://github.com/spdx/spdx-3-model/issues/561> : Add
Software Level of Support property to Software Package
*   Issue 522 <https://github.com/spdx/spdx-3-model/issues/522> :
Expressing conformance constraints - should this be moved to 3.1?

 

There are quite a few open issues and pull requests that we need to clean up
for the final SPDX 3.0 release (in addition to anything we find in the RC2
review).  I would encourage each of the profile teams to filter the open
issues and pull requests on the profile labels and review / resolve /
update.  If you decide to push the resolution to 3.1, please update the
milestone.

 

Best regards,
Gary





View/Reply Online (#5558): https://lists.spdx.org/g/Spdx-tech/message/5558




[spdx-tech] Tuesday's tech call

2024-03-04 Thread Gary O'Neall
For tomorrow's tech call, I have some topics I would like to discuss:

*   Issue 651 <https://github.com/spdx/spdx-3-model/issues/651> :
Conflicting property names prevents compaction
*   Issue 572 <https://github.com/spdx/spdx-3-model/issues/572> :
Confirm we have consensus on the data license - I think we can close this
issue

 

After reviewing all the open issues, there are a few candidates for
discussion on our call:

*   Issue 630 <https://github.com/spdx/spdx-3-model/issues/630> :
Consider extensibility for package "file" types
*   Integrity Method related issues and PR's - Issue 595
<https://github.com/spdx/spdx-3-model/issues/595> , 
*   Issue 561 <https://github.com/spdx/spdx-3-model/issues/561> : Add
Software Level of Support property to Software Package
*   Issue 522 <https://github.com/spdx/spdx-3-model/issues/522> :
Expressing conformance constraints - should this be moved to 3.1?

 

There are quite a few open issues and pull requests that we need to clean up
for the final SPDX 3.0 release (in addition to anything we find in the RC2
review).  I would encourage each of the profile teams to filter the open
issues and pull requests on the profile labels and review / resolve /
update.  If you decide to push the resolution to 3.1, please update the
milestone.

 

Best regards,
Gary



View/Reply Online (#5554): https://lists.spdx.org/g/Spdx-tech/message/5554




Re: [spdx-tech] JSON schema for spdx-3-model

2024-03-02 Thread Gary O'Neall
Thanks Kobota-san!

I like the visualizations and the schemas.  It will really help in the
definition of the Lite profile.

Originally, I was thinking of coupling the "Lite Profile" to the tag/value
discussions, but I'm wondering if it may be more aligned with a "simple
JSON" discussion.

Something we could discuss on the next Asia SPDX call and the next
serialization call.

Should I go ahead and merge the pull request?  We could always create
subsequent pull requests / issues to add / correct anything we find in
reviews.

Best regards,
Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Norio Kobota
> Sent: Sunday, February 25, 2024 8:41 PM
> To: spdx-tech@lists.spdx.org
> Subject: [spdx-tech] JSON schema for spdx-3-model
> 
> Dear SPDX tech team,
> 
> I tried to create and to visualize a JSON Schema for
> https://github.com/spdx/spdx-3-model/commit/ca9738bd0fa0f826f9cccac76ca18e326af84d35.
> You can find my PR on
> https://github.com/spdx/spdx-3-serialization-prototype-playground/pull/28 .
> There may be mistakes, but I hope these diagrams help you understand the
> current specification.
> Also, I could not correctly represent some things, such as Constraints, with
> JSON schema.
> I am not familiar with JSON LD, so if there is a way to solve with JSON LD, it
> would be helpful if you could tell me those as well.
> 
> Best regards,
>   -- Kobota




View/Reply Online (#5551): https://lists.spdx.org/g/Spdx-tech/message/5551




Re: [spdx-tech] Build Profile meeting invite pause

2024-02-26 Thread Gary O'Neall
I just paused the meetings - we should not get any additional reminders after 
this.

Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Joshua Watt
> Sent: Monday, February 26, 2024 9:23 AM
> To: l...@google.com
> Cc: SPDX Technical Mailing List 
> Subject: Re: [spdx-tech] Build Profile meeting invite pause
> 
> Yes, AFAIK we are done now.
> 
> On Mon, Feb 26, 2024 at 10:19 AM Brandon Lum via lists.spdx.org
>  wrote:
> >
> > Hi,
> >
> > I believe the build profiles meeting is on pause right now, would it be
> possible to cancel the meeting invites for now?
> >
> > Cheers
> > Brandon
> >
> 
> 
> 




View/Reply Online (#5547): https://lists.spdx.org/g/Spdx-tech/message/5547




Re: [spdx-tech] SPDX 3.0

2024-02-21 Thread Gary O'Neall
Hi Benedicte,

 

Responses inline below.

 

 

From: Spdx-tech@lists.spdx.org  On Behalf Of 
Benedicte Presse
Sent: Wednesday, February 21, 2024 6:33 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] SPDX 3.0

 

Hi all,

 

I read some information about SPDX, and especially that the 3.0 SPDX model 
will soon be released (I saw that a release candidate has been published).

Could you tell me when it will be delivered?

[G.O.] We just released the RC2 version of the model.  This is the version we 
will be taking through the OMG standards process and we expect there will be 
some feedback requiring (hopefully minor) changes.  That being said, we would 
encourage anyone interested in SPDX 3.0 to start evaluating/using the RC2 
version.  This would help provide valuable feedback if you run into any issues. 
 Also note that we separate the model from the full spec.  The 3.0-RC2 version 
of the spec should be out very soon – within a week or so.  The spec will 
provide a more readable version of the model plus various supporting 
documentation.  We’ll send out a message on this distribution list once it is 
ready.

Will it be possible to migrate from 2.0 to 3.0 ? 

[G.O.] Yes – There is a draft document describing the migration from SPDX 2.X 
to SPDX 3.0: 
https://docs.google.com/document/d/1-olHRnX1CssUS67Psv_sAq9Vd-pc81HF8MM0hA7M0hg/edit#heading=h.uzojmh0kkl
 – I’m in the process of updating the document for the RC2 release.

 

Thanks in advance for your answer,

Best regards,

Benedicte Presse





View/Reply Online (#5540): https://lists.spdx.org/g/Spdx-tech/message/5540




[spdx-tech] RDF related issues

2024-02-20 Thread Gary O'Neall
As a follow-up to our tech call this morning, I would like to start a
separate thread on resolving the RDF specific issues.

 

These issues can be found using the following link:
https://github.com/spdx/spdx-3-model/issues?q=is%3Aopen+is%3Aissue+label%3ARDF%2FOWL%2FSHACL

 

If you know of any issues not captured in the above link, please add the
"RDF/OWL/SHACL" label to the issue.

 

Anyone interested in working through these issues, please let me know if you
are available for one or two real-time calls to work through these on
Zoom.  I'll follow-up with those who have expressed interest with a poll on
which days/times work best.  I'm thinking of starting with a 2 hour meeting
and see if we can't just work through all of the issues in one session.

 

Also, feel free to respond directly to the issues or reply to this email
thread with any thoughts.

 

Thanks,
Gary



View/Reply Online (#5538): https://lists.spdx.org/g/Spdx-tech/message/5538




Re: [spdx-tech] FYI - SPDX Online Tools Upgrade in progress

2024-01-21 Thread Gary O'Neall
The upgrade to the SPDX online tools is now complete.

 

The online tools have been updated to version 1.2.3.  See the release notes
<https://github.com/spdx/spdx-online-tools/releases/tag/v1.2.3> for a
summary of the changes.

 

There is one known issue where the "check license" button on the submit new
license page does not work (issue #527
<https://github.com/spdx/spdx-online-tools/issues/527> ).

 

If you run into any issues - please submit a new issue
<https://github.com/spdx/spdx-online-tools/issues/new/choose>  in the SPDX
online tools git repository.

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Gary
O'Neall
Sent: Sunday, January 21, 2024 8:46 AM
To: spdx-tech@lists.spdx.org; 'SPDX-legal' 
Subject: [spdx-tech] FYI - SPDX Online Tools Upgrade in progress

 

FYI - I'll be upgrading the SPDX online tools over the next hour or two - it
may be temporarily unavailable.  I'll send a follow-up email once the
upgrade is complete.


Gary





View/Reply Online (#5496): https://lists.spdx.org/g/Spdx-tech/message/5496




[spdx-tech] FYI - SPDX Online Tools Upgrade in progress

2024-01-21 Thread Gary O'Neall
FYI - I'll be upgrading the SPDX online tools over the next hour or two - it
may be temporarily unavailable.  I'll send a follow-up email once the
upgrade is complete.


Gary



View/Reply Online (#5494): https://lists.spdx.org/g/Spdx-tech/message/5494




[spdx-tech] CISA document on identifiers

2024-01-18 Thread Gary O'Neall
One of the proposed solutions for package verification is to use OMNIBor
identifiers for verification purposes (see PR #602
<https://github.com/spdx/spdx-3-model/pull/602>  for documentation on this
approach).

 

Since it relates to identifiers, I thought it might be useful to review the
recently released paper on identifiers from CISA
<https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf>
- there is a request for comment.

 

Note that the goal of the paper seems focused on the correlation of package
artifacts with vulnerability management systems.  There are other use cases
which don't seem to be considered (or at least mentioned) in the paper.

 

A few things I noticed while scanning the paper related to the verification
code discussion:

*   It sadly doesn't reference Software Heritage ID's, which I
personally think is a well thought through identifier scheme.  I wonder how
SWHID's compare with OmniBOR in terms of some of the issues raised in the
paper.
*   No mention of using the identifiers for verification purpose,
although there is a mention of "Inherent Identifiers" whose properties
include the ability to verify
*   One of the criteria is "grouping" - which is stated to be unsolved
at this point
*   Section 2.5 "Path 5: Unidentified Software Descriptor to Augment
Paths 2, 3, and 4" describes a path which seems quite implementable using
our current SPDX 3.0 model

 

Gary



View/Reply Online (#5490): https://lists.spdx.org/g/Spdx-tech/message/5490




[spdx-tech] Postponing serialization meetings until post RC2

2024-01-15 Thread Gary O'Neall
Greetings SPDX tech team,

 

With the focus on getting RC2 out and the fact we have worked through the
backlog of serialization issues for RC2, we will be pausing the
serialization meetings until after the RC2 release.

 

We will start them back up shortly after RC2 and start working on
serialization formats beyond JSON-LD.

 

If you do have any issues you think should be discussed in RC2 - please add
the issue to the spdx-3-model git repo and add serialization as a label and
a milestone of RC2.

 

Thanks,

Gary, Max and Alexios

 



View/Reply Online (#5487): https://lists.spdx.org/g/Spdx-tech/message/5487




[spdx-tech] Software as a Service Subgroup meeting schedule

2023-12-31 Thread Gary O'Neall
We will not be having a Software as a Service meeting tomorrow (January 1)
since it is New Year's Day.

 

We'll pick back up on January 15th and start working through the profile
definition based on our highest priority use cases.

 

Gary



View/Reply Online (#5471): https://lists.spdx.org/g/Spdx-tech/message/5471




Re: [spdx-tech] Commercial tools

2023-11-26 Thread Gary O'Neall
Hi Benedicte,

 

The SPDX outreach team maintains the website and the list of commercial tools.

 

Moving this email to the outreach team list.

 

I don’t believe there has been a request to add FNCI to the list.

 

To request the addition of the tool, an issue can be added to the outreach 
github repo: https://github.com/spdx/outreach/issues

 

Ideally, the request would be made by the owner of the tool.

 

The request should include all the necessary information for the tools (e.g. 
versions supported, scenarios).

 

Best regards,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of 
Benedicte Presse
Sent: Thursday, November 23, 2023 9:31 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] Commercial tools

 

Hello,

 

On the SPDX website, we can see several commercial tools: BlackDuck, ...

 

Why isn't FNCI (FlexNet Code Insight) from Revenera (or old name: Palamida) in 
this list?

 

Thanks in advance for your answer,

Best regards, 





View/Reply Online (#5442): https://lists.spdx.org/g/Spdx-tech/message/5442




[spdx-tech] FYI - cleaning up some of the serialization PR's and Issues

2023-11-03 Thread Gary O'Neall
Greetings tech team,

 

I went through and attempted to clean up some of the serialization issues
and pull requests to be consistent with the current solutions and decisions.

 

If you feel any of the closed PR's are in error, consider opening a new issue
that describes the part of the issue not conflicting with the decisions
made.

 

I was a little uncomfortable we may lose some good discussion threads and
documentation, but closed issues are not really deleted so we can always
recover the information.  Perhaps we can copy some of the information to the
meetings repo?

 

If you have any questions or concerns, let me know before next Wednesday -
I'll be traveling after that with limited email access.

 

Thanks,


Gary

 



View/Reply Online (#5415): https://lists.spdx.org/g/Spdx-tech/message/5415




Re: [spdx-tech] Conversion spdx files from 2.2 to 2.3

2023-11-03 Thread Gary O'Neall
Greetings Benedicte,

 

The SPDX Java Libraries used by tools-java and the SPDX online tools does 
support upgrading from 2.2 to 2.3.  I just realized, however, there is no UI or 
command line option to enable this ☹

 

I’ve added an issue to tools-java to implement this: 
https://github.com/spdx/tools-java/issues/146

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Dick 
Brooks
Sent: Friday, November 3, 2023 7:57 AM
To: 'Benedicte Presse' ; spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Conversion spdx files from 2.2 to 2.3

 

That could be difficult to achieve as V 2.2 file objects do not contain 
“version” information, making it difficult to determine the version info when 
changing from a file object into a V 2.3 Package Object with a Primary Purpose 
= “File”

 

I don’t think it would help much to convert Files to Package’s with a Primary 
Purpose = “File” if the version field always contains “NO ASSERTION”.

 

Just my 0.02.

 

At REA, we just decided to create SPDX V 2.3 SBOM’s from scratch, but we also 
found it very easy to convert a CycloneDX SBOM into an SPDX V 2.3 SBOM, and 
vice versa.

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report! ™
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: d...@reliableenergyanalytics.com

Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org On Behalf Of
Benedicte Presse
Sent: Friday, November 3, 2023 10:40 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] Conversion spdx files from 2.2 to 2.3

 

Hello,

 

Is there a tool that converts spdx files from 2.2 to 2.3 release ?

I find no tool in github.

 

Thanks in advance for your answer,

Best regards,

Bénédicte





View/Reply Online (#5414): https://lists.spdx.org/g/Spdx-tech/message/5414




[spdx-tech] Serialization Next Steps

2023-11-02 Thread Gary O'Neall
Greetings tech team,

 

On Tuesday's tech call, we agreed to an approach on serializations and have
a few follow-up steps we would like to complete before next Tuesday's tech
call:

 

*   Review 3 pull requests that implement the above decisions:

*   PR to document how we serialize data which may be implemented in the
native serialization format: https://github.com/spdx/spdx-3-model/pull/509 
*   PR to update the External Map to use Artifact and relationships to
the SpdxDocument: https://github.com/spdx/spdx-3-model/pull/542 
*   PR to document the SpdxDocument:
https://github.com/spdx/spdx-3-model/pull/490

 

*   Analyze current uses of SPDX External Document references to test
the External Map implementation.

*   I opened an issue we can use to add comments for each individual
analysis: https://github.com/spdx/spdx-3-model/issues/546

 

Please note that I will be on vacation away from email from Wednesday until
November 23.

 

I would like to ask that the serialization team continue without me working
through the remaining issues - especially any that may impact RC2.  There's
quite a bit of cleanup on the current issues now that we made the recent
decisions.

 

Thanks,
Gary

 

 



View/Reply Online (#5411): https://lists.spdx.org/g/Spdx-tech/message/5411




Re: [spdx-tech] RDF range problem in SHACL model

2023-10-26 Thread Gary O'Neall
Hi Joshua,

 

From the RDF spec definition of rdfs:SubclassOf
<https://www.w3.org/TR/rdf12-schema/#ch_subclassof>, it looks like subclasses
should be allowed in the range since all instances of the subclass should also
be instances of the class.

 

We could try a different validator to see if this is an issue with PySHACL.  
Here’s an online validator: https://shacl.org/playground/

 

If you found any documentation to the contrary, let me know.

 

Sean, Alexios – any thoughts?

Gary

 

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Joshua Watt
> Sent: Wednesday, October 25, 2023 12:06 PM
> To: SPDX Technical Mailing List
> Subject: [spdx-tech] RDF range problem in SHACL model
> 
> I dug further into trying to get my Yocto SPDX output to validate against the
> JSON LD SHACL model. I've made some progress, but I think maybe I've come
> up against a problem that I don't know how to solve.
> 
> Disclaimer: I'm not a SHACL, RDF or ontology expert so please excuse my
> misuse of nomenclature.
> 
> It looks like there might be a problem in the model in regard to the usage of
> "rdfs:range" to validate the type values of object properties. Based on my
> reading and experiments, it looks like that field requires that the referenced
> object be of _exactly_ one of the listed types, and cannot be a subclass
> derived from that type. As an example, the "createdBy" property of
> core:CreationInfo has "rdfs:range" of "core:Agent". Practically speaking, this
> means that only an _exact_ core:Agent is allowed in this field, and classes
> derived from that class (such as core:Organization) are not allowed (or at
> least, pyshacl indicates a violation).




View/Reply Online (#5398): https://lists.spdx.org/g/Spdx-tech/message/5398
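To make the rdfs:subClassOf point from this thread concrete, here is an added example (not code from the thread, from pyshacl or from the SPDX project) that compares an exact-type range check with one that applies subclass entailment over a few constructed triples. The core: class names follow the thread; the IRIs, the extra `core:Tool` class and the blank-node names are assumptions.

```python
"""Added example: rdfs:range checking with and without rdfs:subClassOf entailment.

Constructed triples (subject, predicate, object) mirror the createdBy case from
the thread: core:Organization is declared a subclass of core:Agent, and a
CreationInfo node references an Organization through core:createdBy.
The core:Tool class and all blank-node names are assumptions for this example.
"""
from collections import defaultdict

RDF_TYPE = "rdf:type"
RDFS_SUBCLASS_OF = "rdfs:subClassOf"
RDFS_RANGE = "rdfs:range"

# Constructed schema triples (class hierarchy and one property range).
SCHEMA = [
    ("core:Organization", RDFS_SUBCLASS_OF, "core:Agent"),
    ("core:Person", RDFS_SUBCLASS_OF, "core:Agent"),
    ("core:SoftwareAgent", RDFS_SUBCLASS_OF, "core:Agent"),
    ("core:Agent", RDFS_SUBCLASS_OF, "core:Element"),
    ("core:createdBy", RDFS_RANGE, "core:Agent"),
]

# Constructed data triples: one valid reference, one that must fail either way.
DATA = [
    ("_:ci1", RDF_TYPE, "core:CreationInfo"),
    ("_:ci1", "core:createdBy", "_:acme"),
    ("_:acme", RDF_TYPE, "core:Organization"),
    ("_:ci2", RDF_TYPE, "core:CreationInfo"),
    ("_:ci2", "core:createdBy", "_:scanner"),
    ("_:scanner", RDF_TYPE, "core:Tool"),  # assumed class, not an Agent subclass
]


def subclass_closure(schema):
    """Map each class to the set of itself plus every transitive superclass."""
    direct = defaultdict(set)
    for s, p, o in schema:
        if p == RDFS_SUBCLASS_OF:
            direct[s].add(o)
    classes = set(direct) | {sup for sups in direct.values() for sup in sups}
    closure = {}
    for cls in classes:
        seen, stack = {cls}, [cls]
        while stack:
            for sup in direct.get(stack.pop(), ()):
                if sup not in seen:
                    seen.add(sup)
                    stack.append(sup)
        closure[cls] = seen
    return closure


def declared_ranges(schema):
    """Map each property to the set of classes given as its rdfs:range."""
    rng = defaultdict(set)
    for s, p, o in schema:
        if p == RDFS_RANGE:
            rng[s].add(o)
    return rng


def types_of(data, node):
    """Explicit rdf:type values of a node in the data graph."""
    return {o for s, p, o in data if s == node and p == RDF_TYPE}


def check_ranges(schema, data, entail_subclasses=True):
    """Return a list of range violations (empty means every reference is in range).

    With entail_subclasses=False the object must carry one of the range classes
    as an explicit rdf:type; with True any subclass of a range class is accepted,
    which is what rdfs:subClassOf semantics imply.
    """
    closure = subclass_closure(schema)
    rng = declared_ranges(schema)
    violations = []
    for s, p, o in data:
        if p not in rng:
            continue
        explicit = types_of(data, o)
        effective = set(explicit)
        if entail_subclasses:
            for t in explicit:
                effective |= closure.get(t, {t})
        if not effective & rng[p]:
            violations.append(
                f"{s} {p} {o}: types {sorted(explicit)} not in range {sorted(rng[p])}")
    return violations


if __name__ == "__main__":
    print("exact type match:", check_ranges(SCHEMA, DATA, entail_subclasses=False))
    print("with subclass entailment:", check_ranges(SCHEMA, DATA))
```

The exact-type check flags the Organization as well as the Tool; with subclass entailment only the Tool remains, which is the behaviour a validator with RDFS inference enabled should give.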




Re: [spdx-tech] How and where (in spdx files) write the choosen licence ?

2023-10-26 Thread Gary O'Neall
Hi Bénédicte,

 

For the redistributed package, you can put your chosen license in the concluded 
license field.  The declared license should remain as described by the 
originator of the package.  I would also recommend that you add a license 
comment stating that the license was chosen for the redistribution.

 

Best,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of 
Benedicte Presse
Sent: Thursday, October 26, 2023 12:26 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] How and where (in spdx files) write the choosen licence ?

 

Hello,

 

As you know, a software component can have several licenses.

The SPDX standard defines 2 attributes:

- One for the declared license

- One for the concluded license

 

When a person redistributes a package, he can choose the applicable license.

For example ("caricatural" example): A software component is under GPL or MIT. 
He can choose the MIT license; he has to declare the MIT licence redistribution 
to avoid being required to provide the source files required by the GPL v3 
license.

 

How do I declare in SPDX files the chosen licence: MIT, whereas the declared 
licence can be "GPL v3 OR MIT" ("caricatural" example)?

 

Thanks in advance for your answer,

Best regards,

Bénédicte





View/Reply Online (#5397): https://lists.spdx.org/g/Spdx-tech/message/5397
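As an added example (not code from the thread or from the SPDX project): a small checker that the concluded license is one of the alternatives actually offered by the declared expression (AND binds tighter than OR, as in SPDX license expressions), together with a builder for the SPDX 2.3 JSON package fields the answer above refers to. The package name, version and comment wording are constructed.

```python
"""Added example: check that a concluded license is an alternative offered by
the declared license expression, then build the SPDX 2.3 JSON package fields
that record the choice. Package name, version and comment text are constructed.
"""
import re

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive-descent parser producing a disjunctive normal form:
    a set of alternatives, each a frozenset of license terms that must all hold.
    AND binds tighter than OR; 'X WITH exception' is kept as one term."""

    def __init__(self, expression):
        self.toks = _TOKEN.findall(expression)
        self.i = 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of license expression")
        self.i += 1
        return tok

    def parse(self):
        result = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return frozenset(result)

    def _or_expr(self):
        alternatives = self._and_expr()
        while self._peek() and self._peek().upper() == "OR":
            self._take()
            alternatives |= self._and_expr()
        return alternatives

    def _and_expr(self):
        conj = self._atom()
        while self._peek() and self._peek().upper() == "AND":
            self._take()
            right = self._atom()
            # Cross product: every left alternative combined with every right one.
            conj = {a | b for a in conj for b in right}
        return conj

    def _atom(self):
        tok = self._take()
        if tok == "(":
            inner = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing ')' in license expression")
            return inner
        if tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError(f"unexpected token {tok!r}")
        term = tok
        if self._peek() and self._peek().upper() == "WITH":
            self._take()
            term = f"{term} WITH {self._take()}"
        return {frozenset([term])}


def to_dnf(expression):
    """Set of alternatives (frozensets of terms) for an SPDX license expression."""
    return _Parser(expression).parse()


def is_permitted_choice(declared, concluded):
    """True when every alternative of the concluded expression satisfies at
    least one complete alternative of the declared expression: the concluded
    license may add terms but may not drop any that the originator required."""
    offered = to_dnf(declared)
    chosen = to_dnf(concluded)
    return all(any(opt <= alt for opt in offered) for alt in chosen)


def redistribution_package(name, version, declared, concluded, reason):
    """SPDX 2.3 JSON package fields recording the redistributor's choice."""
    if not is_permitted_choice(declared, concluded):
        raise ValueError(f"{concluded!r} is not an alternative offered by {declared!r}")
    return {
        "name": name,
        "versionInfo": version,
        "licenseDeclared": declared,       # as stated by the originator
        "licenseConcluded": concluded,     # the option chosen for redistribution
        "licenseComments": f"Concluded license chosen for redistribution: {reason}",
    }


if __name__ == "__main__":
    print(redistribution_package("libexample", "1.0.0", "GPL-3.0-only OR MIT",
                                 "MIT", "redistributed under the MIT option"))
```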




Re: [spdx-tech] [spdx] Date model for SPDX

2023-10-18 Thread Gary O'Neall
Hi Bénédicte,

 

We have an object model and a few schemas which I’ll detail below.

 

I’m cc’ing the tech mailing list – if you have any follow-on questions, I would 
recommend posting those to the tech team since this list is more general in 
nature.

 

For SPDX 2.3:

*   Object model diagram: 
https://github.com/spdx/spdx-spec/blob/master/ontology/SPDX-2.3-simplified.png 
*   Various ontology RDF OWL schema files (used to generate the above 
object model diagram): https://github.com/spdx/spdx-spec/tree/master/ontology
*   JSON Schema: 
https://github.com/spdx/spdx-spec/blob/master/schemas/spdx-schema.json

 

For SPDX 3.0 (under development for RC2):

*   Generated model HTML files: 
https://spdx.github.io/spdx-3-model/auto-generated/
*   SHACL / OWL: https://spdx.github.io/spdx-3-model/model.ttl
*   Source markdown files for the model: 
https://github.com/spdx/spdx-3-model

 

Best,
Gary

 

 

From: s...@lists.spdx.org  On Behalf Of Benedicte Presse
Sent: Wednesday, October 18, 2023 5:13 AM
To: s...@lists.spdx.org
Subject: [spdx] Date model for SPDX

 

Dear all,

 

Is there a data model for the SPDX format ?

 

Thanks in advance for your answer.

Best regards,

 

Bénédicte





View/Reply Online (#5385): https://lists.spdx.org/g/Spdx-tech/message/5385




[spdx-tech] This week's serialization meetings moved 1 hour

2023-10-03 Thread Gary O'Neall
This week's serialization meeting on 5 October will be moved out 1 hour to
not conflict with the general meeting (9AM Pacific time).

 

Best,

Gary







[spdx-tech] SPDX Tech Call Agenda - and request for review

2023-10-02 Thread Gary O'Neall
For Tuesday's tech call, the serialization team would like to get input and
decide on if we include the list of elements in addition to the native
serialization of elements.

 

The decision is described in issue #505
<https://github.com/spdx/spdx-3-model/issues/505> . 

 

Prior to the call, please read over the issue.

 

If you don't plan on attending but would like to have a voice in the
decision, please add a comment to the issue.

 

Gary







[spdx-tech] Meeting on Namespace Approach

2023-09-05 Thread Gary O'Neall
In today's tech call, we decided to have a separate meeting to decide on the
NameSpace approach.

 

It will be at 9AM Pacific Time Wednesday (tomorrow) - same time as the SPDX
tech call.


Below are the Zoom coordinates - these are different from the SPDX tech call
coordinates.

 

I've also included the thread with links to the various proposals for
reference.

 

Gary

 

Join Zoom Meeting
 
https://us02web.zoom.us/j/89576295212?pwd=OFFKZm9nZnhHWkc1YWlIS1FrNDNtUT09

Meeting ID: 895 7629 5212
Passcode: 595108


Find your local number:
https://us02web.zoom.us/u/kqN5dFmus

 

From: Gary O'Neall  
Sent: Tuesday, September 5, 2023 8:37 AM
To: 'SPDX Technical Mailing List' 
Subject: RE: Homework for this week's tech call

 

Just a bit more background on the namespace map: there were two previous
PRs attempting to solve the NamespaceMap problem. At the start of our tech
call, we can decide if we want to include either of these in the solutions
to be considered.  I'm sending this out before the call so you have a chance to
review in case they do come up on the call:

 

*   Original solution proposal moving NamespaceMap to Document:
https://github.com/spdx/spdx-3-model/pull/403/files
*   Proposal to create a separate profile for serialization information:
https://github.com/spdx/spdx-3-model/pull/479

 

Gary

 

From: Gary O'Neall <g...@sourceauditor.com>
Sent: Monday, September 4, 2023 5:31 PM
To: 'SPDX Technical Mailing List' <Spdx-tech@lists.spdx.org>
Subject: Homework for this week's tech call

 

Greetings all,

 

I would like to ask that before the tech call this week you review the following
before participating in the discussion on namespace maps:

*   Last tech call minutes - around line 58 in
https://spdx.swinslow.net/p/spdx-tech-minutes 
*   Last week's serialization team minutes around line 23 in
https://spdx.swinslow.net/p/spdx-tech-minutes 
*   Sean's PR containing a proposed solution using the namespace map
https://github.com/spdx/spdx-3-model/pull/490 
*   My attempt at creating a PR implementation of Max's proposed
solution (If Max has time before the call, he may update the PR to better
reflect the proposal) https://github.com/spdx/spdx-3-model/pull/491 

 

Please note: the class named "X" is temporary.  We agreed on a prior
serialization call not to name the class until we finished defining the
semantics.

 

On the tech call, we plan to choose between these 2 proposals.  We will base
our decision on how well it supports the use cases we discussed in previous
calls and other criteria such as complexity to understand and complexity to
implement.

 

Thanks,
Gary







Re: [spdx-tech] Homework for this week's tech call

2023-09-05 Thread Gary O'Neall
Just a bit more background on the namespace map: there were two previous
PRs attempting to solve the NamespaceMap problem. At the start of our tech
call, we can decide if we want to include either of these in the solutions
to be considered.  I'm sending this out before the call so you have a chance to
review in case they do come up on the call:

 

*   Original solution proposal moving NamespaceMap to Document:
https://github.com/spdx/spdx-3-model/pull/403/files
*   Proposal to create a separate profile for serialization information:
https://github.com/spdx/spdx-3-model/pull/479

 

Gary

 

From: Gary O'Neall  
Sent: Monday, September 4, 2023 5:31 PM
To: 'SPDX Technical Mailing List' 
Subject: Homework for this week's tech call

 

Greetings all,

 

I would like to ask that before the tech call this week you review the following
before participating in the discussion on namespace maps:

*   Last tech call minutes - around line 58 in
https://spdx.swinslow.net/p/spdx-tech-minutes 
*   Last week's serialization team minutes around line 23 in
https://spdx.swinslow.net/p/spdx-tech-minutes 
*   Sean's PR containing a proposed solution using the namespace map
https://github.com/spdx/spdx-3-model/pull/490 
*   My attempt at creating a PR implementation of Max's proposed
solution (If Max has time before the call, he may update the PR to better
reflect the proposal) https://github.com/spdx/spdx-3-model/pull/491 

 

Please note: the class named "X" is temporary.  We agreed on a prior
serialization call not to name the class until we finished defining the
semantics.

 

On the tech call, we plan to choose between these 2 proposals.  We will base
our decision on how well it supports the use cases we discussed in previous
calls and other criteria such as complexity to understand and complexity to
implement.

 

Thanks,
Gary







[spdx-tech] Homework for this week's tech call

2023-09-04 Thread Gary O'Neall
Greetings all,

 

I would like to ask that before the tech call this week you review the following
before participating in the discussion on namespace maps:

*   Last tech call minutes - around line 58 in
https://spdx.swinslow.net/p/spdx-tech-minutes 
*   Last week's serialization team minutes around line 23 in
https://spdx.swinslow.net/p/spdx-tech-minutes 
*   Sean's PR containing a proposed solution using the namespace map
https://github.com/spdx/spdx-3-model/pull/490 
*   My attempt at creating a PR implementation of Max's proposed
solution (If Max has time before the call, he may update the PR to better
reflect the proposal) https://github.com/spdx/spdx-3-model/pull/491 

 

Please note: the class named "X" is temporary.  We agreed on a prior
serialization call not to name the class until we finished defining the
semantics.

 

On the tech call, we plan to choose between these 2 proposals.  We will base
our decision on how well it supports the use cases we discussed in previous
calls and other criteria such as complexity to understand and complexity to
implement.

 

Thanks,
Gary







Re: [spdx-tech] NOASSERTION on PackageVersion field

2023-08-18 Thread Gary O'Neall
My initial thought is that NOASSERTION should only be applicable to certain 
fields where a “known unknown” assertion is valuable.

 

In the RDF / OWL / semantic web SPDX spec., we would add a NOASSERTION value in 
the range of possible values for that property.  This would allow computer 
semantic reasoning to answer questions like “what packages in this distribution 
have ‘known unknown’ version?”.

 

The downside is that we would need to do more updates to the spec. 

 

Best,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Brandon 
Lum via lists.spdx.org
Sent: Friday, August 18, 2023 10:38 AM
To: Gary O'Neall 
Cc: d...@reliableenergyanalytics.com; SPDX Technical Mailing List 
; Emrick Donadei ; Tyler Pirtle 

Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

 

I think one follow-up question is around whether it is recognized in the 
specification. For example, for package supplier 
(https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field)
it is stated clearly that NOASSERTION is within the format, but not in the 
case of VersionInfo.

 

I think the question is: is NOASSERTION usable in any text field? Or does there 
need to be an explicit indication within the spec where a NOASSERTION can be used?

 

On Fri, Aug 18, 2023 at 1:22 PM Gary O'Neall <g...@sourceauditor.com> wrote:

My opinion is that it would be useful to be able to express a “known unknown” 
on the version if the version can’t be determined.

 

I also agree we should strive to always have a version available.  This is 
especially important in tracking vulnerability information.  I just know that 
there are several situations where this just isn’t possible (e.g. source files 
copied from an upstream project where no one kept track of the original 
version).  It would be better to have the imperfect package information than no 
information at all.

 

The NOASSERTION approach seems like a consistent way to represent the “known 
unknown”.

 

Gary

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Dick Brooks
Sent: Friday, August 18, 2023 9:53 AM
To: l...@google.com; 'SPDX Technical Mailing List' <Spdx-tech@lists.spdx.org>
Cc: 'Emrick Donadei' <edona...@google.com>; 'Tyler Pirtle' <r...@google.com>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

 

Brandon,

 

REA applies the NOASSERTION value when a PackageVersion is indeterminate, based 
on guidance provided by the NTIA work effort.

 

This is not an issue with “file components” as no version is required.

 

 

 

Thanks,

 

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™ <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Brandon Lum via lists.spdx.org
Sent: Friday, August 18, 2023 12:16 PM
To: SPDX Technical Mailing List <Spdx-tech@lists.spdx.org>
Cc: Emrick Donadei <edona...@google.com>; Tyler Pirtle <r...@google.com>
Subject: [spdx-tech] NOASSERTION on PackageVersion field

 

Hi,

 

In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into 
situations where the version information of a package is unknown. What comes to 
mind is to set the version to NOASSERTION. However, this is not currently spelt 
out in the spec 
(https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).
 

 

Although semantically, in terms of usage of information, it should be similar, 
it still lacks the ability to say that "This information is incomplete", with 
the exception of having NOASSERTION be set on the DEPENDS_ON relationship more 
broadly - which may perhaps be a different discussion altogether. 

 

Wanted to get thoughts on this.

 

Cheers

Brandon
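As an added example, not code from this thread or from the SPDX project: a consumer-side check that reads an SPDX 2.3 document in either JSON or tag:value form and reports, per package, whether the version is known, asserted unknown (NOASSERTION) or simply absent, and flags DEPENDS_ON relationships whose target is NOASSERTION. The field and tag names used (versionInfo / PackageVersion, relatedSpdxElement / Relationship) are the SPDX 2.3 ones; both sample documents are constructed for the example.

```python
"""Audit an SPDX 2.3 document for "known unknown" package versions.

The thread separates two states a consumer should not conflate:
  * PackageVersion / versionInfo equal to the literal NOASSERTION: the producer
    looked and asserts that the version could not be determined;
  * the field absent or empty: nothing was asserted at all.
Either state makes version-based vulnerability matching impossible, so both are
reported, but separately. Relationships whose target is NOASSERTION (the
DEPENDS_ON case raised in the thread) are reported as incomplete dependency
data. Both sample documents below are constructed for this example.
"""
import json
from typing import Dict, List

NOASSERTION = "NOASSERTION"

# Constructed SPDX 2.3 JSON document with one package per version state.
SAMPLE_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-liba", "name": "liba", "versionInfo": "1.4.2"},
        {"SPDXID": "SPDXRef-libb", "name": "libb", "versionInfo": NOASSERTION},
        {"SPDXID": "SPDXRef-vendored", "name": "vendored-src"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-liba", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libb"},
        {"spdxElementId": "SPDXRef-libb", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": NOASSERTION},
    ],
})

# The same content in SPDX 2.3 tag:value form (constructed).
SAMPLE_TAG_VALUE = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom

PackageName: liba
SPDXID: SPDXRef-liba
PackageVersion: 1.4.2

PackageName: libb
SPDXID: SPDXRef-libb
PackageVersion: NOASSERTION

PackageName: vendored-src
SPDXID: SPDXRef-vendored

Relationship: SPDXRef-liba DEPENDS_ON SPDXRef-libb
Relationship: SPDXRef-libb DEPENDS_ON NOASSERTION
"""


def classify_version(version) -> str:
    """Map a version value to 'known', 'known-unknown' or 'missing'."""
    if version is None or str(version).strip() == "":
        return "missing"
    if version == NOASSERTION:
        return "known-unknown"
    return "known"


def load_json(text: str) -> Dict[str, list]:
    """Extract (SPDXID, version) pairs and relationship targets from SPDX JSON."""
    doc = json.loads(text)
    packages = [(p["SPDXID"], p.get("versionInfo")) for p in doc.get("packages", [])]
    rel_targets = [r.get("relatedSpdxElement") for r in doc.get("relationships", [])]
    return {"packages": packages, "rel_targets": rel_targets}


def load_tag_value(text: str) -> Dict[str, list]:
    """Minimal tag:value reader: a PackageName tag opens a new package block and
    the SPDXID / PackageVersion tags that follow belong to that block."""
    packages: List[list] = []
    rel_targets: List[str] = []
    current = None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        tag, value = (s.strip() for s in raw.split(":", 1))
        if tag == "PackageName":
            current = [None, None]          # [SPDXID, version]
            packages.append(current)
        elif tag == "SPDXID" and current is not None:
            current[0] = value
        elif tag == "PackageVersion" and current is not None:
            current[1] = value
        elif tag == "Relationship":
            parts = value.split()           # "<element> <type> <related element>"
            if len(parts) == 3:
                rel_targets.append(parts[2])
    return {"packages": [tuple(p) for p in packages], "rel_targets": rel_targets}


def audit(parsed: Dict[str, list]) -> Dict[str, list]:
    """Group packages by version state and flag NOASSERTION relationship targets."""
    report: Dict[str, list] = {"known": [], "known-unknown": [], "missing": []}
    for spdx_id, version in parsed["packages"]:
        report[classify_version(version)].append(spdx_id)
    report["incomplete_relationships"] = [t for t in parsed["rel_targets"] if t == NOASSERTION]
    return report


if __name__ == "__main__":
    for label, parsed in (("json", load_json(SAMPLE_JSON)),
                          ("tag:value", load_tag_value(SAMPLE_TAG_VALUE))):
        print(label, audit(parsed))
```

Both serializations of the same content produce the same report, so a consumer policy (reject, accept with warning, or require an explicit NOASSERTION over silence) can be applied regardless of format.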









Re: [spdx-tech] NOASSERTION on PackageVersion field

2023-08-18 Thread Gary O'Neall
My opinion is that it would be useful to be able to express a “known unknown” 
on the version if the version can’t be determined.

 

I also agree we should strive to always have a version available.  This is 
especially important in tracking vulnerability information.  I just know that 
there are several situations where this just isn’t possible (e.g. source files 
copied from an upstream project where no one kept track of the original 
version).  It would be better to have the imperfect package information than no 
information at all.

 

The NOASSERTION approach seems like a consistent way to represent the “known 
unknown”.

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Dick 
Brooks
Sent: Friday, August 18, 2023 9:53 AM
To: l...@google.com; 'SPDX Technical Mailing List' 
Cc: 'Emrick Donadei' ; 'Tyler Pirtle' 
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

 

Brandon,

 

REA applies the NOASSERTION value when a PackageVersion is indeterminate, based 
on guidance provided by the NTIA work effort.

 

This is not an issue with “file components” as no version is required.

 

 

 

Thanks,

 

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™ <https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Brandon Lum via lists.spdx.org
Sent: Friday, August 18, 2023 12:16 PM
To: SPDX Technical Mailing List <Spdx-tech@lists.spdx.org>
Cc: Emrick Donadei <edona...@google.com>; Tyler Pirtle <r...@google.com>
Subject: [spdx-tech] NOASSERTION on PackageVersion field

 

Hi,

 

In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into 
situations where the version information of a package is unknown. What comes to 
mind is to set the version to NOASSERTION. However, this is not currently spelt 
out in the spec 
(https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).
 

 

Although semantically, in terms of usage of information, it should be similar, 
it still lacks the ability to say that "This information is incomplete", with 
the exception of having NOASSERTION be set on the DEPENDS_ON relationship more 
broadly - which may perhaps be a different discussion altogether. 

 

Wanted to get thoughts on this.

 

Cheers

Brandon









Re: [spdx-tech] Thoughts on the issues of NamespaceMap and SpdxDocument

2023-08-17 Thread Gary O'Neall
I thought I would update this email thread with some context – the results of 2 
meetings on the topic (SPDX Tech Call on 15 Aug and Serialization call on 17 
Aug) and the planned next steps.  I would encourage anyone interested in the 
issue to read through the context before next Tuesday’s tech call.

 

The original issue is #390 <https://github.com/spdx/spdx-3-model/issues/390> .

 

On the SPDX tech call, we agreed that for namespaces “we need to preserve 
roundtripping and conversion between formats, as well as linkage between 
elements located in different collections.”  This led to a discussion on how we 
preserve the namespaces for round tripping.  The next step was to create 
criteria and compare different solutions and choose one.

 

On the serialization call, we identified 4 potential solutions:

*   The original proposal to have a class with a “originalNamespaceMap” 
property to preserve the namespace from the original serialization.  This is 
represented in pull request 403 
<https://github.com/spdx/spdx-3-model/pull/403/files> .
*   Sean’s recent proposal at the start of this thread
*   David’s proposal to handle this in the serialization spec having 
specific requirements for handling and translating namespaces
*   Max’s proposal to add a Deserialization profile and class in pull 
request #479 <https://github.com/spdx/spdx-3-model/pull/479/files> 

 

During the discussion, we learned the original proposal and Sean’s proposal were 
more similar than different.  They both propose adding a class to the model to 
represent the namespaces and a purely optional “hint” type property.  The class is 
created by the creator of the SPDX serialization and populated by the producer.

 

We also found similarities between Max’s proposal and David’s proposal in that 
the namespace information is not created and stored in the model objects 
itself, but rather the information is gathered when deserializing the data.  In 
Max’s proposal, that information is stored in a model object but that object is 
not part of the original serialization.

 

We agreed in the serialization call to not try to name these classes (we used 
the term “X” during the call) since calling something (or not calling 
something) an SPDX Document carries a lot of implications that may or may not 
apply.

 

The plan is to continue the discussion on Tuesday’s tech call.

 

We agreed we will NOT try to name the class during the call.

 

The first decision would be between having the namespace information part of 
the model objects serialized by the producer of the SPDX data (Sean and Gary’s 
approach) or whether we would use the native namespace mapping from the 
serialization format (David and Max’s proposal).

 

Once that’s decided, if there is a model object involved we can flesh out the 
properties and definition / semantics.

 

We’ll decide on the name in the following tech call.

 

Note: I will be hiking Monday through Thursday, so I won’t be online and I 
won’t be available for the meetings – but we should have good representation 
from other participants in the discussions.

 

That’s it for the context – I’m going to add a couple inputs into the 
discussion for consideration below.

 

Gary

 

A couple of inputs into the thread and discussion.

 

*   I’m leaning more towards the David / Max approach since it avoids 
ambiguity and possible inconsistencies between the actual serialization 
namespaces used and the namespaces represented in the model object.  I think it 
is also easier to understand.  I do have a couple questions and potential 
issues with this – I left them as comments in PR #479.

*   I do like having the model class a subclass of Artifact and not a 
subclass of Collection.  This does, however, require that the model object is 
NOT in the original Payload since it would be a recursive definition making it 
very hard to create a checksum.
*   If we go with Max’s proposal, is there any relationship between the 
ExternalMap and the Deserialized artifact?

*   I have the same view as David that this is just related to 
serialization.  It sounds like Sean has some additional use cases to consider, 
but I don’t know what they are and I have not considered the solution 
implications on those use cases.
*   It would be nice, but not necessary, if the solution also supported the 
licensing of copyright data.  The reason these may be related is that the data 
license is placed on a “copy” or artifact – not on the general model – so it is 
almost by definition serialization related (unless I’m misunderstanding 
copyright law – which is quite possible because IANAL).  Reference: DATA 
MANAGEMENT: INTELLECTUAL PROPERTY AND COPYRIGHT 
<https://libguides.library.kent.edu/data-management/copyright#:~:text=Data%20are%20considered%20%22facts%22%20under,work%20and%20ensure%20proper%20attribution.>
 

 

I’ll catch up next week.

 

Gary

 

 

From: Spdx-tech@lists.spdx

[spdx-tech] Tomorrow's serialization meeting

2023-08-02 Thread Gary O'Neall
In looking at my calendar, I just realized our regularly scheduled
serialization meeting this week conflicts with the monthly SPDX general
meeting.

 

I would suggest we skip tomorrow's meeting - there's also a few folks on
vacation this week as well.

 

I'm also open to rescheduling to Friday if there is enough interest.

 

Best,

Gary







Re: [spdx-tech] Drafted profile-level.md (Lite.md)

2023-08-01 Thread Gary O'Neall
Greetings,

Below are just some very brief follow-up items from today's tech call.

Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Norio Kobota
> Sent: Tuesday, August 1, 2023 7:04 AM
> To: spdx-tech@lists.spdx.org
> Cc: japan-sg-s...@lists.openchainproject.org
> Subject: [spdx-tech] Drafted profile-level.md (Lite.md)
> 
> Dear spdx-tech community,
> 
> Thank you for discussing Lite Profile at the previous meeting.
> 
> We drafted profile-level.md. However, we found some issues, so let me
> discuss them.
> https://github.com/OpenChain-Project/OpenChain-
> JWG/blob/master/subgroups/sbom-sg/outcomes/SPDX-
> Lite/Proposal_v3.0/model/Lite/SPDX-Lite.md
> 
> 1. Which class and element should be used to represent a license with or
> without an SPDX short ID?

[G.O.] Need to wait for the relationship PR to be merged -
https://github.com/spdx/spdx-3-model/pull/448 - 
[G.O.] Update - this was merged yesterday - since concluded and declared
licenses are now relationships, we should remove the reference to the
properties.  We should define a restriction that a relationship exists for
the Software Artifact.  I created issue 463 to track
(https://github.com/spdx/spdx-3-model/issues/463). 
[G.O.] Note that AnyLicenseInfo would be the class to use for any type of
possible license expression

>   It seems to reconfigure Licensing classes in issue#399.
> (https://github.com/spdx/spdx-3-model/pull/399)
> 2. Do we need to list external properties restriction at profile-level.md
that
> already have minCount:1 specified?

[G.O.] From the tech call - no

> 3. How should we write CustomLicense information if we want it to be
> required if it exists and not required if it does not exist?

[G.O.] Same answer as 1. Above

> 4. How should we handle the packageFileName in SPDX2.3 when we receive
> an archived file of an OSS package?
>   This topic appears to be discussed in issue#83.
> (https://github.com/spdx/spdx-3-model/issues/83)

[G.O.] Need to wait for #83 to be resolved - Added to the discussion list
for the tech call

> 
> Best regards,
>   -- Kobota
> 
> 
> 
> 








[spdx-tech] Reminder - Software as a Service Profile Meeting Monday 10AM Pacific Time

2023-07-30 Thread Gary O'Neall
Just a reminder we will be having our every other week Software as a Service
profile meeting this Monday at 10AM Pacific time.

 

We will continue our discussion on use cases.


Below are the coordinates:

 

Join Zoom Meeting

https://us02web.zoom.us/j/87627432628?pwd=TmZzYk1UR3JVclJyYXlBREVNR0t4dz09 

Meeting ID: 876 2743 2628 

Passcode: 786764 

One tap mobile   +13092053325,,87627432628#*786764# US
 +13126266799,,87627432628#*786764# US (Chicago)







Re: [spdx-tech] Where would I open a bug for the web validation tool?

2023-07-26 Thread Gary O'Neall
Hi Rose,

 

You can open an issue here: https://github.com/spdx/spdx-online-tools/issues

 

Very curious, BTW, that it only shows up on the online tools since it shares
code with the Java tools.  I wonder if it was recently introduced.

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Rose
Judge via lists.spdx.org
Sent: Wednesday, July 26, 2023 4:18 PM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] Where would I open a bug for the web validation tool?

 

The online web validation seems to have a bug (likely related to
this <https://github.com/spdx/tools-java/issues/74>, this
<https://github.com/spdx/spdx-spec/issues/798>, and this
<https://github.com/spdx/spdx-spec/issues/792>). Where would I open an
issue for this? I don't see this same issue with the java tools validation.

 



 

Thanks,

Rose









[spdx-tech] Request for help on model documentation

2023-07-24 Thread Gary O'Neall
Thanks to Rose, Adolfo and Jeff - we made some progress on documenting the
TODO's.

 

There's still quite a bit to go - so please visit issue 367
<https://github.com/spdx/spdx-3-model/issues/367>  and take one or more of
the outstanding documentation items and help us fill in the remaining
descriptions.


Thanks in advance,

 

Gary







Re: [spdx-tech] Invitation: Review JSON-LD Example - creationinfo @ Fri Jul 21, 2023 8:30am - 9:30am (PDT) (spdx-tech@lists.spdx.org)

2023-07-19 Thread Gary O'Neall
Hi Nisha – no – this is a meeting in addition to our regular serialization 
meeting.


Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Nisha 
Kumar
Sent: Wednesday, July 19, 2023 7:48 AM
To: Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Invitation: Review JSON-LD Example - creationinfo @ 
Fri Jul 21, 2023 8:30am - 9:30am (PDT) (spdx-tech@lists.spdx.org)

 

Hi folks,

Does this meeting replace the serialization meeting tomorrow (Jul 20 2023)?

nisha

On 7/18/23 10:33, Gary O'Neall wrote:

Review JSON-LD Example - creationinfo 






This is a follow-up discussion to our tech call on 18 July 2023.

Specifically, discuss the serialization approach for CreationInfo used in 
https://github.com/spdx/spdx-3-model/pull/414 and identify any issues and 
solutions to those issues.


──

Gary ONeall is inviting you to a scheduled Zoom meeting.

Join Zoom Meeting
https://us02web.zoom.us/j/89816979001?pwd=bEUwazc0UzVtUCsySFQrQnVKQjZjdz09 

Meeting ID: 898 1697 9001
Passcode: 900377


Find your local number: https://us02web.zoom.us/u/keBsJeTxn9 



──




When: Friday Jul 21, 2023 ⋅ 8:30am – 9:30am (Pacific Time - Los Angeles)

Location: https://us02web.zoom.us/j/89816979001?pwd=bEUwazc0UzVtUCsySFQrQnVKQjZjdz09

Guests:
garysourceaudi...@gmail.com - organizer
maximilian.hu...@tngtech.com
sbar...@mitre.org
spdx-tech@lists.spdx.org

 
<https://calendar.google.com/calendar/event?action=VIEW=MTBydnVzMjhkdjdvcTE3ZDRkMDNhZ2o1a3Ugc3BkeC10ZWNoQGxpc3RzLnNwZHgub3Jn=MjcjZ2FyeXNvdXJjZWF1ZGl0b3JAZ21haWwuY29tYjZkNTZiZmE2OTI5ZWVmZDc2ZWE0NGM0Mjg1NGMzNjEzZjcyZjg1ZQ=America%2FLos_Angeles=en=0>
 View all guest info


Invitation from Google Calendar <https://calendar.google.com/calendar/>

You are receiving this email because you are an attendee on the event. To stop
receiving future updates for this event, decline this event.

Forwarding this invitation could allow any recipient to send a response to the
organizer, be added to the guest list, invite others regardless of their own
invitation status, or modify your RSVP. Learn more:
<https://support.google.com/calendar/answer/37135#forwarding>

garysourceaudi...@gmail.com

[spdx-tech] Invitation: Review JSON-LD Example - creationinfo @ Fri Jul 21, 2023 8:30am - 9:30am (PDT) (spdx-tech@lists.spdx.org)

2023-07-18 Thread Gary O'Neall
BEGIN:VCALENDAR
PRODID:-//Google Inc//Google Calendar 70.9054//EN
VERSION:2.0
CALSCALE:GREGORIAN
METHOD:REQUEST
BEGIN:VTIMEZONE
TZID:America/Los_Angeles
X-LIC-LOCATION:America/Los_Angeles
BEGIN:DAYLIGHT
TZOFFSETFROM:-0800
TZOFFSETTO:-0700
TZNAME:PDT
DTSTART:19700308T02
RRULE:FREQ=YEARLY;BYMONTH=3;BYDAY=2SU
END:DAYLIGHT
BEGIN:STANDARD
TZOFFSETFROM:-0700
TZOFFSETTO:-0800
TZNAME:PST
DTSTART:19701101T02
RRULE:FREQ=YEARLY;BYMONTH=11;BYDAY=1SU
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTART;TZID=America/Los_Angeles:20230721T083000
DTEND;TZID=America/Los_Angeles:20230721T093000
DTSTAMP:20230718T173336Z
ORGANIZER;CN=garysourceaudi...@gmail.com:mailto:garysourceaudi...@gmail.com
UID:10rvus28dv7oq17d4d03agj...@google.com
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=ACCEPTED;RSVP=TRUE
 ;CN=garysourceaudi...@gmail.com;X-NUM-GUESTS=0:mailto:garysourceauditor@gma
 il.com
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
 TRUE;CN=maximilian.hu...@tngtech.com;X-NUM-GUESTS=0:mailto:maximilian.huber
 @tngtech.com
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
 TRUE;CN=sbar...@mitre.org;X-NUM-GUESTS=0:mailto:sbar...@mitre.org
ATTENDEE;CUTYPE=INDIVIDUAL;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=
 TRUE;CN=spdx-tech@lists.spdx.org;X-NUM-GUESTS=0:mailto:spdx-t...@lists.spdx
 .org
X-MICROSOFT-CDO-OWNERAPPTID:2093891047
CREATED:20230718T165854Z
DESCRIPTION:This is a follow-up discussion to our tech call on 18 July 2023
 Specifically discuss the serialization approach for CreationInfo us
 ed in https://github.com/spdx/spdx-3-model/pull/414;>https://githu
 b.com/spdx/spdx-3-model/pull/414 and identify any issues and solutions 
 to those issues──────Gary ONeall is inviting you to a sc
 heduled Zoom meeting.Join Zoom Meetinghttps://us02web.zoom.us/j
 /89816979001?pwd=bEUwazc0UzVtUCsySFQrQnVKQjZjdz09Meeting ID: 898 16
 97 9001Passcode: 900377---One tap mobile+1253215878
 2\,\,89816979001#\,\,\,\,*900377# US (Tacoma)+13017158592\,\,8981697900
 1#\,\,\,\,*900377# US (Washington DC)---Dial by your locati
 on• +1 253 215 8782 US (Tacoma)• +1 301 715 8592 US (Washington DC)
 • +1 305 224 1968 US• +1 309 205 3325 US• +1 312 626 6799 US (C
 hicago)• +1 346 248 7799 US (Houston)• +1 360 209 5623 US• +1 3
 86 347 5053 US• +1 507 473 4847 US• +1 564 217 2000 US• +1 646 
 931 3860 US• +1 669 444 9171 US• +1 669 900 6833 US (San Jose)•
  +1 689 278 1000 US• +1 719 359 4580 US• +1 929 205 6099 US (New Yo
 rk)• +1 253 205 0468 USMeeting ID: 898 1697 9001Passcode: 9
 00377Find your local number: https://us02web.zoom.us/u/keBsJeTxn9──
LAST-MODIFIED:20230718T173335Z
LOCATION:https://us02web.zoom.us/j/89816979001?pwd=bEUwazc0UzVtUCsySFQrQnVK
 QjZjdz09
SEQUENCE:0
STATUS:CONFIRMED
SUMMARY:Review JSON-LD Example - creationinfo
TRANSP:OPAQUE
END:VEVENT
END:VCALENDAR


invite.ics
Description: application/ics


Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-11 Thread Gary O'Neall
Kobota-san,

Thank you for the additional information.

I'm adding David to the distribution list as he expressed interest in this 
topic.

Best regards,
Gary

> -Original Message-
> From: Spdx-tech@lists.spdx.org  On Behalf Of Hiro
> Fukuchi
> Sent: Tuesday, July 11, 2023 4:22 PM
> To: norio.kob...@sony.com; Shane Coughlan
> ; garysourceaudi...@gmail.com
> Cc: Kate Stewart ; j-manbe...@ti.com;
> Joshua Marpet ;
> kato.shins...@jp.panasonic.com; masato_e...@mail.toyota.co.jp;
> nis...@vmware.com; pmad...@cox.net; shi1@toshiba.co.jp; Taka
> Ninjouji ; y...@linuxfoundation.org;
> Yoshyuki Ito ; spdx-tech@lists.spdx.org
> Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
> 
> Hi Gary and all,
> 
> As you asked about Japan's trend/status of regulation on SBOM during the
> meeting, I attached an "unofficial translation" of METI's SBOM document (draft).
> METI: the Ministry of Economy, Trade and Industry, Japan.
> 
> --
> Hiro Fukuchi (hiroyuki.fuku...@sony.com) Sony
> 
> > -Original Message-
> > From: Kobota, Norio (SGC) 
> > Sent: Tuesday, July 11, 2023 10:19 AM
> > To: Shane Coughlan ;
> > garysourceaudi...@gmail.com
> > Cc: Kate Stewart ; Fukuchi, Hiroyuki
> > (SGC) ; j-manbe...@ti.com; Joshua Marpet
> > ; Kato Shinsuke (加藤 慎介)
> > ; Endo, Masato/遠藤 雅人
> > ; nis...@vmware.com;
> pmad...@cox.net;
> > shi1@toshiba.co.jp; Taka Ninjouji
> > ;
> > y...@linuxfoundation.org; Yoshyuki Ito ;
> > spdx-tech@lists.spdx.org
> > Subject: RE: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
> >
> > Hi Gary-san and all,
> >
> > Thank you for having the meeting today.
> > I will share my presentation from today here.
> > https://github.com/OpenChain-Project/OpenChain-JWG/blob/master/subgroups/sbom-sg/meetings/spdx-asia-telco/SPDX-Asia-Telco-20230711.pptx
> >
> > Thanks,
> >   -- kobota
> >
> > > -Original Message-
> > > From: Spdx-tech@lists.spdx.org  On Behalf
> > > Of Shane Coughlan
> > > Sent: Wednesday, June 28, 2023 6:23 AM
> > > To: garysourceaudi...@gmail.com
> > > Cc: Kate Stewart ; Fukuchi, Hiroyuki
> > > (SGC) ; j-manbe...@ti.com; Joshua Marpet
> > > ; Kato Shinsuke (加藤 慎介)
> > > ; Endo, Masato/遠藤 雅人
> > > ; nis...@vmware.com; Kobota, Norio
> > > (SGC) ; pmad...@cox.net;
> > > shi1@toshiba.co.jp; Taka Ninjouji
> > > ; y...@linuxfoundation.org;
> > > Yoshyuki Ito ;
> > > spdx-tech@lists.spdx.org
> > > Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
> > >
> > > Hi Gary
> > >
> > > We just recently moved the OpenChain Monthly Community Call to 08:00
> > > Pacific to avoid conflict with your 09:00 call. Flagging as we have
> > > a repeat on the first Tuesday of each month, and I would like to
> > > avoid an additional
> > conflict.
> > >
> > > However, that is still 00:00 in Japan, and 01:00 when you move to winter
> time.
> > > 23:00 in China, 00:00 during your winter. It will be very
> > > challenging for people in Asia to attend.
> > >
> > > Regards
> > >
> > > Shane
> > >
> > > > On Jun 28, 2023, at 3:59, garysourceaudi...@gmail.com wrote:
> > > >
> > > >   Greetings Asia SPDX meeting attendees.
> > > > In today's SPDX Tech regular Tuesday call, we agreed to hold one
> > > > of our
> > > meetings an hour earlier to make it easier for the SPDX Asia team to
> > > join, although I do realize it is still quite late for Asia. Let me
> > > know if Tuesday July 11th at 8 AM Pacific time would work for a
> > > joint call. We could also meet at a later Tuesday if the 11th doesn't 
> > > work.
> > > > Thanks,
> > > > Gary
> > > > Asia SPDX Meeting
> > > > Monday Jul 10, 2023 ⋅ 5pm – 6pm (Pacific Time - Los Angeles)
> > > >
> > > > Agenda:
> > > > - SPDX-Lite
> > > > - other profiles?
> > > > Join Zoom Meeting
> > > >
> > > https://zoom.us/j/199624001
> > > > One tap mobile
> > > > +16465588656,,199624001# US (New York)
> > > > +16699006833,,199624001# US (San Jose)
> > > > Dial by your location
> > > > +1 646 558 8656 US (New York)
> > > > +1 669 900 6833 US (Sa

Re: [spdx-tech] Question on difference in License Text HTML vs. JSON of Python Software Foundation License 2.0 (PSF-2.0)

2023-07-10 Thread Gary O'Neall
Hi David,

 

This may be better for the legal team as they maintain the source repository
for the license list.  However, I can answer your question since I maintain
the tools that produce the JSON data (and I'm on both lists).  Sorry I
didn't reply sooner - I was traveling when your original email was sent.

 

I'll add the legal team to the dist. list as well.

 

When comparing the licenseText and the licenseTextHtml I found a content
difference beyond formatting/editorial remarks, the screenshot below shows
it. Could it be that the HTML-text and the other text are not in sync? I
assume the licenseText is considered as the original/main, and the HTML
manually augmented with manual formatting and remarks.

 

It is entirely possible that the licenseText and licenseTextHtml are out of
sync.  However, we do verify that the text matches per the license matching
guidelines <https://spdx.github.io/spdx-spec/v2.3/license-matching-guidelines-and-templates/>
before publishing.

 

More detail:

 

The licenseText is intended to be the original text including any text
formatting.  The source of the licenseText is the text file in the
test/simpleTestForGenerator/ directory.

 

The licenseTextHtml is generated from the XML file.  Since the license XML
file is generated from a number of different sources and tools, it is
entirely possible that there will be some inconsistencies.  However, in most
cases the submitter of the license XML copy/pastes much of the information
from the licenseText reducing the probability of any inconsistencies.

 

The above is documented in the Accepted License Process
<https://github.com/spdx/license-list-XML/blob/main/DOCS/request-new-license.md#accepted-license-process>.

 

When a new license is submitted and before any data is published, an
automated check is made to make sure the licenseText and the text associated
with the licenseTextHtml match per the license matching guidelines.

 

If you find a situation where a published licenseText doesn't match the
corresponding licenseTextHtml per the license matching guidelines, there
would either be an issue with the  or a bug in the publishing tool.  In that
case, I would suggest submitting a new issue in the license list XML
repository <https://github.com/spdx/license-list-XML/issues> .

 

Hope that helps.

 

Best regards,
Gary

 

 

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
david.schumm via lists.spdx.org
Sent: Sunday, July 9, 2023 10:58 PM
To: spdx-tech@lists.spdx.org
Cc: christian.w...@mercedes-benz.com; ciaran.farr...@mercedes-benz.com
Subject: Re: [spdx-tech] Question on difference in License Text HTML vs.
JSON of Python Software Foundation License 2.0 (PSF-2.0)

 

Dear SPDX Technical Team,

 

I wanted to ask if you already had time to look into the issue mentioned
below and, if the SPDX Technical Team is the right addressee, or if I should
better get in contact with the SPDX Legal Team.

 

Many thanks,

David Schumm

 

 

From: Schumm, David (096)
Sent: Wednesday, 28 June 2023 11:31
To: 'spdx-tech@lists.spdx.org' <spdx-tech@lists.spdx.org>
Cc: Wege, Christian (096) <christian.w...@mercedes-benz.com>; Farrell, Ciaran (096) <ciaran.farr...@mercedes-benz.com>
Subject: Question on difference in License Text HTML vs. JSON of Python
Software Foundation License 2.0 (PSF-2.0)

 

Dear SPDX Technical Team,

 

I have a question on the license data provided in JSON ("licenseText")
compared to the one provided in HTML ("licenseTextHtml"). I was not sure if
this is a question for the SPDX Technical Team or for the SPDX Legal Team.

 

The question refers to the license text for the "Python Software Foundation
License 2.0 (PSF-2.0)".

*   HTML Display of Python Software Foundation License 2.0 (PSF-2.0):
https://spdx.org/licenses/PSF-2.0.html
*   JSON Source of Python Software Foundation License 2.0 (PSF-2.0) "licenseText":
https://raw.githubusercontent.com/spdx/license-list-data/master/json/details/PSF-2.0.json (or https://spdx.org/licenses/PSF-2.0.json)

 

When comparing the licenseText and the licenseTextHtml I found a content
difference beyond formatting/editorial remarks, the screenshot below shows
it. Could it be that the HTML-text and the other text are not in sync? I
assume the licenseText is considered as the original/main, and the HTML
manually augmented with manual formatting and remarks.

 

The differences between licenseText and licenseTextHtml:

 



 

Thanks for looking into this,

 

and best regards,   

David Schumm

 

 

ITT/FA - FOSS Governance

mailto: david.sch...@mercedes-benz.com

mobile: +49 160 866 0365

 

 

 



If you are not the addressee, please inform us immediately that you have
received this e-mail by mistake, and delete it. We thank you for your
support.





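A simplified version of the licenseText vs. licenseTextHtml consistency check Gary describes, added here as an illustration (it is not the SPDX tooling's own code): it strips the HTML back to text, applies a subset of the license matching guidelines (whitespace, capitalisation, bullet and numbering markers, quote and dash variants, the copyright symbol and a few equivalent spellings), and reports any word-level difference that survives. The license text and HTML below are constructed samples, not PSF-2.0.

```python
"""Compare an SPDX-style licenseText with the text recovered from licenseTextHtml.

Added illustration for this thread, not the SPDX tooling's own code. Only a
subset of the SPDX license matching guidelines is implemented; anything that
survives the normalisation is reported as a real drift between the plain-text
source and the XML-derived HTML.
"""
import difflib
import re
from html.parser import HTMLParser

# Block-level tags become line breaks so list markers land at line starts.
_BLOCK_TAGS = {"p", "div", "li", "ul", "ol", "br", "h1", "h2", "h3", "pre"}


class _TextExtractor(HTMLParser):
    """Collect text nodes; character entities are decoded by HTMLParser itself."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in _BLOCK_TAGS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in _BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(markup: str) -> str:
    """Strip licenseTextHtml markup, keeping only the visible text."""
    parser = _TextExtractor()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts)


# Subset of the guidelines' punctuation and word equivalences.
_EQUIV_CHARS = {
    "\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"',
    "\u2010": "-", "\u2011": "-", "\u2013": "-", "\u2014": "-",
    "\u00a9": "(c)",
}
_EQUIV_WORDS = {"licence": "license", "licencee": "licensee",
                "analogue": "analog", "sub-license": "sublicense"}
# Bullets ("-", "*", "•") and numbering ("1.", "a)", "(ii)") at a line start.
_MARKER_RE = re.compile(r"^[ \t]*(?:[-*\u2022]|\(?[0-9a-z]{1,3}[.)])[ \t]+",
                        re.IGNORECASE | re.MULTILINE)


def normalize(text: str) -> list[str]:
    """Reduce text to the word sequence the matching guidelines compare."""
    for src, dst in _EQUIV_CHARS.items():
        text = text.replace(src, dst)
    text = _MARKER_RE.sub("", text)          # bullets/numbering are ignorable
    words = text.lower().split()             # whitespace and case are ignorable
    return [_EQUIV_WORDS.get(w, w) for w in words]


def compare(license_text: str, license_text_html: str) -> list[str]:
    """Return [] when the two renderings match, otherwise a word-level diff."""
    a = normalize(license_text)
    b = normalize(html_to_text(license_text_html))
    return list(difflib.unified_diff(a, b, "licenseText", "licenseTextHtml",
                                     n=1, lineterm=""))


# Constructed samples: a plain-text source and an HTML rendering of it that
# differs only in markup, line breaks, numbering style, entities and quotes.
LICENSE_TEXT = """\
Example Permissive License 1.0

Copyright (c) 2023 Example Org

Redistribution and use, with or without modification, are permitted provided
that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice.
2. Redistributions in binary form must reproduce the above copyright notice
   in the documentation and/or other materials provided with the distribution.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
"""

LICENSE_TEXT_HTML = """\
<div><p>Example Permissive License 1.0</p></div>
<div><p>Copyright &#169; 2023 Example Org</p></div>
<p>Redistribution and use, with or without modification, are permitted
provided that the following conditions are met:</p>
<ul>
<li>1. Redistributions of source code must retain the above copyright notice.</li>
<li>2. Redistributions in binary form must reproduce the above copyright notice in the documentation and/or other materials provided with the distribution.</li>
</ul>
<p>THE SOFTWARE IS PROVIDED &#8220;AS IS&#8221;, WITHOUT WARRANTY OF ANY KIND.</p>
"""

# A drifted HTML rendering: one word changed, which the check must flag.
DRIFTED_HTML = LICENSE_TEXT_HTML.replace("must retain", "shall retain")

if __name__ == "__main__":
    print("in sync:", compare(LICENSE_TEXT, LICENSE_TEXT_HTML) == [])
    print("\n".join(compare(LICENSE_TEXT, DRIFTED_HTML)))
```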

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-08 Thread Gary O'Neall
I’m glad you checked – I missed the standard time.

 

It is 5PM PDT – 9AM JST.

 

Thanks,
Gary

 

From: norio.kob...@sony.com  
Sent: Saturday, July 8, 2023 8:13 PM
To: Gary O'Neall ; 'Shane Coughlan' 

Cc: garysourceaudi...@gmail.com; 'Kate Stewart' ; 
hiroyuki.fuku...@sony.com; j-manbe...@ti.com; 'Joshua Marpet' 
; kato.shins...@jp.panasonic.com; 
masato_e...@mail.toyota.co.jp; nis...@vmware.com; pmad...@cox.net; 
shi1@toshiba.co.jp; 'Taka Ninjouji' ; 
'Yoshiya Eto' ; 'Yoshyuki Ito' 
; spdx-tech@lists.spdx.org; 
rcr...@linuxfoundation.org
Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Thanks!

 

But please let me confirm once more.

It’s Summertime now. So the meeting will be on July 10th at 5PM PST (10AM JST) 
or PDT (9AM JST)?

 

Best,

 — kobota

 

From: Gary O'Neall <g...@sourceauditor.com>
Sent: Sunday, July 9, 2023 10:37:43 AM
To: Kobota, Norio (SGC) <norio.kob...@sony.com>; 'Shane Coughlan' <scough...@linuxfoundation.org>
CC: garysourceaudi...@gmail.com; 'Kate Stewart' <kstew...@linuxfoundation.org>; Fukuchi, Hiroyuki (SGC) <hiroyuki.fuku...@sony.com>; j-manbe...@ti.com; 'Joshua Marpet' <joshua.mar...@guardedrisk.com>; Kato Shinsuke (加藤 慎介) <kato.shins...@jp.panasonic.com>; Endo, Masato/遠藤 雅人 <masato_e...@mail.toyota.co.jp>; nis...@vmware.com; pmad...@cox.net; shi1@toshiba.co.jp; 'Taka Ninjouji' <takashi1.ninjo...@toshiba.co.jp>; 'Yoshiya Eto' <y...@linuxfoundation.org>; 'Yoshyuki Ito' <yoshiyuki.ito...@renesas.com>; spdx-tech@lists.spdx.org; rcr...@linuxfoundation.org
Subject: RE: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Hi Kobota-san,

 

Yes – the next meeting will be on July 10th at 5PM PST.

 

Best,

Gary

 

From: norio.kob...@sony.com <norio.kob...@sony.com>
Sent: Saturday, July 8, 2023 3:36 PM
To: Shane Coughlan <scough...@linuxfoundation.org>; Gary O'Neall <g...@sourceauditor.com>
Cc: garysourceaudi...@gmail.com; Kate Stewart <kstew...@linuxfoundation.org>; hiroyuki.fuku...@sony.com; j-manbe...@ti.com; Joshua Marpet <joshua.mar...@guardedrisk.com>; kato.shins...@jp.panasonic.com; masato_e...@mail.toyota.co.jp; nis...@vmware.com; pmad...@cox.net; shi1@toshiba.co.jp; Taka Ninjouji <takashi1.ninjo...@toshiba.co.jp>; Yoshiya Eto <y...@linuxfoundation.org>; Yoshyuki Ito <yoshiyuki.ito...@renesas.com>; spdx-tech@lists.spdx.org; rcr...@linuxfoundation.org
Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Hi Gary and Shane,

 

Thank you for arranging the SPDX Asia call.

I’d like to confirm.

Will the next meeting be held on July 10th at 5PM PST?

We’d like to discuss the Lite profile.

 

Best,

 — kobota

From: Shane Coughlan <scough...@linuxfoundation.org>
Sent: Friday, July 7, 2023 1:24:56 PM
To: Gary O'Neall <g...@sourceauditor.com>
CC: Kobota, Norio (SGC) <norio.kob...@sony.com>; garysourceaudi...@gmail.com; Kate Stewart <kstew...@linuxfoundation.org>; Fukuchi, Hiroyuki (SGC) <hiroyuki.fuku...@sony.com>; j-manbe...@ti.com; Joshua Marpet <joshua.mar...@guardedrisk.com>; Kato Shinsuke (加藤 慎介) <kato.shins...@jp.panasonic.com>; Endo, Masato/遠藤 雅人 <masato_e...@mail.toyota.co.jp>; nis...@vmware.com; pmad...@cox.net; shi1@toshiba.co.jp; Taka Ninjouji <takashi1.ni

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-08 Thread Gary O'Neall
Hi Kobota-san,

 

Yes – the next meeting will be on July 10th at 5PM PST.

 

Best,

Gary

 

From: norio.kob...@sony.com  
Sent: Saturday, July 8, 2023 3:36 PM
To: Shane Coughlan ; Gary O'Neall 

Cc: garysourceaudi...@gmail.com; Kate Stewart ; 
hiroyuki.fuku...@sony.com; j-manbe...@ti.com; Joshua Marpet 
; kato.shins...@jp.panasonic.com; 
masato_e...@mail.toyota.co.jp; nis...@vmware.com; pmad...@cox.net; 
shi1@toshiba.co.jp; Taka Ninjouji ; 
Yoshiya Eto ; Yoshyuki Ito 
; spdx-tech@lists.spdx.org; 
rcr...@linuxfoundation.org
Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Hi Gary and Shane,

 

Thank you for arranging the SPDX Asia call.

I’d like to confirm.

Will the next meeting be held on July 10th at 5PM PST?

We’d like to discuss the Lite profile.

 

Best,

 — kobota

From: Shane Coughlan <scough...@linuxfoundation.org>
Sent: Friday, July 7, 2023 1:24:56 PM
To: Gary O'Neall <g...@sourceauditor.com>
CC: Kobota, Norio (SGC) <norio.kob...@sony.com>; garysourceaudi...@gmail.com; Kate Stewart <kstew...@linuxfoundation.org>; Fukuchi, Hiroyuki (SGC) <hiroyuki.fuku...@sony.com>; j-manbe...@ti.com; Joshua Marpet <joshua.mar...@guardedrisk.com>; Kato Shinsuke (加藤 慎介) <kato.shins...@jp.panasonic.com>; Endo, Masato/遠藤 雅人 <masato_e...@mail.toyota.co.jp>; nis...@vmware.com; pmad...@cox.net; shi1@toshiba.co.jp; Taka Ninjouji <takashi1.ninjo...@toshiba.co.jp>; Yoshiya Eto <y...@linuxfoundation.org>; Yoshyuki Ito <yoshiyuki.ito...@renesas.com>; spdx-tech@lists.spdx.org; rcr...@linuxfoundation.org
Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

OK, thanks Gary. If there are any future overlaps, please let me know, and I’m 
always open to rescheduling or similar.

> On Jul 7, 2023, at 12:20, Gary O'Neall <g...@sourceauditor.com> wrote:
> 
> Hi Shane,
> 
> Thanks for the offer to move the meeting.  I think we should keep the meeting 
> as is and we'll reschedule the joint SPDX tech call.  That will give us a bit 
> more time to setup the tech call and confirm the logistics.
> 
> Best,
> Gary
> 
>> -Original Message-
>> From: Shane Coughlan <scough...@linuxfoundation.org>
>> Sent: Thursday, July 6, 2023 4:38 PM
>> To: Gary O'Neall <g...@sourceauditor.com>
>> Cc: Norio Kobota <norio.kob...@sony.com>; garysourceaudi...@gmail.com; Kate Stewart <kstew...@linuxfoundation.org>; Hiroyuki Fukuchi <hiroyuki.fuku...@sony.com>; j-manbe...@ti.com; Joshua Marpet <joshua.mar...@guardedrisk.com>; Shinsuke Kato <kato.shins...@jp.panasonic.com>; Masato Endo <masato_e...@mail.toyota.co.jp>; nis...@vmware.com; pmad...@cox.net; shi1@toshiba.co.jp; Taka Ninjouji <takashi1.ninjo...@toshiba.co.jp>; Yoshiya Eto <y...@linuxfoundation.org>; Yoshyuki Ito <yoshiyuki.ito...@renesas.com>; spdx-tech@lists.spdx.org; rcr...@linuxfoundation.org
>> Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
>> 
>> Gary, I can move the OpenChain meeting by one week. Would that work for
>> you?
>> 
>>> On Jul 7, 2023, at 3:38, Gary O'Neall <g...@sourceauditor.com> wrote:
>>> 
>>> Greetings all –  It looks like the OpenChain Monthly Community Call for US
>> and Europe was rescheduled on top of the proposed meeting for the SPDX
>> Tech joint US/Europe/Asia call.
>>> We have our regularly scheduled monthly SPDX Asia call on July 10th at
>> 5PM PST – let’s add an agenda topic to see what dates and times would work
>> for a joint US/Europe/Asia call.  We can then follow-up on the SPDX Tech 

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-06 Thread Gary O'Neall
Hi Shane,

Thanks for the offer to move the meeting.  I think we should keep the meeting 
as is and we'll reschedule the joint SPDX tech call.  That will give us a bit 
more time to setup the tech call and confirm the logistics.

Best,
Gary

> -Original Message-
> From: Shane Coughlan 
> Sent: Thursday, July 6, 2023 4:38 PM
> To: Gary O'Neall 
> Cc: Norio Kobota ; garysourceaudi...@gmail.com;
> Kate Stewart ; Hiroyuki Fukuchi
> ; j-manbe...@ti.com; Joshua Marpet
> ; Shinsuke Kato
> ; Masato Endo
> ; nis...@vmware.com;
> pmad...@cox.net; shi1@toshiba.co.jp; Taka Ninjouji
> ; Yoshiya Eto ;
> Yoshyuki Ito ; spdx-tech@lists.spdx.org;
> rcr...@linuxfoundation.org
> Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
> 
> Gary, I can move the OpenChain meeting by one week. Would that work for
> you?
> 
> > On Jul 7, 2023, at 3:38, Gary O'Neall  wrote:
> >
> > Greetings all –  It looks like the OpenChain Monthly Community Call for US
> and Europe was rescheduled on top of the proposed meeting for the SPDX
> Tech joint US/Europe/Asia call.
> >  We have our regularly scheduled monthly SPDX Asia call on July 10th at
> 5PM PST – let’s add an agenda topic to see what dates and times would work
> for a joint US/Europe/Asia call.  We can then follow-up on the SPDX Tech call
> on Tuesday to propose a new time.
> >  Thanks,
> > Gary
> >  From: Gary O'Neall 
> > Sent: Sunday, July 2, 2023 11:08 AM
> > To: 'Norio Kobota' ;
> > 'garysourceaudi...@gmail.com' ; 'Kate
> > Stewart' ; 'hiroyuki.fuku...@sony.com'
> > ; 'j-manbe...@ti.com'  manbe...@ti.com>;
> > 'Joshua Marpet' ;
> > 'kato.shins...@jp.panasonic.com' ;
> > 'masato_e...@mail.toyota.co.jp' ;
> > 'nis...@vmware.com' ; 'pmad...@cox.net'
> > ; 'scough...@linuxfoundation.org'
> > ; 'shi1@toshiba.co.jp'
> > ; 'takashi1.ninjo...@toshiba.co.jp'
> > ; 'y...@linuxfoundation.org'
> > ; 'yoshiyuki.ito...@renesas.com'
> > ; 'spdx-tech@lists.spdx.org'
> > 
> > Subject: RE: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
> >
> > Hi Kobota-san,
> >
> > The proposal would be to add an additional meeting.  We would still meet on
> > July 10th at 5PM PST and have an additional meeting July 11th at 8AM PST to
> > include Europe in the discussion.
> >
> > I realize the July 11th time is very inconvenient.  I did check with some of
> > the European contributors to see if we could move it earlier, but unfortunately
> > we would lose some of the key contributors to the discussion.
> >
> > We could, however, choose a different day with an earlier time.
> >
> > Thanks,
> > Gary
> >  From: Spdx-tech@lists.spdx.org  On Behalf
> > Of Norio Kobota
> > Sent: Wednesday, June 28, 2023 9:20 PM
> > To: garysourceaudi...@gmail.com; Kate Stewart
> > ; hiroyuki.fuku...@sony.com;
> > j-manbe...@ti.com; Joshua Marpet ;
> > kato.shins...@jp.panasonic.com; masato_e...@mail.toyota.co.jp;
> > nis...@vmware.com; pmad...@cox.net; scough...@linuxfoundation.org;
> > shi1@toshiba.co.jp; takashi1.ninjo...@toshiba.co.jp;
> > y...@linuxfoundation.org; yoshiyuki.ito...@renesas.com;
> > spdx-tech@lists.spdx.org
> > Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting
> >
> > Hello SPDX Community,
> >
> > Thank you very much for changing it to a very early morning for people in the
> > US area.
> > But let me reconfirm the date and time.
> > Which is correct date and time, 7/11 8AM- or 7/10 5PM- PST?
> > Your text says July 11th 8AM PST while the schedule says July 10th 5PM.
> >
> > Anyway I will share the date and time with Japan members. And at least, I
> > will participate in the meeting.
> >
> > Best,
> > -- kobota
> >  From: Google Calendar  On Behalf Of
> > garysourceaudi...@gmail.com
> > Sent: Wednesday, June 28, 2023 4:00 AM
> > To: Kate Stewart ; Fukuchi, Hiroyuki
> > (SGC) ; j-manbe...@ti.com; Joshua Marpet
> > ; Kato Shinsuke (加藤 慎介)
> > ; Endo, Masato/遠藤 雅人
> > ; nis...@vmware.com; Kobota, Norio
> > (SGC) ; pmad...@cox.net;
> > scough...@linuxfoundation.org; shi1@toshiba.co.jp;
> > takashi1.ninjo...@toshiba.co.jp; y...@linuxfoundation.org;
> > yoshiyuki.ito...@renesas.com; spdx-tech@lists.spdx.org;
> > garysourceaudi...@gmail.com
> > Subject: Asia / Europe / U.S. SPDX Tech meeting
> >
> > Asia SPDX Meeting
> >
> > Greetings Asia SPDX meeting attendees.
> > In today's SPDX Tech regular Tuesday call, we agreed to hold one of our
> > meetings an hour earlier to make it easier for the SPDX Asia team to join,
> > although I do realize it is still quite late for Asia. Let me know if Tuesday
> > July
> > 11th at 8 AM Pa

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-06 Thread Gary O'Neall
Greetings all – 

 

It looks like the OpenChain Monthly Community Call for US and Europe was 
rescheduled on top of the proposed meeting for the SPDX Tech joint 
US/Europe/Asia call.

 

We have our regularly scheduled monthly SPDX Asia call on July 10th at 5PM PST 
– let’s add an agenda topic to see what dates and times would work for a joint 
US/Europe/Asia call.  We can then follow-up on the SPDX Tech call on Tuesday to 
propose a new time.

 

Thanks,

Gary

 

From: Gary O'Neall  
Sent: Sunday, July 2, 2023 11:08 AM
To: 'Norio Kobota' ; 'garysourceaudi...@gmail.com' 
; 'Kate Stewart' ; 
'hiroyuki.fuku...@sony.com' ; 'j-manbe...@ti.com' 
; 'Joshua Marpet' ; 
'kato.shins...@jp.panasonic.com' ; 
'masato_e...@mail.toyota.co.jp' ; 
'nis...@vmware.com' ; 'pmad...@cox.net' ; 
'scough...@linuxfoundation.org' ; 
'shi1@toshiba.co.jp' ; 
'takashi1.ninjo...@toshiba.co.jp' ; 
'y...@linuxfoundation.org' ; 
'yoshiyuki.ito...@renesas.com' ; 
'spdx-tech@lists.spdx.org' 
Subject: RE: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Hi Kobota-san,

 

The proposal would be to add an additional meeting.  We would still meet on 
July 10th at 5PM PST and have an additional meeting July 11th at 8AM PST to 
include Europe in the discussion.

 

I realize the July 11th time is very inconvenient.  I did check with some of 
the European contributors to see if we could move it earlier, but unfortunately 
we would lose some of the key contributors to the discussion.

 

We could, however, choose a different day with an earlier time.

 

Thanks,
Gary

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Norio Kobota
Sent: Wednesday, June 28, 2023 9:20 PM
To: garysourceaudi...@gmail.com; Kate Stewart <kstew...@linuxfoundation.org>; hiroyuki.fuku...@sony.com; j-manbe...@ti.com; Joshua Marpet <joshua.mar...@guardedrisk.com>; kato.shins...@jp.panasonic.com; masato_e...@mail.toyota.co.jp; nis...@vmware.com; pmad...@cox.net; scough...@linuxfoundation.org; shi1@toshiba.co.jp; takashi1.ninjo...@toshiba.co.jp; y...@linuxfoundation.org; yoshiyuki.ito...@renesas.com; spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Hello SPDX Community,

 

Thank you very much for changing it to a very early morning for people in the 
US area.

But let me reconfirm the date and time.

Which is correct date and time, 7/11 8AM- or 7/10 5PM- PST?

Your text says July 11th 8AM PST while the schedule says July 10th 5PM.

 

Anyway I will share the date and time with Japan members. And at least, I will 
participate in the meeting.

 

Best,

-- kobota

 

From: Google Calendar <calendar-notificat...@google.com> On Behalf Of garysourceaudi...@gmail.com
Sent: Wednesday, June 28, 2023 4:00 AM
To: Kate Stewart <kstew...@linuxfoundation.org>; Fukuchi, Hiroyuki (SGC) <hiroyuki.fuku...@sony.com>; j-manbe...@ti.com; Joshua Marpet <joshua.mar...@guardedrisk.com>; Kato Shinsuke (加藤 慎介) <kato.shins...@jp.panasonic.com>; Endo, Masato/遠藤 雅人 <masato_e...@mail.toyota.co.jp>; nis...@vmware.com; Kobota, Norio (SGC) <norio.kob...@sony.com>; pmad...@cox.net; scough...@linuxfoundation.org; shi1@toshiba.co.jp; takashi1.ninjo...@toshiba.co.jp; y...@linuxfoundation.org; yoshiyuki.ito...@renesas.com; spdx-tech@lists.spdx.org; garysourceaudi...@gmail.com
Subject: Asia / Europe / U.S. SPDX Tech meeting

 

Asia SPDX Meeting

Greetings Asia SPDX meeting attendees.

In today's SPDX Tech regular Tuesday call, we agreed to hold one of our 
meetings an hour earlier to make it easier for the SPDX Asia team to join, 
although I do realize it is still quite late for Asia. Let me know if Tuesday 
July 11th at 8 AM Pacific time would work for a joint call. We could also meet 
at a later Tuesday if the 11th doesn't work.

Thanks,

[spdx-tech] New release of the SPDX online tools

2023-07-02 Thread Gary O'Neall
I just finished upgrading the software and hardware for the SPDX online
tools.

 

For a list of changes, see the release notes at
https://github.com/spdx/spdx-online-tools/releases/tag/v1.2.1

 

The compute server and database server have been upgraded to meet the demands
of increased usage - and hopefully avoids further outages.

 

There is enough change that we likely introduced some new issues - so if you
see any problems, please open an issue at
https://github.com/spdx/spdx-online-tools/issues/new/choose

 

I would like to thank Banula and Vedant for their contributions to the
release as well as Rohit for his continuing support of the project and
Jilayne for providing guidance and support to the developers.

 

Best regards,

Gary



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5212): https://lists.spdx.org/g/Spdx-tech/message/5212
Mute This Topic: https://lists.spdx.org/mt/99921987/21656
Group Owner: spdx-tech+ow...@lists.spdx.org
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-




Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-02 Thread Gary O'Neall
Hi Kobota-san,

 

The proposal would be to add an additional meeting.  We would still meet on 
July 10th at 5PM PST and have an additional meeting July 11th at 8AM PST to 
include Europe in the discussion.

 

I realize the July 11th time is very inconvenient.  I did check with some of 
the European contributors to see if we could move it earlier, but unfortunately 
we would lose some of the key contributors to the discussion.

 

We could, however, choose a different day with an earlier time.

 

Thanks,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Norio 
Kobota
Sent: Wednesday, June 28, 2023 9:20 PM
To: garysourceaudi...@gmail.com; Kate Stewart ; 
hiroyuki.fuku...@sony.com; j-manbe...@ti.com; Joshua Marpet 
; kato.shins...@jp.panasonic.com; 
masato_e...@mail.toyota.co.jp; nis...@vmware.com; pmad...@cox.net; 
scough...@linuxfoundation.org; shi1@toshiba.co.jp; 
takashi1.ninjo...@toshiba.co.jp; y...@linuxfoundation.org; 
yoshiyuki.ito...@renesas.com; spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

 

Hello SPDX Community,

 

Thank you very much for changing it to a very early morning for people in the 
US area.

But let me reconfirm the date and time.

Which is the correct date and time, 7/11 8AM or 7/10 5PM PST?

Your text says July 11th 8AM PST while the schedule says July 10th 5PM.

 

Anyway, I will share the date and time with Japan members. And at least, I will 
participate in the meeting.

 

Best,

-- kobota

 

From: Google Calendar <calendar-notificat...@google.com> On Behalf Of 
garysourceaudi...@gmail.com
Sent: Wednesday, June 28, 2023 4:00 AM
To: Kate Stewart <kstew...@linuxfoundation.org>; Fukuchi, Hiroyuki (SGC) 
<hiroyuki.fuku...@sony.com>; j-manbe...@ti.com; Joshua Marpet 
<joshua.mar...@guardedrisk.com>; Kato Shinsuke (加藤 慎介) 
<kato.shins...@jp.panasonic.com>; Endo, Masato/遠藤 雅人 
<masato_e...@mail.toyota.co.jp>; nis...@vmware.com; Kobota, Norio (SGC) 
<norio.kob...@sony.com>; pmad...@cox.net; scough...@linuxfoundation.org; 
shi1@toshiba.co.jp; takashi1.ninjo...@toshiba.co.jp; y...@linuxfoundation.org; 
yoshiyuki.ito...@renesas.com; spdx-tech@lists.spdx.org; garysourceaudi...@gmail.com
Subject: Asia / Europe / U.S. SPDX Tech meeting

 

Asia SPDX Meeting

Greetings Asia SPDX meeting attendees.

In today's SPDX Tech regular Tuesday call, we agreed to hold one of our 
meetings an hour earlier to make it easier for the SPDX Asia team to join, 
although I do realize it is still quite late for Asia. Let me know if Tuesday 
July 11th at 8 AM Pacific time would work for a joint call. We could also meet 
at a later Tuesday if the 11th doesn't work.

Thanks,
Gary

 






Re: [spdx-tech] Software as a Service Profile Meeting postponed

2023-06-29 Thread Gary O'Neall
OK - One more update - some of our regular attendees have conflicts if we
moved this to the 10th rather than the 17th - so we'll resume our calls on
the 17th at our regularly scheduled time - then every 2 weeks after (not
necessarily the 1st and 3rd Mondays of the month - it will just be every 2
weeks).  Sorry about all the schedule confusion.  I'll send out a reminder
from the calendar as well.

 

Thanks for your patience,


Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Gary
O'Neall
Sent: Tuesday, June 27, 2023 12:51 PM
To: 'SPDX Technical Mailing List' 
Subject: Re: [spdx-tech] Software as a Service Profile Meeting postponed

 

I've gotten feedback that the meeting scheduling has gotten rather confused
for the Software as a Service profile meeting.  I've tried to schedule them
the 1st and 3rd Monday, but apparently calendaring systems don't do well
with this frequency.

 

I would propose we start back up on Monday July the 10th at 10:00 AM Pacific
time and repeat every 2 weeks (not necessarily the 1st and 3rd Monday).

 

Please let me know if this causes any scheduling issues.

 

If no one has any concerns with this, I'll cancel the current series of
meetings and reschedule.

 

Thanks for your patience,

 

Gary

 

From: Gary O'Neall <g...@sourceauditor.com>
Sent: Saturday, June 17, 2023 6:19 AM
To: 'SPDX Technical Mailing List' <spdx-tech@lists.spdx.org>
Subject: Software as a Service Profile Meeting postponed

 

Due to many of us being on holiday this upcoming Monday and the next meeting
falls on another long weekend - July 3rd, we'll skip the next 2 regularly
scheduled calls.  Let me know if you'd like to schedule a call the week of
July 10th or if we should just pick things back up on the next regularly
scheduled call on Monday July 17th.  

 

Best regards,

Gary





View/Reply Online (#5209): https://lists.spdx.org/g/Spdx-tech/message/5209




Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-06-27 Thread Gary O'Neall
Thanks Shane - for the reminder on the conflicts.

This would be a one-time meeting, so it may not conflict with the OpenChain 
community call.

That being said, it is very late for Japan.

We could try for 07:00 Pacific time.

All - let me know if the earlier time causes a problem.

Thanks,
Gary


> -Original Message-
> From: Shane Coughlan 
> Sent: Tuesday, June 27, 2023 2:23 PM
> To: garysourceaudi...@gmail.com
> Cc: Kate Stewart ; Hiroyuki Fukuchi
> ; j-manbe...@ti.com; Joshua Marpet
> ; Shinsuke Kato
> ; Masato Endo
> ; nis...@vmware.com;
> norio.kob...@sony.com; pmad...@cox.net; shi1@toshiba.co.jp; Taka
> Ninjouji ; y...@linuxfoundation.org;
> Yoshyuki Ito ; spdx-tech@lists.spdx.org
> Subject: Re: Asia / Europe / U.S. SPDX Tech meeting
> 
> Hi Gary
> 
> We just recently moved the OpenChain Monthly Community Call to 08:00
> Pacific to avoid conflict with your 09:00 call. Flagging as we have a repeat 
> on
> the first Tuesday of each month, and I would like to avoid an additional
> conflict.
> 
> However, that is still 00:00 in Japan, and 01:00 when you move to winter
> time. 23:00 in China, 00:00 during your winter. It will be very challenging 
> for
> people in Asia to attend.
> 
> Regards
> 
> Shane
> 
> > On Jun 28, 2023, at 3:59, garysourceaudi...@gmail.com wrote:
> >
> >   Greetings Asia SPDX meeting attendees.
> > In today's SPDX Tech regular Tuesday call, we agreed to hold one of our
> meetings an hour earlier to make it easier for the SPDX Asia team to join,
> although I do realize it is still quite late for Asia. Let me know if Tuesday 
> July
> 11th at 8 AM Pacific time would work for a joint call. We could also meet at a
> later Tuesday if the 11th doesn't work.
> > Thanks,
> > Gary




View/Reply Online (#5207): https://lists.spdx.org/g/Spdx-tech/message/5207




Re: [spdx-tech] Software as a Service Profile Meeting postponed

2023-06-27 Thread Gary O'Neall
I've gotten feedback that the meeting scheduling has gotten rather confused
for the Software as a Service profile meeting.  I've tried to schedule them
the 1st and 3rd Monday, but apparently calendaring systems don't do well
with this frequency.

 

I would propose we start back up on Monday July the 10th at 10:00 AM Pacific
time and repeat every 2 weeks (not necessarily the 1st and 3rd Monday).

 

Please let me know if this causes any scheduling issues.

 

If no one has any concerns with this, I'll cancel the current series of
meetings and reschedule.

 

Thanks for your patience,

 

Gary

 

From: Gary O'Neall  
Sent: Saturday, June 17, 2023 6:19 AM
To: 'SPDX Technical Mailing List' 
Subject: Software as a Service Profile Meeting postponed

 

Due to many of us being on holiday this upcoming Monday and the next meeting
falls on another long weekend - July 3rd, we'll skip the next 2 regularly
scheduled calls.  Let me know if you'd like to schedule a call the week of
July 10th or if we should just pick things back up on the next regularly
scheduled call on Monday July 17th.  

 

Best regards,

Gary



View/Reply Online (#5206): https://lists.spdx.org/g/Spdx-tech/message/5206




[spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-06-27 Thread Gary O'Neall
Greetings Asia SPDX meeting attendees. In today's SPDX Tech regular 
Tuesday call, we agreed to hold one of our meetings an hour earlier to make 
it easier for the SPDX Asia team to join, although I do realize it is still 
quite late for Asia. Let me know if Tuesday July 11th at 8 AM Pacific time 
would work for a joint call. We could also meet at a later Tuesday if the 
11th doesn't work. Thanks, Gary


Asia SPDX Meeting
Monday Jul 10, 2023 ⋅ 5pm – 6pm
Pacific Time - Los Angeles




Agenda:
- SPDX-Lite
- other profiles?

Join Zoom Meeting
https://zoom.us/j/199624001

One tap mobile
+16465588656,,199624001# US (New York)
+16699006833,,199624001# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 199 624 001
Find your local number: https://zoom.us/u/ac9KKJWzJT


──

Organizer
Kate Stewart
kstew...@linuxfoundation.org

Guests
scough...@linuxfoundation.org
garysourceaudi...@gmail.com
norio.kob...@sony.com
hiroyuki.fuku...@sony.com
kato.shins...@jp.panasonic.com
j-manbe...@ti.com
pmad...@cox.net
nis...@vmware.com
Joshua Marpet
takashi1.ninjo...@toshiba.co.jp
y...@linuxfoundation.org
MASATO ENDO
yoshiyuki.ito...@renesas.com
shi1@toshiba.co.jp




View/Reply Online (#5205): https://lists.spdx.org/g/Spdx-tech/message/5205




[spdx-tech] SPDX Tech Meeting Today

2023-06-27 Thread Gary O'Neall
For today's call, I'd like to complete the discussion we started a while back on
compacting creation information - issue #306
<https://github.com/spdx/spdx-3-model/issues/306> .  There are two
proposals: 

*   CreationInfo serialization compaction approach  Issue #357
<https://github.com/spdx/spdx-3-model/issues/357>  
*   Proposal for "unbundled" or individual profile to only require
CreationInfo when elements are not contained in a bundle: PR #343
<https://github.com/spdx/spdx-3-model/pull/343> 

 

I'd also like to discuss a couple logistical topics:

*   Do we have a meeting next week on July 4?
*   Should we schedule an early meeting to discuss the build, usage, and
lite profiles early to make it more convenient for the Japanese timezone?

 

Feel free to suggest additional topics.

 

Best regards,
Gary



View/Reply Online (#5201): https://lists.spdx.org/g/Spdx-tech/message/5201




[spdx-tech] Software as a Service Profile Meeting postponed

2023-06-17 Thread Gary O'Neall
Due to many of us being on holiday this upcoming Monday and the next meeting
falls on another long weekend - July 3rd, we'll skip the next 2 regularly
scheduled calls.  Let me know if you'd like to schedule a call the week of
July 10th or if we should just pick things back up on the next regularly
scheduled call on Monday July 17th.  

 

Best regards,

Gary



View/Reply Online (#5189): https://lists.spdx.org/g/Spdx-tech/message/5189




Re: [spdx-tech] SPDX special meeting on Properties vs Relationships

2023-06-16 Thread Gary O'Neall
Just catching up – quite a thread!

 

Couple of inputs.

 

I was in the discussion when we created the declared and concluded license 
fields, and the intent was that the declared license was a fact which can be 
verified by looking at the source whereas the concluded license was something 
where different analysis (or even different opinions) may lead to different 
answers.

 

As Steve mentioned in his analysis, different tools may pick up different 
declared licenses, but I consider that similar to different tools may calculate 
different checksums for the same file if there is an implementation error – you 
can always go back to the source and verify, and it should be treated as a 
“fact” for the artifact and something that should not change (if you trust the 
source of the Element metadata).

 

There are a large number of scenarios where the concluded license would change 
for the exact same artifact:

*   A software provider offers a choice of licenses (e.g. commercial or 
GPL-2.0-or-later; GPL-2.0-only or Apache-2.0), someone in the supply chain 
makes a decision
*   There is embedded open source that forces a license onto the package 
supplier (e.g. copy-left licenses)
*   The supplier information is not correct – something I actually run into 
a lot is open source software where all the files have one license and the 
package metadata says a completely different license

 

Best,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Dick 
Brooks
Sent: Friday, June 16, 2023 9:35 AM
To: 'David Kemp' ; 'SPDX Technical Mailing List' 
; 'SPDX-legal' 
Subject: Re: [spdx-tech] SPDX special meeting on Properties vs Relationships

 

David,

 

There is no guesswork needed to “know” the terms of use with SAG-PM

 

Gary’s tool and other tools can “know” the license that is in effect for SAG-PM 
by reading the SBOM provided by REA. There is no need to “guess” (conclude) the 
SAG-PM license.

 

Thanks,

 

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of 
David Kemp
Sent: Friday, June 16, 2023 12:27 PM
To: SPDX Technical Mailing List <spdx-tech@lists.spdx.org>; SPDX-legal <spdx-le...@lists.spdx.org>
Subject: Re: [spdx-tech] SPDX special meeting on Properties vs Relationships

 

Note that "Steve's tool is confident that package X has license A" allows the 
SPDX Package X element created by Steve to have a license A property.

Gary's tool can create an SPDX Package X element with a license B property.

It's when both Steve and Gary want to re-use the same SPDX Package X element 
created by Dick, but apply different licenses to it, that relationships are 
required.

v/r,
David

 

On Fri, Jun 16, 2023 at 9:49 AM Steve Winslow <swins...@gmail.com> wrote:

(cc spdx-legal)

 

For what it’s worth, here are a few of my thoughts on this:

 

* concludedLicense [0] is definitely something that different people / tools 
can reach different answers about.

 

* As currently drafted for SPDX 3.0, I believe declaredLicense [1] is also 
something that people / tools can reach different answers about. Although it is 
talking about the license information “actually found in the software,” tooling 
may e.g. find different licenses, or assign different license identifiers to 
them (including custom licenses). I don’t see declaredLicense as something 
intrinsic and globally agreed-upon given the way the field is defined.

 

* Additionally, keep in mind that the “same software” (e.g., the same bytes on 
disk) might be distributed to different users under multiple or differing 
licenses. E.g., a software package might be distributed under an open source 
license, with a separate proprietary license agreement negotiated with a 
specific recipient; or a software package which is under FOSS license A and 
later additionally licensed under FOSS license B, without updating notices 
within the work itself. I think this might not affect declaredLicense, if the 
software’s contents are not modified; but certainly could affect 
concludedLicense.

 

My point with the last item is just to say that I’m not convinced the license 
is something “intrinsic” to the software, in an immutable or inherent sense. 
But at the same time, a software artifact doesn’t have to have (and in my mind, 
shouldn’t be assumed to have) just one single global SPDX ID associated with 
it. Multiple SBOM creators can create different SPDX IDs to talk about the 
“same” piece 
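The distinction drawn in the thread above (Gary: the declared license is a fact you can re-derive from the artifact, much like a checksum; David: two creators who reuse the same Package element but reach different conclusions need relationships rather than a property on the shared element) can be made concrete in a few lines. The following is an added illustration written for this page, not code from the SPDX project or its tools-python library. The `Package`, `Relationship` and `CreationInfo` classes and the `hasConcludedLicense` relationship name are simplified stand-ins for the SPDX 3 model under discussion, and the sample artifact, creator names and IDs are constructed.

```python
"""Illustrative model (added example, not SPDX project code) of the
properties-vs-relationships point from the spdx-tech thread:

* facts that can be re-derived from the artifact (checksum, license tag
  found in the source) live on the shared Package element;
* opinions such as a concluded license hang off that element as
  relationships, each carrying its own CreationInfo, so several creators
  can reuse one element without forking or overwriting it.

Class and relationship names are simplified stand-ins for SPDX 3, not
its normative serialization.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CreationInfo:
    created_by: str  # identity of the tool or person making the assertion


@dataclass(frozen=True)
class Package:
    spdx_id: str
    name: str
    sha256: str                      # verifiable fact: digest of the artifact
    declared_license: Optional[str]  # verifiable fact: license tag in the artifact
    creation_info: CreationInfo


@dataclass(frozen=True)
class Relationship:
    spdx_id: str
    from_id: str
    relationship_type: str  # illustrative name: "hasConcludedLicense"
    to: str                 # a license expression
    creation_info: CreationInfo


# Matches a single-line "SPDX-License-Identifier: <expr>" tag in source text.
SPDX_TAG = re.compile(rb"SPDX-License-Identifier:\s*([^\r\n*]+)")


def declared_license_from(artifact: bytes) -> Optional[str]:
    """Re-derive the declared license from the artifact's SPDX tag, if any."""
    m = SPDX_TAG.search(artifact)
    return m.group(1).decode().strip() if m else None


def verify_declared_facts(pkg: Package, artifact: bytes) -> bool:
    """Check the element's 'fact' properties against the bytes, like a checksum."""
    if hashlib.sha256(artifact).hexdigest() != pkg.sha256:
        return False
    return declared_license_from(artifact) == pkg.declared_license


def concluded_licenses(pkg_id: str, graph: List[object]) -> Dict[str, str]:
    """Map each creator to the concluded license they asserted about pkg_id."""
    return {
        r.creation_info.created_by: r.to
        for r in graph
        if isinstance(r, Relationship)
        and r.from_id == pkg_id
        and r.relationship_type == "hasConcludedLicense"
    }


def resolve_concluded(pkg_id: str, graph: List[object], trusted: List[str]) -> Optional[str]:
    """Pick the concluded license from the first trusted creator that asserted one."""
    assertions = concluded_licenses(pkg_id, graph)
    return next((assertions[c] for c in trusted if c in assertions), None)


# Constructed sample artifact: a dual-licensed source file (a license choice,
# one of the scenarios in which the concluded license legitimately differs).
ARTIFACT = (b"/* SPDX-License-Identifier: GPL-2.0-only OR Apache-2.0 */\n"
            b"int main(void) { return 0; }\n")

# The shared element, produced once by creator-c (constructed name).
PKG = Package(
    spdx_id="urn:example:pkg-x",
    name="pkg-x",
    sha256=hashlib.sha256(ARTIFACT).hexdigest(),
    declared_license=declared_license_from(ARTIFACT),
    creation_info=CreationInfo("creator-c"),
)

# Two downstream consumers reuse creator-c's element but pick different options;
# neither has to copy or edit the Package element to record that.
GRAPH = [
    PKG,
    Relationship("urn:example:rel-1", PKG.spdx_id, "hasConcludedLicense",
                 "Apache-2.0", CreationInfo("creator-a")),
    Relationship("urn:example:rel-2", PKG.spdx_id, "hasConcludedLicense",
                 "GPL-2.0-only", CreationInfo("creator-b")),
]

if __name__ == "__main__":
    print(verify_declared_facts(PKG, ARTIFACT))
    print(concluded_licenses(PKG.spdx_id, GRAPH))
    print(resolve_concluded(PKG.spdx_id, GRAPH, ["creator-b", "creator-a"]))
```

Run directly, it reports whether the shared element's fact properties still match the bytes, every concluded-license assertion keyed by its creator, and the one a given trust order resolves to. Because the opinions live on relationships with their own CreationInfo, a consumer can drop assertions from creators it does not trust without losing the verifiable facts, and a tampered artifact (or a different license tag) fails `verify_declared_facts` regardless of what anyone concluded.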

[spdx-tech] Agenda for this week's tech call

2023-06-12 Thread Gary O'Neall
For this week's tech call, we would like to finish up on the larger license
profile related questions:

 

*   Use relationships instead of properties - align with Security
Profiles? see Thomas comment on
https://github.com/spdx/spdx-3-model/issues/254
*   Update from Friday's meeting on license expression serializations -
see decision in issue 372 comment
<https://github.com/spdx/spdx-3-model/issues/372#issuecomment-1584905970>
and pull request 369 <https://github.com/spdx/spdx-3-model/pull/369>  which
implements the Friday decision plus all previous tech team decisions on the
licensing profile.

 

Steve is only able to join us for the first 15 minutes or so, so I'd like to
cover the relationships first then the update since Alexios, David, Max and
I can cover the Friday meeting update.

 

The second topic I'd like to take on is the CreationInfo compaction.  There
are two proposals - it would be great if you could review both proposals
before the call:

*   Sean's proposal for CreationInfo serialization compaction approach:
issue #357 <https://github.com/spdx/spdx-3-model/issues/357> 
*   Proposal for "unbundled" or individual profile to only require
CreationInfo when elements are not contained in a bundle: PR #343
<https://github.com/spdx/spdx-3-model/pull/343> 

 

See you online tomorrow,


Gary 



View/Reply Online (#5169): https://lists.spdx.org/g/Spdx-tech/message/5169




[spdx-tech] Follow-up meeting on the license expression discussion

2023-06-07 Thread Gary O'Neall
As a follow-up to our last tech call discussion on license expressions, I
have scheduled a meeting from 9 to 10 AM Pacific time this Friday.  Zoom
meeting coordinates pasted below.

 

In terms of agenda, I would suggest the following:

*   Confirm problem statement and confirm this is something we think is
worth solving for release 3.0 of the spec - 5 to 10 minutes
*   Review alternative solution proposals documented in issue 372 - 20 to 30 minutes
*   If needed, discuss criteria for choosing a solution
*   Decide on a solution
*   Next steps

 

Feel free to add any suggestions or comments in advance of the meeting to
https://github.com/spdx/spdx-3-model/issues/372

 

 

Join Zoom Meeting
 

https://us02web.zoom.us/j/86995828562?pwd=VWhYT01aZ2tzODdtcGduVHV2OFQrUT09

Meeting ID: 869 9582 8562
Passcode: 564728

---

One tap mobile
  +17193594580,,86995828562#*564728# US
  +19292056099,,86995828562#*564728# US (New York)

---

Dial by your location
+1 719 359 4580 US
+1 929 205 6099 US (New York)
+1 253 205 0468 US
+1 253 215 8782 US (Tacoma)
+1 301 715 8592 US (Washington DC)
+1 305 224 1968 US
+1 309 205 3325 US
+1 312 626 6799 US (Chicago)
+1 346 248 7799 US (Houston)
+1 360 209 5623 US
+1 386 347 5053 US
+1 507 473 4847 US
+1 564 217 2000 US
+1 646 931 3860 US
+1 669 444 9171 US
+1 669 900 6833 US (San Jose)
+1 689 278 1000 US

Meeting ID: 869 9582 8562
Passcode: 564728

Find your local number:  
https://us02web.zoom.us/u/kdqiTZQDVd



View/Reply Online (#5167): https://lists.spdx.org/g/Spdx-tech/message/5167




Re: [spdx-tech] SPDX serialization meetings -- new time!

2023-06-07 Thread Gary O'Neall
Thanks Alexios!

 

Looking forward to joining the calls.

 

I created a PR for the meetings repo with the updated time which we can
merge in after this Thursday's call.

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
Alexios Zavras
Sent: Wednesday, June 7, 2023 4:24 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] SPDX serialization meetings -- new time!

 

Hi all,

 

After examining availabilities and preferences, the serialization meetings
of SPDX will move two hours later, on the same days.

Therefore, they will happen on Thursdays, 1500-1600 UTC.

 

Once a month (usually the first Thursday of the month) this will conflict
with the General meeting, so we will not have a call on these days.

Tomorrow (2023-06-08) the call is cancelled, since a number of regular
participants are not able to join.

 

Anyone who is interested in the topic and wants to actively participate,
please join us on Thursday 15 June onwards, 1500 UTC.

 

PS. In case you haven't seen it, there are currently PRs submitted providing
serialization examples in JSON syntax. Please read and comment on them!

 

-- zvr 

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de <http://www.intel.de> 
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva   
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928





View/Reply Online (#5166): https://lists.spdx.org/g/Spdx-tech/message/5166




Re: [spdx-tech] SPDX serialization meetings

2023-06-01 Thread Gary O'Neall
One hour before the tech call also has a conflict the first Tuesday of the
month with the OpenChain general call.  This would only be once a month, so
I could make the other meetings.

 

Thanks,
Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
Alexios Zavras
Sent: Thursday, June 1, 2023 3:25 AM
To: Gary O'Neall ; Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] SPDX serialization meetings

 

According to my calendar, this would conflict with the general meeting, so
once a month there would be no call.

 

How about Tuesday at that time - essentially the hour before the tech call?

 

-- zvr 

 

From: Gary O'Neall <garysourceaudi...@gmail.com>
Sent: Thursday, 1 June, 2023 02:03
To: Zavras, Alexios <alexios.zav...@intel.com>; Spdx-tech@lists.spdx.org
Subject: RE: [spdx-tech] SPDX serialization meetings

 

Hi Alexios,

 

I would be interested in joining - if we could move the time 2+ hours later,
that would be very helpful for me (or anyone in the Pacific Timezone) to
join.

 

Thanks for asking,


Gary

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of
Alexios Zavras
Sent: Wednesday, May 31, 2023 11:58 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] SPDX serialization meetings

 

Hi all,

 

As you may already know, the group of people with interest in the
serialization of SPDXv3 data meets regularly. The current schedule is weekly
calls on Thursdays, 1300-1400 UTC.

 

Are there people who want to actively contribute in the SPDX Serialization
efforts and are hindered because of the current timeslot?

If yes, please reach out (even to me directly) and we can try to find an
alternative, more convenient arrangement.

 

-- zvr 

 







View/Reply Online (#5162): https://lists.spdx.org/g/Spdx-tech/message/5162




Re: [spdx-tech] SPDX serialization meetings

2023-05-31 Thread Gary O'Neall
Hi Alexios,

 

I would be interested in joining - if we could move the time 2+ hours later,
that would be very helpful for me (or anyone in the Pacific Timezone) to
join.

 

Thanks for asking,


Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
Alexios Zavras
Sent: Wednesday, May 31, 2023 11:58 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] SPDX serialization meetings

 

Hi all,

 

As you may already know, the group of people with interest in the
serialization of SPDXv3 data meets regularly. The current schedule is weekly
calls on Thursdays, 1300-1400 UTC.

 

Are there people who want to actively contribute in the SPDX Serialization
efforts and are hindered because of the current timeslot?

If yes, please reach out (even to me directly) and we can try to find an
alternative, more convenient arrangement.

 

-- zvr 

 







View/Reply Online (#5158): https://lists.spdx.org/g/Spdx-tech/message/5158




Re: [spdx-tech] GSoC '23 Proposal: SoftWare Heritage SPDX generation

2023-05-26 Thread Gary O'Neall
Hi Harsh,

Your proposal looks very interesting and I'm sure it will provide a lot of
benefit to the SWHID and SPDX communities.

Since you are using the Python libraries, you can get early access to the SPDX
3.0 features using the prototype-spdx-3.0 branch
<https://github.com/spdx/tools-python/tree/prototype-spdx-3.0>. There will
likely be further changes to the SPDX 3.0 spec before final release, but the
python library is kept relatively current.

Feel free to ask any question on this email list. You can also use the SPDX
Gitter channel: https://app.gitter.im/#/room/#spdx-org_Lobby:gitter.im

Thanks,
Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Kate
Stewart
Sent: Friday, May 26, 2023 6:52 AM
To: HarshVardhan Mahawar
Cc: spdx-tech@lists.spdx.org; spdx-le...@lists.spdx.org
Subject: Re: [spdx-tech] GSoC '23 Proposal: SoftWare Heritage SPDX generation

Hi Harsh,

Delighted to have you working on this project!

Happy to set up some time and provide some orientation about SPDX specification
evolution, and starting points to work with.

Can you please send me (1:1) some time windows (with local time) next week on
Tuesday or Wednesday that work for you and I'll set up a meeting. I'm based in
the US.

Thanks!

Kate

On Fri, May 26, 2023 at 8:41 AM HarshVardhan Mahawar <hv062...@gmail.com> wrote:

Dear SPDX community,

I hope this email finds you well. My name is Harsh Vardhan Mahawar and I am
delighted to have been selected as a GSoC contributor during this summer with
the SPDX organization.

First of all I would like to thank the SPDX community and my mentor David
Douard from SWH for giving me this opportunity to work on this project
"SoftWare Heritage SPDX generation".

This project involves generation of valid SPDX documents through SWHID
(SoftWare Heritage persistent IDentifiers) using currently available
spdx-python libraries.

I am attaching my GSoC proposal to this email for your reference.

After discussing with my mentor I am planning to use the SWH GraphQL public API to
retrieve necessary information about and around a particular SWHID.

Now, I would like to address a few queries and seek clarifications regarding
the project:

1. Could you please provide me more details about the specific SPDX
specifications and formats (as 3.0 is on its way :)) that I should focus on
during the document generation process.

2. Are there any specific documentation resources or references that you
recommend for this project.

I appreciate your guidance and support throughout (and after as well :)) the
GSoC program, and I am eager to collaborate with the project mentors and the
SPDX community to successfully complete this project.

Thank you for your time and consideration. I am excited to embark on this
journey in the Open-source world.

Best regards,

Harsh Vardhan Mahawar

hv062...@gmail.com





View/Reply Online (#5152): https://lists.spdx.org/g/Spdx-tech/message/5152




[spdx-tech] Tomorrow's tech call cancelled

2023-05-08 Thread Gary O'Neall
We will be skipping this week's SPDX tech call due to a number of
participants attending the SPDX Tooling Mini Summit in Vancouver
<https://events.linuxfoundation.org/open-source-summit-north-america/program/schedule/>.

All are welcome to sign-up and join virtually.

We'll resume our normal schedule next Tuesday May 16.

Best,
Gary



View/Reply Online (#5135): https://lists.spdx.org/g/Spdx-tech/message/5135




[spdx-tech] Request for review - updated migration document

2023-05-07 Thread Gary O'Neall
Greetings SPDX tech team,

I just updated the SPDX 3 Migration Analysis to be consistent with the
release candidate version of the spec.

There were a lot of recent changes in the model, so it is quite likely I
missed something.

Please review and comment / suggest anything I missed:
https://docs.google.com/document/d/1-olHRnX1CssUS67Psv_sAq9Vd-pc81HF8MM0hA7M0hg/edit?usp=sharing

I'll be presenting the migration analysis on Tuesday, so an early review
would be appreciated.

Thanks,

Gary



View/Reply Online (#5133): https://lists.spdx.org/g/Spdx-tech/message/5133




Re: [spdx-tech] Software as a Service Profile

2023-04-26 Thread Gary O'Neall
Greetings all,

I created a Zoom meeting for our regular Software as a Service profile
meeting.

The meetings will occur the first and 3rd week of the month at 10AM to 11AM
Pacific daylight time (17:00 GMT).

Below are the coordinates for the meeting:

Gary ONeall is inviting you to a scheduled Zoom meeting.

Join Zoom Meeting
https://us02web.zoom.us/j/87627432628?pwd=TmZzYk1UR3JVclJyYXlBREVNR0t4dz09

Meeting ID: 876 2743 2628
Passcode: 786764

 




View/Reply Online (#5116): https://lists.spdx.org/g/Spdx-tech/message/5116




[spdx-tech] Software as a Service Profile

2023-04-24 Thread Gary O'Neall
Greetings all - the votes are in on the meeting time for the Software as a
Service profile meeting time.

There were no times that worked for everyone, but Monday's 10AM to 11AM
Pacific daylight time (17:00 GMT) seemed to work for most of the
respondents.

I would like to schedule our first meeting for the 3rd week - May 15 then
occurring the first and 3rd week of the month thereafter.

In terms of the agenda, after introductions, I thought we would start with
use cases and requirements using the CISA SBOM Cloud use cases
<https://docs.google.com/document/d/1yog5o2g2j9MG75G62AWDxblNNkYEZ0WJmkbZWbbIhnU/edit?usp=sharing>
as a base. We could then move into a discussion on
extensions to the core model
<https://github.com/spdx/spdx-3-model/blob/main/model.png>.

Feedback and suggestions on the agenda are welcome.

Best,

Gary



View/Reply Online (#5110): https://lists.spdx.org/g/Spdx-tech/message/5110




Re: [spdx-tech] License with duplicated SPDX license ds

2023-04-18 Thread Gary O'Neall
I just created this issue to update the message from the SPDX Java and online
tools: https://github.com/spdx/tools-java/issues/123

Feel free to review/comment on my proposed change to the tool.

Thanks,

Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Steve
Winslow
Sent: Tuesday, April 18, 2023 12:56 PM
To: rju...@vmware.com
Cc: opensou...@jilayne.com; Anthony Harrison;
Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] License with duplicated SPDX license ds

Hi all,

As a follow-up to this -- from the SPDX License List page at
https://spdx.org/licenses/, in the "Deprecated License Identifiers" section:

. . . When a license identifier is "deprecated" on the SPDX License List, it
effectively means that there is an updated license identifier and the
deprecated license identifier, while remaining valid, should no longer be used.

So, deprecated identifiers are and remain "valid", and SPDX Documents that
contain them are also fully valid.

If some of the SPDX parsing tools (from the SPDX project or elsewhere) flag
those identifiers as making a document "invalid", then that isn't correct and
is an error in the tooling.

I don't think there would be a problem with a warning that they are not
encouraged for use (given the "should no longer be used" language above), but I
think it's incorrect if tooling flags it as an error.

Best,

Steve

On Fri, Apr 14, 2023 at 4:31 PM Rose Judge via lists.spdx.org
<vmware@lists.spdx.org> wrote:

Deprecated license IDs do not validate with the latest SPDX tooling. You will
see an error like the following:

This SPDX Document is not valid due to:

Package at line 34690 invalid: LGPL-2.1 is deprecated. in
libseccomp2

Package at line 8056 invalid: LGPL-2.1 is deprecated. in
gcc-9-base

This has been an issue for Tern as libraries we depend on still refer to
deprecated SPDX license IDs.

From: Spdx-tech@lists.spdx.org on behalf of J
Lovejoy via lists.spdx.org <jilayne@lists.spdx.org>
Date: Thursday, April 13, 2023 at 8:23 PM
To: Anthony Harrison <anthony.p.harri...@gmail.com>
Cc: Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] License with duplicated SPDX license ds

Hi Anthony,

Well… yes, they are deprecated and show up on the deprecated part of the SPDX
License List. But I think they are still valid in the context of SPDX tooling
for the reason stated below.

Kate - do I have that correctly stated?

I guess this does make for a bit of an odd appearance. But it seemed the best
approach given the reality of use of the old ids and it being a big change.

Thanks,

Jilayne

On Apr 12, 2023, at 12:27 PM, Anthony Harrison <anthony.p.harri...@gmail.com> wrote:

Hi Jilayne

Thank you for the explanation.

However I note that the 'older' GPL license ids e.g. LGPL-2.0+ are now marked
as deprecated as of version 3.0 of the SPDX license list (see
https://spdx.org/licenses/). Therefore if the SBOM refers to a version of the
SPDX license list which is V3.x, then I assume that the deprecated license ids
are no longer valid and should not be used when reporting a license within an
SBOM. Is this a correct interpretation?

Anthony

On Wed, 12 Apr 2023 at 00:26, J Lovejoy <opensou...@jilayne.com> wrote:

Hi Anthony,

This is not an error at all but reflects the changing of the ids for the GPL
family of licenses at the behest of the FSF in 2017, while trying to not break
things for those people who had already been using the previous ids for years
prior. You can read more about it here:
https://spdx.dev/license-list-3-0-released/

Thanks,
Jilayne
SPDX-legal co-lead

Hello

Looking at the latest version of the SPDX License List (3.20) I have noticed
that some licenses have multiple identities e.g.

--
  "name": "GNU General Public License v2.0 only",
  "licenseId": "GPL-2.0-only",
  "licenseId": "GPL-2.0",
--
  "name": "GNU Library General Public License v2 only",
  "licenseId": "LGPL-2.0-only",
  "licenseId": "LGPL-2.0",
--
  "name": "GNU Library General Public License v2 or later",
  "licenseId": "LGPL-2.0-or-later",
  "licenseId": "LGPL-2.0+",
--
  "name": "GNU General Public License v2.0 or later",
  "licenseId": "GPL-2.0-or-later",
  "licenseId": "GPL-2.0+",
--
  &quo

[spdx-tech] Software as a Service Minutes

2023-04-17 Thread Gary O'Neall
Greetings all,

I just created a pull request for the meeting minutes from last week's
Software as a Service Profile meeting:
https://github.com/spdx/meetings/pull/316

Those on the call, please review and approve or provide feedback. I'll
merge it into the main meetings repo before our next meeting.

Thanks,
Gary

 



View/Reply Online (#5092): https://lists.spdx.org/g/Spdx-tech/message/5092




[spdx-tech] Software as a Service Profile

2023-04-17 Thread Gary O'Neall
Thanks to all the attendees of last week's Software as a Service Profile
meeting.

In the meeting, we decided to meet every two weeks for an hour.

I would propose we meet the first and 3rd week of the month.

I created a Doodle poll to collect input on preferred times. I tried to
avoid overlapping with other popular SPDX calls and make the timezone Europe
to West Coast friendly. If anyone in the Asia region is interested, perhaps we
can summarize during our regular monthly SPDX Asia call.

Below is the link to the Doodle Poll - if interested, please respond by this
Friday - April 21.

https://doodle.com/meeting/participate/id/eE0GkYgd

Thanks,

Gary

-

Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: g...@sourceauditor.com

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is
intended only for the person(s) or entity to which it is addressed and may
contain confidential and/or privileged material. Any review,
re-transmission, dissemination or other use of, or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please
contact the sender and destroy any copies of this information.

 



View/Reply Online (#5090): https://lists.spdx.org/g/Spdx-tech/message/5090




Re: [spdx-defects] [spdx-tech] SPDX 3.0: When to use a property or relationship

2023-04-17 Thread Gary O'Neall
I’m thinking it would be common to discover additional elements affected by a
vulnerability after a VEX is initially published which would cause the list of
elements referenced to change. Therefore my vote would be for B.

If it is unlikely to change, I would agree with David that a property would be better.

Gary

From: spdx-defe...@lists.spdx.org  On Behalf Of
David Kemp
Sent: Monday, April 17, 2023 11:25 AM
To: spdx-tech@lists.spdx.org; spdx-defe...@lists.spdx.org
Subject: Re: [spdx-defects] [spdx-tech] SPDX 3.0: When to use a property or
relationship

As a general rule, properties are used when an element's content is known at
the time the element is created, while either references or relationships are
used when that content is expected to change over time. For example, a
hypothetical "Person" element would include immutable properties of a specific
person, but would not include a "child" property because children can pop up
later. A Person element could include a parent property because parents don't
change, and/or a "parentOf" relationship could be used to cover more dynamic
possibilities like unknown or sealed biological parents that could be
discovered or unsealed after the child instance is created.

So if I understand the example, Option A should work since the status of a
specific product with respect to a specific vulnerability should not change.
And if it does change, a new VEX "urn:spdx.dev:vex-cve-2020-2849-2" will be
issued to supersede "-1".

But I'm not sure how "Our version of this package was modified" gets translated
to "We are not using this component" with a "product" property. Are "we"
creating a product that has the identical name, including version number, as a
package (urn:npmjs.com:elliptic-6.5.3)? If so, how is the unaffected package
or product distinguished from the original/unmodified baseline that presumably
is affected by the vulnerability?

v/r,
David

On Mon, Apr 17, 2023 at 11:18 AM Thomas Steenbergen <opensou...@steenbe.nl> wrote:

Hi all,

In the April 12th Defects meeting we were discussing changing the security profile
<https://github.com/spdx/spdx-3-model/tree/security-profile/security-profile>
to be better able to support VEX use cases.

We ran into the recurring issue of when to use a property and when to use a
relationship; I included some examples below.

I know we discussed this in a recent tech call. Do we have any written
guidance/design principles? Can we discuss this further tomorrow?

Below is an excerpt of the SPDX 3.0 Vulnerability example as currently found on
GitHub. The issue we found is that changing any VEX property would require
publishing the whole vulnerability, which is not ideal. The idea is to move VEX and
maybe other categorization into their own elements so the SPDX creator can update
just the categorization and timestamp for each categorization creation using
SPDX 3.0 Element's creationInfo.

"@type": "Vulnerability",
"@id": "urn:spdx.dev:cve-2020-2849",
"summary": "Use of a Broken or Risky Cryptographic Algorithm",
"description": "The npm package `elliptic` before version 6.5.4 are vulnerable
to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js.
There is no check to confirm that the public key point passed into the derive
function actually exists on the secp256k1 curve. This results in the potential
for the private key used in this implementation to be revealed after a number
of ECDH operations are performed.",
"modified": "2021-03-08T16:02:43Z",
"published": "2021-03-08T16:06:50Z",
"categorizations": [
  {
    "@type": "VexNotAffectedVulnerabilityCategorization",
    "@id": "urn:spdx.dev:vex-cve-2020-2849",
    "status": "notAffected",
    "impact": "Our version of this package was modified and does not include
code affected by cve-2020-2849.",
    "justification": "vulnerabileCodeNotPresent",
    "source": "https://vex-system...",
  }
],
{
  "@type": "Relationship",
  "relationshipType": "advisory",
  "to": "urn:spdx.dev:vex-cve-2020-2849",
  "from": ["urn:npmjs.com:elliptic-6.5.3",
"urn:npmjs.com:elliptic-6.5.3-subcomponent-1"]
},

Option A: Only use properties to link a VEX to other SPDX elements - easy for
VEX publishers and readers as everything is in 1 element

  {
    "@type": "VexNotAffectedVulnerabilityCategorization",
    "@id": "urn:spdx.dev:vex-cve-2020-2849-1",
    "status": "notAffected",

"i

[spdx-tech] Question on how to handle "None" and "NoAssertion"

2023-04-16 Thread Gary O'Neall
Hi Sean - and the larger SPDX tech community,

I would like to get your opinion on how we should handle the NoAssertion and
None object values for several SPDX properties.

The issues are documented in https://github.com/spdx/spdx-3-model/issues/76
and https://github.com/spdx/spdx-3-model/issues/71

There are two (or more) perspectives on this issue.

*   In RDF - we're using an Individual for None and NoAssertion and
including that in the Range for the properties. This has caused some
issues, which may be due to using OWL rather than SHACL to describe the
restrictions.

*   In Object Oriented Programming, it is challenging to define
subclasses of Element and Licenses (and other types) that include None and
NoAssertions.

Feel free to update the issues or reply to all in the email.

Thanks,
Gary

 


 



View/Reply Online (#5080): https://lists.spdx.org/g/Spdx-tech/message/5080




Re: [spdx-tech] Clarification on Package Purpose

2023-04-11 Thread Gary O'Neall
Hi Anthony and Rose,

Thanks for bumping this up. This fell off my radar and definitely should be
resolved. First, I want to apologize for the general inconsistency between
JSON and the spec. I should have caught these earlier. I also missed the issue
813 <https://github.com/spdx/spdx-spec/issues/813> comment which I just
responded to.

Since 3.0 allows for breaking changes, we should be able to fix all the Enum
inconsistencies. All - please review for this (and other) inconsistencies in
the serialization specifications for 3.0 and help make sure we don’t make any
similar mistakes.

Best,
Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Anthony
Harrison
Sent: Tuesday, April 11, 2023 9:26 AM
To: Rose Judge
Cc: Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] Clarification on Package Purpose

Thanks Rose

Good to see I am not the only one finding these issues. I note that the Python
SPDX tool library assumes OPERATING-SYSTEM and I think this is preferable to
having an _ and is consistent with CycloneDX. Supporting both - and _ is not a
good solution IMHO.

At the moment we have at least 2 inconsistencies between two SPDX products
(online validator and Python SPDX tool library) which is not ideal.

Anthony

On Tue, 11 Apr 2023 at 16:49, Rose Judge <rju...@vmware.com> wrote:

Hi Anthony,

This issue is documented here as well:
https://github.com/spdx/spdx-spec/issues/813 and also similar to
https://github.com/spdx/spdx-spec/issues/792 which was resolved by allowing
both – and _: https://github.com/spdx/spdx-spec/pull/793. Based off these
issues I would assume either is correct but Gary can confirm.

-Rose

From: Spdx-tech@lists.spdx.org on behalf of
Anthony Harrison via lists.spdx.org <gmail@lists.spdx.org>
Date: Tuesday, April 11, 2023 at 7:42 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] Clarification on Package Purpose

According to Clause 7.24.1 of the SPDX 2.3 spec, OPERATING-SYSTEM is a valid
package purpose.

However if I look at the JSON spec
(https://github.com/spdx/spdx-spec/blob/master/schemas/spdx-schema.json), this
is OPERATING_SYSTEM (note the subtle difference between the - and _).

The online validator allows OPERATING_SYSTEM and not OPERATING-SYSTEM as a
valid purpose.

There is clearly some inconsistency here. Which is correct?

(For reference, the equivalent value in CycloneDX is 'operating-system')

Anthony

 





View/Reply Online (#5074): https://lists.spdx.org/g/Spdx-tech/message/5074
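Validation logic for the two tooling inconsistencies discussed in the threads above, as an added Python example that is not code from the SPDX project or its tools: deprecated license identifiers (the duplicated GPL-2.0 / GPL-2.0-only style ids from the License List thread) produce a warning naming the replacement id and only identifiers absent from the list make the document invalid, and primaryPackagePurpose accepts both OPERATING-SYSTEM and OPERATING_SYSTEM, reporting the spelling that matches the target serialization. The license-list excerpt, the package records and all function names are constructed for this example; the field names are assumed to match the published licenses.json and the SPDX 2.3 JSON schema.

```python
"""Validate license identifiers and primaryPackagePurpose of SPDX 2.x packages.

Added example, not SPDX project code. LICENSE_LIST is a constructed excerpt of
the License List (the published licenses.json uses the same field names) and
SAMPLE_PACKAGES are constructed records modelled on the validator output in the thread.
"""
import re

# Constructed excerpt: each deprecated id shares its "name" with the current id.
LICENSE_LIST = [
    {"licenseId": "GPL-2.0-only", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": False},
    {"licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": True},
    {"licenseId": "GPL-2.0-or-later", "name": "GNU General Public License v2.0 or later", "isDeprecatedLicenseId": False},
    {"licenseId": "GPL-2.0+", "name": "GNU General Public License v2.0 or later", "isDeprecatedLicenseId": True},
    {"licenseId": "LGPL-2.0-or-later", "name": "GNU Library General Public License v2 or later", "isDeprecatedLicenseId": False},
    {"licenseId": "LGPL-2.0+", "name": "GNU Library General Public License v2 or later", "isDeprecatedLicenseId": True},
    {"licenseId": "LGPL-2.1-only", "name": "GNU Lesser General Public License v2.1 only", "isDeprecatedLicenseId": False},
    {"licenseId": "LGPL-2.1", "name": "GNU Lesser General Public License v2.1 only", "isDeprecatedLicenseId": True},
    {"licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": False},
]

def build_index(license_list):
    """Map every licenseId to its replacement id, or None when the id is current."""
    current_by_name = {e["name"]: e["licenseId"] for e in license_list if not e["isDeprecatedLicenseId"]}
    return {e["licenseId"]: (current_by_name.get(e["name"]) if e["isDeprecatedLicenseId"] else None)
            for e in license_list}

INDEX = build_index(LICENSE_LIST)
_TOKEN = re.compile(r"\(|\)|[^\s()]+")
_OPERATORS = {"AND", "OR", "WITH"}

def check_expression(expr, index):
    """Return (errors, warnings) for one SPDX license expression: deprecated ids
    only warn (they remain valid per the License List page), unknown ids are errors;
    LicenseRef-/DocumentRef-, NONE/NOASSERTION and exception ids after WITH pass."""
    errors, warnings = [], []
    expect_exception = False
    for tok in _TOKEN.findall(expr):
        if tok in ("(", ")"):
            continue
        if tok.upper() in _OPERATORS:
            expect_exception = tok.upper() == "WITH"
            continue
        if expect_exception:          # exception ids live in exceptions.json; not checked here
            expect_exception = False
            continue
        if tok in ("NONE", "NOASSERTION") or tok.startswith(("LicenseRef-", "DocumentRef-")):
            continue
        # "GPL-2.0+" is a deprecated id in its own right, whereas "+" on a current
        # id is the or-later operator: try the exact token before stripping it.
        for cand in [tok] + ([tok[:-1]] if tok.endswith("+") else []):
            if cand in index:
                if index[cand] is not None:
                    warnings.append(f"{tok} is deprecated; use {index[cand]}")
                break
        else:
            errors.append(f"{tok} is not a known SPDX license identifier")
    return errors, warnings

# SPDX 2.3 clause 7.24.1 spells it OPERATING-SYSTEM, the JSON schema
# OPERATING_SYSTEM. Accept either separator (as spdx-spec PR 793 did for a
# sibling enum) and report the spelling that matches the target serialization.
PACKAGE_PURPOSES = {"APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
                    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER"}

def canonical_purpose(value, serialization="json"):
    """Return the purpose spelled for "json" or "tag" serialization, or None if unknown."""
    tag_form = value.upper().replace("_", "-")
    if tag_form not in PACKAGE_PURPOSES:
        return None
    return tag_form.replace("-", "_") if serialization == "json" else tag_form

def validate_packages(packages, index, serialization="json"):
    """Return (is_valid, findings), findings being (severity, package, message);
    only errors make the document invalid, warnings mark discouraged usage."""
    findings = []
    for pkg in packages:
        for field in ("licenseConcluded", "licenseDeclared"):
            if pkg.get(field):
                errors, warnings = check_expression(pkg[field], index)
                findings += [("error", pkg["name"], f"{field}: {m}") for m in errors]
                findings += [("warning", pkg["name"], f"{field}: {m}") for m in warnings]
        purpose = pkg.get("primaryPackagePurpose")
        if purpose:
            canon = canonical_purpose(purpose, serialization)
            if canon is None:
                findings.append(("error", pkg["name"], f"unknown primaryPackagePurpose {purpose}"))
            elif canon != purpose:
                findings.append(("warning", pkg["name"], f"primaryPackagePurpose {purpose} is spelled {canon} in {serialization}"))
    return not any(sev == "error" for sev, _, _ in findings), findings

# Constructed sample input (package names taken from the validator output in the thread).
SAMPLE_PACKAGES = [
    {"name": "libseccomp2", "licenseDeclared": "LGPL-2.1", "primaryPackagePurpose": "LIBRARY"},
    {"name": "gcc-9-base", "licenseConcluded": "LGPL-2.1 AND GPL-2.0+"},
    {"name": "base-image", "licenseDeclared": "LGPL-2.0+ OR MIT", "primaryPackagePurpose": "OPERATING-SYSTEM"},
    {"name": "typo-pkg", "licenseConcluded": "GPL-2.0-plus WITH Classpath-exception-2.0"},
]
```

Running validate_packages(SAMPLE_PACKAGES, INDEX) on the sample reports the document invalid for the single unknown id only; the four deprecated ids and the hyphenated purpose in a JSON document come back as warnings.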




Re: [spdx-tech] SPDX Software as a Service Profile Kick-off Meeting

2023-04-10 Thread Gary O'Neall
Sorry about that Brandon.

It was also an admittedly short notice for the poll.

Since you won’t be able to make the meeting, do feel free to provide inputs on
the following and we’ll take that input into the meeting:

*   Logistics – what would you prefer to have as a meeting frequency
(weekly, every 2 weeks, other)?
*   Logistics – any day/times that are preferred and won’t work?
*   Target dates – the big question – should we try to get something into
the 3.0 release?
*   Scope – Any thoughts on how we scope the work.

Cheers,
Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Brandon
Lum via lists.spdx.org
Sent: Monday, April 10, 2023 12:46 PM
To: Gary O'Neall
Cc: SPDX-list
Subject: Re: [spdx-tech] SPDX Software as a Service Profile Kick-off Meeting

ah i must have missed the doodle poll, if there's going to be another doodle
poll, can it be shared in the mailing list since i won't be able to attend the
kick off! Thanks!

Cheers

Brandon

 



 





View/Reply Online (#5067): https://lists.spdx.org/g/Spdx-tech/message/5067




[spdx-tech] SPDX Software as a Service Profile Kick-off Meeting

2023-04-10 Thread Gary O'Neall
Based on the doodle poll responses from those expressing interest in last
Tuesday's tech call, I have scheduled the initial meeting for the Software
as a Service profile team for April 13, 10-11 AM Pacific time.

Anyone interested in the topic is welcome to join.

For the initial meeting, I would like to discuss the scope, target release
date and logistics (meeting time and frequency).

As background, there is a very related activity, CISA SBOM Cloud. Minutes
can be found here:
https://docs.google.com/document/d/1ZpTtsY0H2SwfNRq6qUzLMiWLQ8OwlhmJeg_M0cxrOiQ

Below is the link to the zoom video conference:

Initial meeting to discuss creating an SPDX profile for software offered as
a service over a network. At the meeting, we'll decide the frequency and
timing for any subsequent meetings.

m_id: YgL67VZOb9
---
Video Conferencing:
https://us02web.zoom.us/j/83702327112

 


 



View/Reply Online (#5065): https://lists.spdx.org/g/Spdx-tech/message/5065




[spdx-tech] SPDX Tech Agenda Reminder

2023-04-02 Thread Gary O'Neall
Greetings all SPDX tech sub-teams - just a reminder this is the last tech
call before the monthly SPDX general meeting where we share summaries from
all the sub-teams.  Please bring your latest status.

Thanks,

Gary

View/Reply Online (#5058): https://lists.spdx.org/g/Spdx-tech/message/5058




Re: [spdx-tech] Serialization: Ontologies vs Datatypes

2023-03-20 Thread Gary O'Neall
Thanks David for the additional info.

I was planning on allowing the fields of “data types” as objects in RDF triples in
SPDX 3.0.  The difference between Elements and “data types” was whether URI
types were required or if the object could be an anonymous/blank node.

Is this consistent with the discussion in the Serialization meeting?

Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of David
Kemp
Sent: Sunday, March 19, 2023 12:07 PM
To: SPDX-list
Subject: [spdx-tech] Serialization: Ontologies vs Datatypes

At the SPDX Serialisation Meeting 2023-03-16:

Sean presented a deck of slides that he and Alexios had created to explain
concepts relating to JSON-LD and RDF with regard to SPDX. The presentation
covered JSON, JSON-LD, context maps and ontologies.

The discussion included Alexios' toy example of Coordinate, and whether it is a
linked (referenceable) item in an ontology or not.

1) SPDX Element instances are referenceable by SpdxId, an IRI

2) Instances of Datatypes are plain values, they do not have reference IDs

A third option was discussed, whether Coordinate could be an ontological
element (a subject or object, connected by a predicate in an ontology graph),
in which case each instance of a Coordinate would need an IRI that is not an
SpdxId in addition to its value (latitude and longitude).

The case of Central Park was discussed, which would be modeled as a "Place"
with a name, image, and an ordered list of Coordinates (not a set) that
establishes its perimeter.  The southeast corner of the park, 5th Avenue and W.
58th St, has coordinate 40.76376383066618, -73.973564545299.  This instance is
not an ontological item because it is also on the perimeter of 5th Avenue that
exists independently of Central Park.  The identical coordinate would have at
least three different IRIs (as coordinates of one park, two streets, plus
innumerable people standing on that corner) if it were considered a
referenceable RDF item.  Therefore it is not, it is just a value.

The SPDX model accurately expresses the semantics of Datatypes:
CreationInformation, ExternalIdentifier, PositiveIntegerRange, etc, are data
types:

These types have value-type / struct semantics - equality is determined by
comparing values and they MUST NOT be referenced by name across documents.

We should add a list (like the boundary of Central Park) that cannot be a set
to Alexios' toy serialization example, even if SPDX does not have any use cases
for an ordered list, to ensure that the modeling methodology is complete.
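
The Element-vs-Datatype rules above, checked mechanically over a small JSON-LD style document, as an added example that is not part of David's notes or of any SPDX code; the type names, the @context and the Central Park document are constructed for it.

```python
"""Added example, not code from the thread or from SPDX: the Element-vs-Datatype
rules from the serialization meeting notes, checked over a JSON-LD style
document.  Elements (here: Place) are referenceable by an IRI spdxId and are
compared by identity; Datatype values (here: Coordinate) carry no id, are
compared by value and appear only inline; an ordered list such as a perimeter
must be declared with "@container": "@list", otherwise JSON-LD treats the
array as a set.  Type names, context and documents are constructed."""
from urllib.parse import urlparse

ELEMENT_TYPES = {"Place"}            # referenceable: need an IRI spdxId
DATATYPE_TYPES = {"Coordinate"}      # plain values: must not carry an id
ORDERED_PROPERTIES = {"perimeter"}   # arrays whose order is meaningful


def is_iri(value) -> bool:
    """Minimal IRI test: a scheme plus an authority or a path."""
    parts = urlparse(str(value))
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def check_document(doc: dict) -> list:
    """Return the modeling violations found (empty when the document conforms)."""
    problems = []
    context = doc.get("@context", {})
    for prop in ORDERED_PROPERTIES:
        decl = context.get(prop)
        if not (isinstance(decl, dict) and decl.get("@container") == "@list"):
            problems.append(f"@context: {prop} must be declared as an @list container")

    def walk(node, where):
        if isinstance(node, dict):
            kind = node.get("type")
            if kind in ELEMENT_TYPES and not is_iri(node.get("spdxId", "")):
                problems.append(f"{where}: {kind} is an Element and needs an IRI spdxId")
            if kind in DATATYPE_TYPES and node.keys() & {"spdxId", "@id"}:
                problems.append(f"{where}: {kind} is a Datatype and must not carry an id")
            for key, value in node.items():
                if key != "@context":
                    walk(value, f"{where}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{where}[{i}]")

    walk(doc, "$")
    return problems


def shared_values(doc: dict) -> dict:
    """Map each Coordinate value (as a sorted tuple of its fields) to the
    Elements that carry it.  The same value can sit under several Elements
    without any of them owning it: that is why it is a value, not a node."""
    owners = {}

    def walk(node, owner):
        if isinstance(node, dict):
            if node.get("type") in ELEMENT_TYPES:
                owner = node["spdxId"]
            if node.get("type") in DATATYPE_TYPES:
                key = tuple(sorted((k, v) for k, v in node.items() if k != "type"))
                owners.setdefault(key, []).append(owner)
            for value in node.values():
                walk(value, owner)
        elif isinstance(node, list):
            for value in node:
                walk(value, owner)

    walk(doc, None)
    return owners


# Constructed document: the park and the avenue share the corner coordinate.
CONTEXT = {"spdxId": "@id", "perimeter": {"@id": "ex:perimeter", "@container": "@list"}}
CORNER = {"type": "Coordinate", "lat": 40.76376383066618, "lon": -73.973564545299}
PLACES = {
    "@context": CONTEXT,
    "@graph": [
        {"type": "Place", "spdxId": "https://example.com/place/central-park",
         "name": "Central Park",
         "perimeter": [CORNER, {"type": "Coordinate", "lat": 40.8, "lon": -73.95}]},
        {"type": "Place", "spdxId": "https://example.com/place/5th-ave",
         "name": "5th Avenue",
         "perimeter": [CORNER, {"type": "Coordinate", "lat": 40.75, "lon": -73.98}]},
    ],
}
```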







View/Reply Online (#5046): https://lists.spdx.org/g/Spdx-tech/message/5046




Re: [spdx-tech] Handling invalid licenses

2023-03-16 Thread Gary O'Neall
Hi Anthony,

My suggestion is to report the license as stated in the Declared License
<https://spdx.github.io/spdx-spec/v2.3/package-information/#715-declared-license-field>
property, even though invalid, and use either NOASSERTION or (better yet) the
correct license in the Concluded License
<https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field>
field.  I would also recommend adding a comment in the Comments on License Field
<https://spdx.github.io/spdx-spec/v2.3/package-information/#716-comments-on-license-field>
explaining the error.

Hope that helps,

Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Anthony
Harrison
Sent: Thursday, March 16, 2023 11:41 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] Handling invalid licenses

Team

In generating SBOMs, I am encountering a lot of issues with licence information
obtained from either ecosystem meta data or actual source files; most do not
appear to be using SPDX license identifiers. If I report the actual licence
text then the generated SBOM is invalid; however reporting it as NOASSERTION
or NONE doesn’t seem correct because the author has made some attempt at
identifying the license, albeit incorrectly.

What is the correct behaviour when an invalid license is detected?

Regards

Anthony Harrison
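
Gary's recommendation applied in code, as an added example that is not part of the thread: the declared value is kept as stated, the concluded field carries a corrected identifier or NOASSERTION, and the comment records why. The identifier subset, exception list and alias table are constructed for the example; a real tool would load the full SPDX license list.

```python
"""Added example, not code from the thread: apply Gary's suggestion to an SPDX
2.3 JSON package whose metadata declares a license that is not a valid SPDX
expression.  licenseDeclared keeps what the author stated; licenseConcluded
carries the corrected identifier when a reviewer mapping exists, otherwise
NOASSERTION; licenseComments records the discrepancy.  A strict validator will
still flag the invalid licenseDeclared value (Anthony's point); the comment
explains why it is there.  Identifier subset, exceptions and aliases are
constructed for the example."""
import re

# Real SPDX identifiers, but only a constructed subset of the license list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only",
            "GPL-3.0-or-later", "LGPL-2.1-only"}
EXCEPTIONS = {"Classpath-exception-2.0"}
# Constructed reviewer mapping from common non-SPDX spellings; None = ambiguous.
ALIASES = {
    "apache 2.0": "Apache-2.0",
    "apache license, version 2.0": "Apache-2.0",
    "mit license": "MIT",
    "gplv2": "GPL-2.0-only",
    "bsd": None,
}
# Operators are matched as upper-case keywords only (a simplification).
TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+:-]+")


def is_license_id(tok: str) -> bool:
    """A list identifier, optionally with a '+' suffix, or a (DocumentRef-qualified) LicenseRef."""
    if tok.startswith("LicenseRef-") or ":LicenseRef-" in tok:
        return True
    return (tok[:-1] if tok.endswith("+") else tok) in SPDX_IDS


def is_valid_expression(expr: str) -> bool:
    """Syntax check of an SPDX license expression by recursive descent:
    primary := id [WITH exception] | '(' expression ')'
    expression := primary ((AND | OR) primary)*
    (only well-formedness is checked, so AND/OR precedence is irrelevant)."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        return False                      # characters the grammar does not allow
    pos = 0

    def primary() -> bool:
        nonlocal pos
        if pos >= len(tokens):
            return False
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            if not expression() or pos >= len(tokens) or tokens[pos] != ")":
                return False
            pos += 1
            return True
        if not is_license_id(tok):
            return False
        if pos < len(tokens) and tokens[pos] == "WITH":
            pos += 1
            if pos >= len(tokens) or tokens[pos] not in EXCEPTIONS:
                return False
            pos += 1
        return True

    def expression() -> bool:
        nonlocal pos
        if not primary():
            return False
        while pos < len(tokens) and tokens[pos] in ("AND", "OR"):
            pos += 1
            if not primary():
                return False
        return True

    return expression() and pos == len(tokens)


def package_license_fields(declared: str) -> dict:
    """The SPDX 2.3 JSON package license fields for what the metadata declares."""
    if is_valid_expression(declared):
        return {"licenseDeclared": declared, "licenseConcluded": declared}
    fields = {"licenseDeclared": declared}     # reported as stated, even though invalid
    concluded = ALIASES.get(" ".join(declared.split()).lower())
    if concluded:
        fields["licenseConcluded"] = concluded
        fields["licenseComments"] = (
            f"Declared license {declared!r} is not a valid SPDX license expression; "
            f"concluded as {concluded} from the reviewer's mapping.")
    else:
        fields["licenseConcluded"] = "NOASSERTION"
        fields["licenseComments"] = (
            f"Declared license {declared!r} is not a valid SPDX license expression "
            "and could not be mapped to an SPDX identifier.")
    return fields
```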





View/Reply Online (#5043): https://lists.spdx.org/g/Spdx-tech/message/5043




Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

2023-03-07 Thread Gary O'Neall
Hi Dick,

Thanks for welcoming our feedback.  Clearly an important topic.  I may have
a different perspective on the topic coming more from an SPDX than an NTIA
perspective.  Below are a few thoughts.

Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Dick
Brooks
Sent: Tuesday, March 7, 2023 1:09 PM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task
Force SW Assurance work stream

Just an FYI:

Both Willian and I work on the CISA ICT_SCRM Task Force SW Assurance Work
Stream, which is developing guidance for Federal Procurement Offers with
regard to OMB M-22-18 and EO 14028.

Today, I shared this information with the group, based on our discussions
regarding Supplier semantics. This is a very important topic that we need to
be consistent in referring to when discussing semantics of the software
supply chain.

I welcome your feedback on what I sent to the Task Force earlier, shown
here:

Today, the SPDX SBOM tech team had a very active discussion about the roles
in a software supply chain. There are "at least" three distinctive roles:

[G.O.] The 3 roles are NTIA defined roles.  The way you phrase it here, it
sounds like SPDX defined these roles.  I would rephrase 'There are "at
least" three distinctive roles' to 'The NTIA discusses at least 3
distinctive roles in the NTIA framing document'.

1. Supplier

Here is how the NTIA documents describe Supplier, which I agree with:

https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf

REF Page 9:

Supplier Name

The name of an entity that creates, defines, and identifies components.

Supplier refers to the originator or manufacturer of the software component.

No consensus was reached within the SPDX Tech community on the semantics of
"Supplier"

[G.O.] I think there is consensus on the SPDX definition of an SPDX Supplier
- I believe there is not consensus on the NTIA definition of Supplier within
the specific SPDX meeting.  I would remove this sentence or clarify that we
are talking about NTIA supplier, not SPDX supplier.

REA agrees with the NTIA definition of Supplier and asserts that Suppliers
produce SBOMs, which are provided to others, i.e. end users, vendors and
distributors

2. Vendor

No consensus was reached within the SPDX Tech community on the semantics of
"Vendor"

[G.O.] Again - this is an NTIA term.  Vendor is not a term used in SPDX.  We
only use supplier and originator.  Same as above, suggest either removing
the sentence or clarifying that we are talking about NTIA "Vendor"

REA asserts that a vendor is the party that "transacts" in the purchase/sale
of a software product to an end consumer. A vendor supplies a customer with
a "Vendor Response File
<https://energycentral.com/c/pip/advice-software-vendors-prepare-omb-m-22-18-requirements>".
A Systems Integrator is considered a Vendor (not a supplier)

3. Distributor

No consensus was reached within the SPDX Tech community on the semantics of
"Distributor"

[G.O.] Same comments.

REA asserts that a Distributor is the party that makes a software product
available to others. GitHub is an example of a Distributor. The Apple Store
is a distributor of software products.


As with many concepts in the software supply chain there are many gray
areas. REA has gone on the record recommending that SPDX adopt the NITA
semantics for Supplier in the next release, v 3.0.

"Supplier refers to the originator or manufacturer of the software
component."

 

It's entirely feasible for a single legal entity to serve in all 3 roles.
This occurs frequently with Microsoft products.

 

I welcome your thoughts and insights on these 3 roles.

 

I welcome your thoughts and insights. IMO, we will need to reach a consensus
on the 3 roles identified above, and possibly more as we dig deeper.

[G.O.] After reading through the entire message, I would suggest reframing
the discussion.  SPDX current defines 2 roles - a supplier and originator.
Both are clearly defined in the SPDX 2.X spec.  The NTIA documentation
discusses 3 roles.  There is a mapping between the NTIA Supplier and the
SPDX supplier, but there is some confusion on mapping Distributor and Vendor
to the SPDX terms.  We didn't discuss mapping SPDX originator, but that may
also lead to confusion.  I know Kate has put quite a bit of time into
discussing this with the NTIA community, so I would suggest getting her
feedback before sending this on to the other work group(s).

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council - A Public-Private Partnership

 

Never trust software, always verify and report!

Re: [spdx-tech] Is tools.spdx.org down?

2023-02-28 Thread Gary O'Neall
Hi Peter,

It’s back up.

I have a check setup in AWS that emails me when it is not responding.  I did
get an email overnight my time, but I didn’t see it / have a chance to fix it
until now.

The problem is either networking or O.S. related as the entire AWS instance is
non-responsive to networking requests.  I rebooted the instance and it’s back
up again.

If you or anyone in the SPDX community has expertise in network operations or
systems operations, I could really use some help on this one!  Just email me
and I’ll send you the logs for analysis.

For SPDX – we do use Gitter:
https://app.gitter.im/#/room/#spdx-org_Lobby:gitter.im although I have not
personally been monitoring the chats.  I’ll start again now.

Cheers,
Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Peter
Monks
Sent: Tuesday, February 28, 2023 11:33 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] Is tools.spdx.org down?

G'day everyone,

I just noticed that https://tools.spdx.org/ appears to be down - it times out
for both http and ping requests.  Is this just me, or is there indeed a
server-side problem?

Separately, does SPDX use a chat type service of any kind (Slack, Discord,
etc.)?  I just wondered if there was a better place to report minor things like
this (and ask potentially silly questions, of which I have many!).

Cheers,

Peter

View/Reply Online (#5000): https://lists.spdx.org/g/Spdx-tech/message/5000




Re: [spdx-tech] clarification around "documentDescribes" field

2023-02-23 Thread Gary O'Neall
Let’s add an agenda item for next Tuesday’s call to discuss how we want to
document the JSON fields in general for the spec.

I added a couple of comments to Keith’s specific questions below.

Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Keith
Zantow via lists.spdx.org
Sent: Thursday, February 23, 2023 2:09 PM
To: SPDX Technical Mailing List
Subject: Re: [spdx-tech] clarification around "documentDescribes" field

Hi All,

Sorry I missed this discussion earlier, and apologies for bringing this back
up, but just had a bit of a talk with Brandon and wanted to chime in on a
couple thoughts here. As Gary noted, there are at least 2 "shortcut" fields
(documentDescribes and hasFiles), which are completely equivalent to analogous
relationships, as far as I can tell.

In order to support these fields in the tools-golang project, does it make
sense to only output relationships but support parsing these fields from
existing SBOMs and translating them into relationships? Is there a reason to
push the decision of how to construct the SPDX document from a common model to
the user of the library? It seems like this is not something a library consumer
should be concerned with (do I put this data here or here?).

[G.O.] I think it’s important to support reading the shortcut for compatibility
with libraries that use the shortcut, but I personally think it would be OK to
always output relationships.  It does make the output more verbose which really
only impacts human readers of the JSON file.

Also, these fields are not defined in the SPDX spec as far as I can tell (aside
from RDF somehow, which I don't quite grok), and despite being defined in the
JSON schema should probably be modeled as relationships when working with data
models within tools, I think.

[G.O.] True – also noted in the thread below.

Any thoughts about only supporting reading here?

Thanks,

-Keith

On Tue, Feb 21, 2023 at 5:51 PM Adolfo <pue...@chainguard.dev> wrote:

The second sounds good to me too,

I think we also need to draft some guidance somewhere in the spec on how both
are valid and are additive when the first level elements are defined in both
via relationships and documentDescribes to define how consumption tools should
behave when finding both.

On Tue, Feb 21, 2023 at 4:13 PM Brandon Lum via lists.spdx.org
<google@lists.spdx.org> wrote:

Agreed with both options, either are good to me, probably favoring the latter if
it means a faster turn-around to standardization.

On Thu, Feb 16, 2023 at 4:50 PM Gary O'Neall <g...@sourceauditor.com> wrote:

Hi Brandon and SPDX tech team,

I just checked and it looks like “documentDescribes” is already optional in the
JSON Schema, which should relieve some of the pressure on this issue.

My interpretation of the “documentDescribes” is that it is really a “shortcut”
for the DESCRIBES relationships on the SpdxDocument.

In the Java tools, I treat it as 100% equivalent to a DESCRIBES relationship
between the SpdxDocument and the SPDX element represented by the SPDX ID’s in
the list of “documentDescribes”.  I basically translate on deserialization to
relationships and translate back on serialization.

Note: this is very similar to the “hasFile” property on the SpdxPackage which
is equivalent to the CONTAINS relationship from the package to the file.  We
may want to include the “hasFiles” in the same discussion and resolution since
they are treated similarly.

In terms of resolution for the spec, my first choice would be to document the
JSON serialization to the same level we document the tag/value.  Unfortunately,
we were not able to get anyone to volunteer and/or follow-through on
documenting JSON in the text.  We have more volunteers for the 3.0 spec, so I’m
hopeful we’ll have this resolved once 3.0 releases.

My second choice would be to include the JSON schema in the spec itself.  It
would be good to have a semi-formal review of the schema since we’ve missed
things in the past and some of the descriptions could be clearer.  This would
be feasible in the 2.X timeframe since we already have a Schema to start with.

I would be nervous about removing the fields.  It would simplify tooling, but
it would create compatibility issues for anyone already using those fields.

Thanks,
Gary

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of
Brandon Lum via lists.spdx.org
Sent: Thursday, February 16, 2023 12:07 PM
To: l...@google.com
Cc: Gary O'Neall <g...@sourceauditor.com>;
SPDX Technical Mailing List <Spdx-tech@lists.spdx.org>
Subject: Re: [spdx-tech] clarification around "documentDescribes" field

Reviving this thread

Re: [spdx-tech] FileNames in SPDX File item

2023-02-17 Thread Gary O'Neall

From: Spdx-tech@lists.spdx.org  On Behalf Of Anthony
Harrison
Sent: Friday, February 17, 2023 11:32 AM
To: Spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] FileNames in SPDX File item

Thanks for the feedback.

So if I have a package which consists of other dependent packages; can I not
have a single SBOM with all of the files for all of the packages (all files
having a CONTAINS relationship to their respective package)?

[G.O.] Yes, this can be represented in an SPDX document.  The way you would
structure that is to have a DESCRIBES relationship from the SPDX Document to the
top level package – this gives you the root of the tree.  You would then use a
dependency relationship from the top level package to the dependent packages.
If you want to represent a file contained in the top level package or any of
the dependencies, create a file and create a CONTAINS relationship from the
package to the file.  To reconstruct the file paths on serialization, you
would use the package filename from the package containing the file + the file
name.

What can be confusing is deciding when a file is a “package” vs a “file
contained in a package”.  Sometimes it is both – for example, if you have a
dependency on, say, a file a.lib and a.lib represents an independently
distributable library, you would likely create a package to represent a.lib.
If the file a.lib is also contained in the archive it is distributed in, say,
an archive file with the top level package, you could also create a CONTAINS
relationship to the file a.lib.  In general, if you’re dealing with something
that can be distributed independently, you would use a package to represent
that element.

Anthony

View/Reply Online (#4977): https://lists.spdx.org/g/Spdx-tech/message/4977




Re: [spdx-tech] FileNames in SPDX File item

2023-02-17 Thread Gary O'Neall
Just echoing the comments below.

> Where should the absolute path be specified (I think we just need the root)?

The relative file path is relative to the package the file is “contain”ed
within.  In a scenario where you have a package “contain”ing several files, you
would typically have a Package File Name
<https://spdx.github.io/spdx-spec/v2.3/package-information/#74-package-file-name-field>
indicating the root for the contained file name fields if it is in a
directory or the filename of an archive file where the root of the archive file
is the root of the contained files.  The Package Name
<https://spdx.github.io/spdx-spec/v2.3/package-information/#71-package-name-field>
field is just the name the Originator gave to the package, so it would not be
used for forming the root path information.

If there is a single file which is distributed independently (e.g. not
contained within a package), you would use a Package rather than File and put
your file path information in the Package File Name
<https://spdx.github.io/spdx-spec/v2.3/package-information/#74-package-file-name-field>
field and use File for the Primary Package Purpose
<https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field>.

> Are we assuming that ALL files in SBOM are within the same file tree?

Translating the question a bit into SPDX Speak, “Are we assuming that ALL files
in the SPDX Document are within the same file tree?”

No – the assumption is that ALL files with a CONTAINS relationship to the same
package are in the same file tree.  All files in an SBOM are in the same file
tree only if the SBOM contains only one package which contains files.

Best,

Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of David
Kemp
Sent: Friday, February 17, 2023 8:17 AM
To: spdx-tech@lists.spdx.org
Subject: Re: [spdx-tech] FileNames in SPDX File item

P.S. Since SPDX 3 is Element-based, should the File element contain a package:
Package property, to avoid requiring that a "contains" Relationship exist for
every File?

On Fri, Feb 17, 2023 at 11:08 AM David Kemp via lists.spdx.org
<gmail@lists.spdx.org> wrote:

More completely,
https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field says:

Identify the full path and filename that corresponds to the file information in
this section.
Format: A relative filename with the root of the package archive or directory.
In general, every filename is preceded with a ./, see
http://www.ietf.org/rfc/rfc3986.txt for syntax.

So the syntax is a path "relative to the package archive or directory", not
just a bare filename with a "./" prefix.  Unfortunately the package name
("Provide the actual file name of the package, or path of the directory being
treated as a package.") is optional but file name is required, which is
confusing.

Fortunately this corresponds to the SPDX 3 decision to NOT support
downloadLocation property for File; i.e. files only have meaning in the context
of packages.  Presumably the same "name" requirements copy directly from 2.3 to
3.0.

Question: Since 2.3 File name is required but Package name is optional -- is
there any situation where a relative file name is meaningful without a base?
If not, is Package name optional a bug / mistake?

@Dick: Given a path, applications can submit just the filename portion in
queries.

On Fri, Feb 17, 2023 at 7:57 AM Dick Brooks <d...@reliableenergyanalytics.com> wrote:

Anthony,

Based on our experiences, the presence of any path information creates problems
when searching NIST NVD that could result in false negatives, during a risk
assessment. We strip all path info from the filename before submitting a NIST
NVD vulnerability search request.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com

Email: d...@reliableenergyanalytics.com

Tel: +1 978-696-1788

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of
Anthony Harrison
Sent: Friday, February 17, 2023 7:03 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] FileNames in SPDX File item

Colleagues

A couple of questions on files specified in a SPDX File item.

According to the SPDX spec, the filename for a SPDX file is a relative filename
(prefixed by ./). - see
https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field.
However providing a relative pa
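
Gary's path-reconstruction rule from both FileNames messages (package file name + relative file name, per CONTAINS relationship), together with David's missing-root question and Dick's stripped-path lookup, as an added example that is not part of the thread or of any SPDX tool; the SPDX 2.3 JSON fragment is constructed for it.

```python
"""Added example, not code from the thread or from SPDX: resolve where each File
in an SPDX 2.3 JSON document sits on disk by joining the packageFileName of the
package that CONTAINS the file with the file's relative fileName.  It also lists
files with no resolvable root (fileName is required while packageFileName is
optional) and strips the path for a vulnerability-database lookup.  The sample
document is constructed for the example."""
import posixpath


def _containing_packages(doc: dict) -> dict:
    """Map file SPDXID -> package SPDXIDs that contain it, from CONTAINS
    relationships and their CONTAINED_BY inverse (the hasFiles shortcut is
    assumed to have been expanded into relationships already)."""
    packages = {p["SPDXID"] for p in doc.get("packages", [])}
    files = {f["SPDXID"] for f in doc.get("files", [])}
    owners = {}
    for r in doc.get("relationships", []):
        a, rtype, b = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if rtype == "CONTAINS" and a in packages and b in files:
            owners.setdefault(b, []).append(a)
        elif rtype == "CONTAINED_BY" and a in files and b in packages:
            owners.setdefault(a, []).append(b)
    return owners


def resolve_file_paths(doc: dict) -> dict:
    """Map file SPDXID -> list of resolved paths, one per containing package
    whose packageFileName (archive or directory root) is known.  The list is
    empty when nothing contains the file or its container has no root; a file
    may legitimately resolve into several trees (a.lib in Gary's example)."""
    roots = {p["SPDXID"]: p.get("packageFileName") for p in doc.get("packages", [])}
    owners = _containing_packages(doc)
    resolved = {}
    for f in doc.get("files", []):
        paths = []
        for pid in owners.get(f["SPDXID"], []):
            if roots.get(pid):
                # fileName is "./relative/path" under the package root
                paths.append(posixpath.normpath(posixpath.join(roots[pid], f["fileName"])))
        resolved[f["SPDXID"]] = paths
    return resolved


def unrooted_files(doc: dict) -> list:
    """Files whose relative fileName has no base to resolve against."""
    return sorted(fid for fid, paths in resolve_file_paths(doc).items() if not paths)


def lookup_name(file_name: str) -> str:
    """Bare filename for a database query, with all path information stripped."""
    return posixpath.basename(file_name)


# Constructed SPDX 2.3 JSON fragment: a top level package, a dependency, and a
# package that lacks packageFileName so its file cannot be rooted.
SAMPLE_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "app", "packageFileName": "./app-1.0.tar.gz"},
        {"SPDXID": "SPDXRef-Package-lib", "name": "a", "packageFileName": "lib/a-2.1"},
        {"SPDXID": "SPDXRef-Package-noroot", "name": "noroot"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-main", "fileName": "./src/main.c"},
        {"SPDXID": "SPDXRef-File-alib", "fileName": "./a.lib"},
        {"SPDXID": "SPDXRef-File-readme", "fileName": "./README"},
        {"SPDXID": "SPDXRef-File-loose", "fileName": "./loose.txt"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-main"},
        # a.lib ships inside app's archive and is also the file of the lib package
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-alib"},
        {"spdxElementId": "SPDXRef-File-alib", "relationshipType": "CONTAINED_BY",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
        {"spdxElementId": "SPDXRef-Package-noroot", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-readme"},
    ],
}
```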

Re: [spdx-tech] clarification around "documentDescribes" field

2023-02-16 Thread Gary O'Neall
Hi Brandon and SPDX tech team,

I just checked and it looks like “documentDescribes” is already optional in the
JSON Schema, which should relieve some of the pressure on this issue.

My interpretation of the “documentDescribes” is that it is really a “shortcut”
for the DESCRIBES relationships on the SpdxDocument.

In the Java tools, I treat it as 100% equivalent to a DESCRIBES relationship
between the SpdxDocument and the SPDX element represented by the SPDX ID’s in
the list of “documentDescribes”.  I basically translate on deserialization to
relationships and translate back on serialization.

Note: this is very similar to the “hasFile” property on the SpdxPackage which
is equivalent to the CONTAINS relationship from the package to the file.  We
may want to include the “hasFiles” in the same discussion and resolution since
they are treated similarly.

In terms of resolution for the spec, my first choice would be to document the
JSON serialization to the same level we document the tag/value.  Unfortunately,
we were not able to get anyone to volunteer and/or follow-through on
documenting JSON in the text.  We have more volunteers for the 3.0 spec, so I’m
hopeful we’ll have this resolved once 3.0 releases.

My second choice would be to include the JSON schema in the spec itself.  It
would be good to have a semi-formal review of the schema since we’ve missed
things in the past and some of the descriptions could be clearer.  This would
be feasible in the 2.X timeframe since we already have a Schema to start with.

I would be nervous about removing the fields.  It would simplify tooling, but
it would create compatibility issues for anyone already using those fields.

Thanks,
Gary

From: Spdx-tech@lists.spdx.org  On Behalf Of Brandon
Lum via lists.spdx.org
Sent: Thursday, February 16, 2023 12:07 PM
To: l...@google.com
Cc: Gary O'Neall ; SPDX Technical Mailing List
Subject: Re: [spdx-tech] clarification around "documentDescribes" field

Reviving this thread again since there is a little bit of ambiguity where these
fields are part of the schema but their behavior is not technically described
in the upstream specification. i.e. "documentDescribes" isn't in the ISO spec
definition.

Would the resolution be to push for the JSON schema to be incorporated into the
spec via its serialization specification or to remove these fields or make them
optional in the JSON schema?

Please help correct my understanding if I've missed something!

Thanks

Brandon

On Wed, Jan 4, 2023 at 11:16 PM Brandon Lum via lists.spdx.org
<google@lists.spdx.org> wrote:

Awesome! Thanks for the context and clarification Gary!

On Thu, Jan 5, 2023 at 8:09 AM Gary O'Neall <g...@sourceauditor.com> wrote:

Hi Brandon,

I believe it is safe to ignore the v2.2.0 JSON schema.

The “describesPackages” was deprecated on release 2.0 of the spec and is only
used for compatibility with pre 2.0 spec version using the RDF format.  There
is an open issue to remove this property
<https://github.com/spdx/spdx-spec/issues/534>.  It was probably in the 2.2.0
JSON schema due to it being generated from the RDF schema which still has the
deprecated property.  It looks like PR #528
<https://github.com/spdx/spdx-spec/pull/528/files> is where the property was
replaced with the more appropriate “documentDescribes”.

In the past, we’ve used the JSON examples as the primary documentation for the
JSON format.  With the fixes from PR 528, we should be able to use both the
JSON Schema and the examples. The documentation for the JSON format should be
dramatically improved in the 3.0 spec.

Cheers,
Gary

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of
Brandon Lum via lists.spdx.org
Sent: Wednesday, January 4, 2023 1:13 AM
To: SPDX Technical Mailing List <Spdx-tech@lists.spdx.org>
Subject: [spdx-tech] clarification around "documentDescribes" field

Hi!

An issue <https://github.com/spdx/tools-golang/issues/166> was opened in
tools-golang around the missing "documentDescribes" field, which is part of the
JSON schema.

For v2.2.1 and above, the field is present, however, in v2.2.0 of the spec
<https://github.com/spdx/spdx-spec/blob/v2.2/schemas/spdx-schema.json>, it
looks like the field is called "describesPackages", however, in the same tag,
the v2.2.0 example
<https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json#L58>
uses "documentDescribes".

Based on some of the wording from Gary's Java library around 2020, and looking
through the v2.2.0 docs, I'm guessing that the JSON spec was still not fully
approved then... So it should be safe to ignore th
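
The shortcut-to-relationship translation Gary describes for the Java tools (documentDescribes as DESCRIBES, hasFiles as CONTAINS, folded on read and restored on write), with the de-duplication Adolfo's "both forms present" case needs and the relationships-only output Keith proposes, as an added example that is not the Java tools' or tools-golang's code; the sample document is constructed for it.

```python
"""Added example, not code from the thread, the Java tools or tools-golang:
treat the SPDX 2.3 JSON shortcut fields as sugar for relationships.
expand_shortcuts() is the read side: it accepts documents that use
documentDescribes / hasFiles, the relationships, or both, and folds everything
into de-duplicated DESCRIBES / CONTAINS relationships; serialising that result
is the "relationships only" output.  collapse_shortcuts() is the inverse for
tools that want the shortcut form back.  The sample document is constructed."""
import copy


def _rel(src: str, rtype: str, dst: str) -> dict:
    return {"spdxElementId": src, "relationshipType": rtype, "relatedSpdxElement": dst}


def expand_shortcuts(doc: dict) -> dict:
    """Return a copy of doc with documentDescribes and hasFiles removed and the
    equivalent relationships added.  A relationship already present in the
    document is not added a second time."""
    out = copy.deepcopy(doc)
    rels = out.setdefault("relationships", [])
    seen = {(r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"])
            for r in rels}

    def add(src, rtype, dst):
        if (src, rtype, dst) not in seen:
            seen.add((src, rtype, dst))
            rels.append(_rel(src, rtype, dst))

    # documentDescribes == DESCRIBES from the SpdxDocument to each listed element
    for dst in out.pop("documentDescribes", []):
        add(out["SPDXID"], "DESCRIBES", dst)
    # hasFiles == CONTAINS from the package to each listed file
    for pkg in out.get("packages", []):
        for fid in pkg.pop("hasFiles", []):
            add(pkg["SPDXID"], "CONTAINS", fid)
    return out


def collapse_shortcuts(doc: dict) -> dict:
    """Inverse of expand_shortcuts(): move DESCRIBES relationships from the
    document and CONTAINS relationships from a package to a file back into the
    shortcut fields, leaving every other relationship in place."""
    out = expand_shortcuts(doc)          # normalise first so both forms merge
    packages = {p["SPDXID"]: p for p in out.get("packages", [])}
    files = {f["SPDXID"] for f in out.get("files", [])}
    kept = []
    for r in out["relationships"]:
        src, rtype, dst = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if rtype == "DESCRIBES" and src == out["SPDXID"]:
            out.setdefault("documentDescribes", []).append(dst)
        elif rtype == "CONTAINS" and src in packages and dst in files:
            packages[src].setdefault("hasFiles", []).append(dst)
        else:
            kept.append(r)
    out["relationships"] = kept
    return out


# Constructed SPDX 2.3 JSON fragment that uses both forms at once: the
# DESCRIBES relationship duplicates the documentDescribes entry.
SAMPLE = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-Package-app"],
    "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "app",
                  "hasFiles": ["SPDXRef-File-main", "SPDXRef-File-util"]}],
    "files": [{"SPDXID": "SPDXRef-File-main", "fileName": "./main.c"},
              {"SPDXID": "SPDXRef-File-util", "fileName": "./util.c"}],
    "relationships": [_rel("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-app")],
}

if __name__ == "__main__":
    import json
    print(json.dumps(expand_shortcuts(SAMPLE), indent=2))
```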

[spdx-tech] New release of the SPDX Java Tools

2023-01-24 Thread Gary O'Neall
FYI - Release 1.1.4 of the SPDX Java Tools
<https://github.com/spdx/tools-java/releases/tag/v1.1.4> is now available.

The new release has a rather significant improvement in performance,
especially for JSON, Tag/Value, or YAML documents with a large number of
relationships.  In one test example, there was a 3,000 fold decrease in the
processing time.

Note that the new release no longer preserves the order of collections (such
as relationships, and checksums).  This isn't considered a bug, but it may
cause some incompatibilities if your code depended on the order.

If you run into any issues, please create an issue in the SPDX Java Tools
repo <https://github.com/spdx/tools-java/issues/new>.

Thanks,

Gary

View/Reply Online (#4940): https://lists.spdx.org/g/Spdx-tech/message/4940




Re: [spdx-tech] Build profile development branch on the spdx-3-model repo

2023-01-23 Thread Gary O'Neall
Hi Nisha,

I just created a "build-profile" branch in the spdx-3-model repo.

Let me know if you need anything else.

Gary

> -----Original Message-----
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Nisha Kumar
> Sent: Monday, January 23, 2023 12:18 PM
> To: 'SPDX-list' 
> Subject: [spdx-tech] Build profile development branch on the spdx-3-model
> repo
> 
> Hello,
> 
> Turns out I don't have permission to create a build-profile branch in order to
> start development on the profile. Would anyone be able to create one for me
> and give me push permissions to that branch? My github profile is @nishakm
> 
> --
> nisha
> 
> 
> 
> 




View/Reply Online (#4938): https://lists.spdx.org/g/Spdx-tech/message/4938




Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)

2023-01-22 Thread Gary O'Neall
Hi Paul,

In response to your proposal:

> Well, at the point that someone (or some script) asserts license metadata,
> I think it may be worth capturing additional metadata, such as
>
> - the date that the assertion is made

For the SBOM case, this is the creation date in the creation information.

For original license declarations in the source code, most (but not all)
source code uses some form of source control system that captures the date
as part of the checkin.

We are also capturing other date/time information as part of the build
profile (e.g. built date for the package) that can be useful.

If there is any additional date/time information we should capture - please
let us know.

> - who (or which program) is making the assertion, preferably with some
> indication of their competence/qualifications

For the SBOM, this is the creator field - it can be a person, organization
or tool.  We don't (and in my opinion shouldn't) capture qualification,
competencies in the SBOM itself as these things can change over time and
they are likely in the area of opinions and the SPDX spec tries to stick to
facts.  That being said, most organizations maintain a list of organizations
and individuals they trust for analysis.

For the original code checkin, the source control systems typically capture
the information.

> - the basis for the assertion (e.g. manual inspection, automated checking,
> author of the code etc)

Checkout the build profile group - they are working on solving similar use
cases for the SPDX 3.0 release.  Use cases can be found here:
https://github.com/spdx/spdx-3-build-profile/blob/main/usecases.md and
minutes here: https://github.com/spdx/meetings/tree/main/build

I expect the activity in the build group to pick up now that we have the
core model nearly completed.

Gary



> -----Original Message-----
> From: Spdx-tech@lists.spdx.org  On Behalf Of Paul
> Sherwood
> Sent: Sunday, January 22, 2023 4:12 AM
> To: David Kemp 
> Cc: spdx-tech@lists.spdx.org
> Subject: Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)
> 
> Dave,
> 
> sorry for my late reply - comments inline below...
> 
> On 2023-01-15 16:49, David Kemp wrote:
> > Assigning a License ID to some amorphous "thing" called a package --
> > that can be composed of a web of components created at different times
> > by different authors, and processed by multiple builders at multiple
> > points in a build hierarchy -- is tricky.  The lower down in that
> > hierarchy the easier it is to track - if at the bottom a developer of
> > a leaf (dependency-less) component includes the text of the MIT
> > license in his component, his intent is pretty clear.  At that point
> > an SBOM creator binding a license ID to a package ID can be 1)
> > correct, 2) mistaken, or 3) malicious.  As packages are combined up
> > the dependency tree things only get more complicated, but the
> > correctness possibilities are the same.
> 
> I agree, the potential cases we have are correct, mistaken, maliciously
> wrong.
> Without an SBOM there's the additional case of undefined.
> 
> > As Polyphemus learned, you don't accomplish anything if you can't
> > assign names to things.  Not producing SBOMs guarantees that you will
> > fail.
> 
> Hmmm - I think that's a bit strong. Lots of software has been successful
> over decades without SBOMs :-)
> 
> > Arguing that naming perfection is impossible therefore we should do
> > nothing is not persuasive.
> 
> I'm not arguing for doing nothing. I've identified an issue and am trying
> to figure out
> 
> a) whether others agree that there's a problem
> b) what is already being done about it
> c) what else could be done
> 
> > As technology gets adopted ISO 9000
> > quality assurance processes and certifications may follow, and pushing
> > to develop QA standards is great.. Until then, caveat emptor.
> > Consumers will have to make judgement calls about provider reliability
> > like they do everywhere else in life.
> 
> True
> 
> >> So the underlying problem I see is that manually created metadata can
> >> be misleading and lead to false confidence (as demonstrated by the
> >> keyring example). What mechanisms can be applied to ensure that
> >> license assertions based on SPDX metadata are actually true?
> >
> > What is your proposal?  Forbid manually-created metadata? Forbid use
> > of SBOMs entirely? I don't believe that's the straightest path to QA.
> 
> Well, at the point that someone (or some script) asserts licence metadata,
> I think it may be worth capturing additional metadata, such as
> 
> - the date that the assertion is made
> - who (or which program) is making the assertion, preferab

Re: [spdx-tech] Question about License Expression Disjunctions

2023-01-20 Thread Gary O'Neall
Hi Timothy,

 

You raise a good point.

 

> 1. Should the OR be understood as "normal" disjunction, exclusive 
> disjunction, or none of the two? Has there been any discussion or thought on 
> this?



We have discussed whether this is an “Exclusive OR” or “Disjunctive OR” and 
concluded that it was “Disjunctive” in the sense that you could take one 
license, the other license or keep the original disjunctive set (i.e.: you 
didn’t have to pick one to the exclusion of the other).

> 2. The specification mentions the equivalence with commutation, but nothing 
> about transitivity or distributivity. Is there any deeper meaning to this?

I don’t recall any discussion on transitivity or distributivity.  I completely 
agree with your analysis that the “Normal” distributivity leads to erroneous 
results and should not be applied.  Perhaps we should make this more explicit 
in the spec, either stating how transitivity applies or stating that 
transitivity doesn’t apply.

 

One caveat on the above – it has been a while since I’ve been involved in 
license discussions and my memory has been known to be a bit faulty – if others 
recall more or different discussions, please chime in.


Gary 

 

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Timothy 
Gillespie
Sent: Friday, January 20, 2023 6:39 AM
To: Spdx-tech@lists.spdx.org
Subject: [spdx-tech] Question about License Expression Disjunctions

 

Hi everyone,

 


I have two questions/remarks about the compound license expressions as defined 
in SPDX 2.3 Annex D.4.

The OR is referred to as the "Disjunctive OR operator". However, as we have a 
choice and would not pick two or more of such licenses, it seems to me that it 
is not a "normal" disjunction but an exclusive one. I find this distinction 
interesting for evaluating license equivalence regarding distributivity.

If the OR is to be understood as a "normal" disjunction, then that would mean 
both distributivities apply (AND over OR and OR over AND).

If the OR is to be understood as an exclusive disjunction, then that would mean 
only one distributivity would apply. (AND over OR).



For example:

BSD-3-Clause OR (MIT AND Apache-2.0) ≡ (BSD-3-Clause OR Apache-2.0) AND 
(BSD-3-Clause OR MIT) (True only for "normal" disjunction)

BSD-3-Clause AND (MIT OR Apache-2.0) ≡ (BSD-3-Clause AND Apache-2.0) OR 
(BSD-3-Clause AND MIT) (True for "normal" and exclusive disjunction)

To me, the assumption of an exclusive disjunction seems to make more sense.



Questions:

1. Should the OR be understood as "normal" disjunction, exclusive disjunction, 
or none of the two? Has there been any discussion or thought on this?
2. The specification mentions the equivalence with commutation, but nothing 
about transitivity or distributivity. Is there any deeper meaning to this?




Best Regards,
Timothy





View/Reply Online (#4931): https://lists.spdx.org/g/Spdx-tech/message/4931
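The two distributivity identities in Timothy's message can be checked mechanically rather than by hand. The following is an added example, not code from the SPDX project or from anyone in this thread. It parses a license expression built from AND, OR and parentheses (WITH and the "+" suffix are out of scope; AND is taken to bind tighter than OR, as SPDX 2.3 Annex D.4.5 specifies), treats each license id as the proposition "the consumer complies with this license", and compares two expressions over every subset of the licenses involved under both readings of OR: inclusive (one, the other, or both, as in Gary's reply) and exclusive (exactly one). All function and variable names are the example's own.

```python
"""Equivalence of SPDX license expressions under inclusive vs exclusive OR.

Added example, not SPDX project code. Handles AND, OR and parentheses; WITH
and the "+" suffix are out of scope. AND binds tighter than OR (SPDX 2.3
Annex D.4.5). Function names are this example's own.
"""
import itertools
import re

# Parentheses, the two operators, and license ids; a trailing "+" is
# accepted so that "GPL-2.0+" tokenizes as one id.
TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[A-Za-z0-9.\-]+\+?")


def tokenize(expr):
    tokens = TOKEN.findall(expr)
    # anything the tokenizer skipped (e.g. "&") is an unsupported character
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unsupported characters in expression: {expr!r}")
    return tokens


def parse(expr):
    """Parse into nested tuples ('AND', a, b) / ('OR', a, b) or a license id."""
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def atom():
        tok = take()
        if tok == "(":
            node = disjunction()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return tok

    def conjunction():  # AND level: binds tighter than OR
        node = atom()
        while peek() == "AND":
            take()
            node = ("AND", node, atom())
        return node

    def disjunction():  # OR level: lowest precedence
        node = conjunction()
        while peek() == "OR":
            take()
            node = ("OR", node, conjunction())
        return node

    node = disjunction()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return node


def evaluate(node, complied, exclusive_or=False):
    """Is the expression satisfied when the consumer complies with `complied`?"""
    if isinstance(node, str):
        return node in complied
    op, left, right = node
    lhs = evaluate(left, complied, exclusive_or)
    rhs = evaluate(right, complied, exclusive_or)
    if op == "AND":
        return lhs and rhs
    # inclusive: one, the other, or both; exclusive: exactly one side
    return (lhs != rhs) if exclusive_or else (lhs or rhs)


def license_ids(node):
    if isinstance(node, str):
        return {node}
    return license_ids(node[1]) | license_ids(node[2])


def satisfies(expr, complied, exclusive_or=False):
    return evaluate(parse(expr), set(complied), exclusive_or)


def counterexample(expr_a, expr_b, exclusive_or=False):
    """First set of complied-with licenses on which the two expressions
    disagree, or None if they agree on every subset (truth-table check)."""
    a, b = parse(expr_a), parse(expr_b)
    ids = sorted(license_ids(a) | license_ids(b))
    for bits in itertools.product((False, True), repeat=len(ids)):
        complied = {lic for lic, on in zip(ids, bits) if on}
        if evaluate(a, complied, exclusive_or) != evaluate(b, complied, exclusive_or):
            return complied
    return None


def equivalent(expr_a, expr_b, exclusive_or=False):
    return counterexample(expr_a, expr_b, exclusive_or) is None


if __name__ == "__main__":
    cases = {
        "OR over AND": ("BSD-3-Clause OR (MIT AND Apache-2.0)",
                        "(BSD-3-Clause OR Apache-2.0) AND (BSD-3-Clause OR MIT)"),
        "AND over OR": ("BSD-3-Clause AND (MIT OR Apache-2.0)",
                        "(BSD-3-Clause AND Apache-2.0) OR (BSD-3-Clause AND MIT)"),
    }
    for name, (lhs, rhs) in cases.items():
        for xor in (False, True):
            print(name, "exclusive" if xor else "inclusive",
                  equivalent(lhs, rhs, xor), counterexample(lhs, rhs, xor))
```

Under the inclusive reading both distributive laws hold. Under the exclusive reading AND still distributes over OR, but OR no longer distributes over AND: complying with BSD-3-Clause and MIT together satisfies `BSD-3-Clause OR (MIT AND Apache-2.0)` yet fails `(BSD-3-Clause OR Apache-2.0) AND (BSD-3-Clause OR MIT)`, because `BSD-3-Clause OR MIT` read exclusively rejects holding both. The same evaluator shows that complying with both MIT and Apache-2.0 satisfies `MIT OR Apache-2.0` only under the inclusive reading, which is the "keep the original disjunctive set" case Gary describes.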




Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)

2023-01-15 Thread Gary O'Neall
Just a few more points to add into this discussion:

- In SPDX, there are 2 properties related to licenses - declared and
concluded.  We created 2 properties rather than one to help with some of the
issues listed below.  Declared relates to the metadata found in the package
and concluded is a conclusion reached by the SPDX document creator.  So, if
you trust the judgement of the SPDX document creator, you may be able to
trust the concluded license field.  In my day job, I audit software for
license compliance and produce SPDX documents with concluded licenses - some
of which take quite some time to manually confirm, especially if the open
source software package is very old and pre-dates good license compliance
practices.
- In SPDX 2.1 an SPDX Lite[1] Annex was added.  One of the reasons for
adding this Annex was to make it easier for the originator of a package to
add metadata in a machine readable form which would enable downstream
packages to have accurate information from the package originators.
- Over the past 3-4 years, there has been very good adoption of SPDX license
identifiers, SPDX license expressions and clearer license related properties
in package managers.  For example, NPM now includes much more machine
readable license information.

I'm not arguing we are anywhere near our goal of having consistently
reliable machine and human readable license information, but we're making
some good progress.

If you have any specific improvements we can make to the specification
itself, please feel free to open an issue in the SPDX spec repo [2].

Gary


[1] https://spdx.github.io/spdx-spec/v2.3/SPDX-Lite/
[2] https://github.com/spdx/spdx-spec/issues


> -----Original Message-----
> From: Spdx-tech@lists.spdx.org  On Behalf Of
> Alberto Pianon
> Sent: Sunday, January 15, 2023 10:20 AM
> To: Paul Sherwood 
> Cc: Karsten Klein ; Spdx Tech  t...@lists.spdx.org>
> Subject: Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)
> 
> Il 2023-01-15 09:56 Paul Sherwood ha scritto:
> > Hi Karsten,
> >
> > thank you. Please see my comments inline
> >
> > On 2023-01-14 14:10, Karsten Klein wrote:
> >> I would also argue that SPDX does not help you in this context.
> >
> > Well, in principle, I believe that getting people to think about
> > licencing in general is better than not, so SPDX contributes at least
> > in that way. And if we can establish confidence that the metadata is
> > correct, and in line with our expected usage of software, we can
> > obtain some mitigation against licence compliance risk.
> >
> > My concern is specifically the false confidence situation, i.e. where
> > the presence of SPDX metadata may cause people to assume incorrectly
> > that licencing has been properly dealt with
> >
> 
> "properly dealt with" may require a definition too :). There are different
> approaches in dealing with licenses in complex third-party software
> components, that depend both on the tools that are used and on the review
> policy of the IP audit team - policy which in turn may depend on case-specific
> and context-dependent risk assessments. Such information can hardly, if not
> at all, be expressed in a machine-readable way.
> 
> A project that may address your concerns is openchainproject.org, aimed at
> building trust in the open source supply chain, with a particular focus on
> license compliance. It is a Linux Foundation project, too, and its
> specifications recently became an ISO standard.
> 
> Regards,
> 
> Alberto
> array.eu
> 
> 
> 




View/Reply Online (#4927): https://lists.spdx.org/g/Spdx-tech/message/4927




Re: [spdx-tech] Identities

2023-01-11 Thread Gary O'Neall
I had a similar thought.  I was wondering if the definitions provided would
support a blockchain-like approach which does not have a centralized
"authority".

 

Gary

 

From: Spdx-tech@lists.spdx.org  On Behalf Of
William Bartholomew (CELA) via lists.spdx.org
Sent: Wednesday, January 11, 2023 4:14 PM
To: SPDX-list ; dk1...@gmail.com
Subject: Re: [spdx-tech] Identities

 

These all seem reasonable to me. My only comment is that there may not be a
"formal" authority. For example, an identification scheme could use an
algorithm to derive a globally unique identifier or use a convention to
guarantee sufficient uniqueness. An authority may or may not associate an
identifier with an identity.

 

Regards,

 

William Bartholomew (he/him) - Let's chat <https://aka.ms/book-willbar>

Principal Security Strategist

Global Cybersecurity Policy - Microsoft

 

My working day may not be your working day. Please don't feel obliged to
reply to this e-mail outside of your normal working hours.

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> on behalf of
David Kemp via lists.spdx.org <dk190a=gmail@lists.spdx.org>
Sent: Wednesday, January 11, 2023 2:59 PM
To: SPDX-list <Spdx-tech@lists.spdx.org>
Subject: [EXTERNAL] [spdx-tech] Identities

 

At the tech meeting we decided to accept the current identity model and move
forward without blocking the 3.0 release.  The discussion covered many ideas
on which no decisions were documented, and I wonder if we can reach
agreement on these points while the discussion is still fresh, without
allowing any No Decisions to become blockers.

1) An Identifier is different from an Identity.

Discussion: Identifiers have the property of being associated with zero,
one, or multiple identities over time.  Note: at any specific time an
identifier should be associated with at most one identity.

2) Every Identity MUST have an authority. 

 

Discussion: The authority associates identifiers with identities. If there
is no authority, there can be no identity to which an identifier refers.
* The Social Security Administration is the authority that maintains records
of peoples' identities. Every 9 digit number is an identifier, but only some
of those identifiers are associated with an identity: 000-00- and
123-45-6789 are "SSN identifiers" but they (probably) have never been
assigned to an identity by the authority.

* "hotmail.com" is the authority that maintains hotmail identities.  The
identifier "a...@hotmail.com" is (probably) not an identity because of minimum
length restrictions on the local portion.  The authority assigns identifiers
to identities, ensuring uniqueness.  The identifier "john.sm...@hotmail.com"
has probably been assigned to several identities over time. The authority
determines if it is currently assigned to any identity.

* Without assistance from the authority it is impossible for SPDX to
distinguish the identities to which an identifier is assigned.  If
"john_sm...@hotmail.com" is an active identity in 2021 and 2022, it is
impossible to know if they are the same identity or two different identities
unless some other information (such as SSN or a hypothetical hotmail UID) is
included in those identities. SpdxId is not part of the identity - many
Identity Elements can be created for the same identity.

 

3) Authorities determine what subject types they support

 

Discussion: SSA will not assign identities to anyone other than natural
people - it is fraud to attempt to create fake accounts.  Hotmail doesn't do
any identity proofing - anyone or anything can get a hotmail account on
request, so the distinction between person and organization doesn't exist
for that authority. Squatters have claimed many obvious hotmail organization
identifiers, but at the moment "hondavehicl...@hotmail.com" is available.

 

4) Some authorities create identities and assign identifiers to processes

 

Discussion: A process identity type is not a PID running on an operating
system, it is a subject type accepted by an identity management authority.
Hotmail has already created "dependa...@hotmail.com" and "veri...@hotmail.com"
identities, and "sboma...@hotmail.com

[spdx-tech] New version of the SPDX Online Tools

2023-01-10 Thread Gary O'Neall
I just finished publishing a new version of the SPDX online tools.

 

It solves a couple of issues with the license submission utility and
upgrades the NTIA Conformance Checker with an improved version.

 

You can see a list of the changes in the release notes
<https://github.com/spdx/spdx-online-tools/releases/tag/v1.1.0>.

 

If you find any issues, please add them to the repository issues list
<https://github.com/spdx/spdx-online-tools/issues>.

 

BTW - There's plenty of issues remaining if any of you would like to pitch
in and help improve the online tools.  You can review issues from the issues
list <https://github.com/spdx/spdx-online-tools/issues> and contribute pull
requests for any task you're willing to pick up.  I'm particularly interested
in fixing the broken unit tests - it would really help all other
contributors and the maintainers.  Do feel free to email me if you need more
information.

 

Thanks,
Gary

 

-----

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: g...@sourceauditor.com


 



View/Reply Online (#4912): https://lists.spdx.org/g/Spdx-tech/message/4912




Re: [spdx-tech] clarification around "documentDescribes" field

2023-01-04 Thread Gary O'Neall
Hi Brandon,

 

I believe it is safe to ignore the v2.2.0 JSON schema.

 

The “describesPackages” was deprecated on release 2.0 of the spec and is only 
used for compatibility with pre 2.0 spec versions using the RDF format.  There 
is an open issue to remove this property 
<https://github.com/spdx/spdx-spec/issues/534>.  It was probably in the 2.2.0 
JSON schema due to it being generated from the RDF schema, which still has the 
deprecated property.  It looks like PR #528 
<https://github.com/spdx/spdx-spec/pull/528/files> is where the property was 
replaced with the more appropriate “documentDescribes”.

 

In the past, we’ve used the JSON examples as the primary documentation for the 
JSON format.  With the fixes from PR 528, we should be able to use both the 
JSON Schema and the examples. The documentation for the JSON format should be 
dramatically improved in the 3.0 spec.

 

Cheers,
Gary

 

 

From: Spdx-tech@lists.spdx.org  On Behalf Of Brandon 
Lum via lists.spdx.org
Sent: Wednesday, January 4, 2023 1:13 AM
To: SPDX Technical Mailing List 
Subject: [spdx-tech] clarification around "documentDescribes" field

 

Hi!

 

An issue <https://github.com/spdx/tools-golang/issues/166> was opened in 
tools-golang around the missing "documentDescribes" field, which is part of the 
JSON schema.

 

For v2.2.1 and above, the field is present; however, in v2.2.0 of the spec 
<https://github.com/spdx/spdx-spec/blob/v2.2/schemas/spdx-schema.json>, it 
looks like the field is called "describesPackages"; however, in the same tag, 
the v2.2.0 example 
<https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json#L58>
uses "documentDescribes". 

 

Based on some of the wording from Gary's Java library around 2020, and looking 
through the v2.2.0 docs, i'm guessing that the JSON spec was still not fully 
approved then... So it should be safe to ignore the v2.2.0 JSON schema spec?

 

Cheers

Brandon





View/Reply Online (#4907): https://lists.spdx.org/g/Spdx-tech/message/4907
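A consumer that reads only one of the two field names will miss what some 2.2-era documents claim to describe, and a document can also state the same thing purely through relationships. The following is an added example, not code from tools-golang, the SPDX Java tools or the spec: a tolerant reader in Python that collects the described elements from "documentDescribes", from the deprecated "describesPackages", and from DESCRIBES / DESCRIBED_BY relationships on the document element, then checks that every referenced SPDX ID actually resolves to a package, file or snippet in the document. The two sample documents are constructed for this example; the field names it relies on (SPDXID, relationships, spdxElementId, relationshipType, relatedSpdxElement) are the SPDX 2.x JSON names, and the function names are the example's own.

```python
"""Tolerant extraction of what an SPDX 2.x JSON document describes.

Added example, not code from tools-golang, the SPDX Java tools or the spec.
Accepts the current "documentDescribes" field, the deprecated
"describesPackages" field from the v2.2.0 JSON schema, and DESCRIBES /
DESCRIBED_BY relationships on the document element, then cross-checks the
referenced SPDX IDs against the elements present. Samples are constructed.
"""
import json

DOCUMENT_ID = "SPDXRef-DOCUMENT"


def described_ids(doc):
    """Sorted list of SPDX IDs the document claims to describe, in any form."""
    ids = set()
    # current field name, plus the deprecated name carried by the v2.2.0 schema
    for field in ("documentDescribes", "describesPackages"):
        ids.update(doc.get(field) or [])
    # relationship form, in both directions
    doc_id = doc.get("SPDXID", DOCUMENT_ID)
    for rel in doc.get("relationships") or []:
        kind = rel.get("relationshipType")
        src, dst = rel.get("spdxElementId"), rel.get("relatedSpdxElement")
        if kind == "DESCRIBES" and src == doc_id:
            ids.add(dst)
        elif kind == "DESCRIBED_BY" and dst == doc_id:
            ids.add(src)
    ids.discard(None)
    return sorted(ids)


def element_ids(doc):
    """SPDX IDs of every package, file and snippet defined in this document."""
    return {
        element["SPDXID"]
        for section in ("packages", "files", "snippets")
        for element in doc.get(section) or []
        if "SPDXID" in element
    }


def check_described(doc):
    """Partition described IDs into local-and-present, external, and dangling.

    IDs with a "DocumentRef-" prefix refer to another document (declared in
    externalDocumentRefs) and cannot be resolved here; every other ID must
    name an element of this document, otherwise the top-level claim of the
    SBOM points at nothing.
    """
    present = element_ids(doc)
    result = {"described": [], "external": [], "dangling": []}
    for spdx_id in described_ids(doc):
        if spdx_id.startswith("DocumentRef-"):
            result["external"].append(spdx_id)
        elif spdx_id in present:
            result["described"].append(spdx_id)
        else:
            result["dangling"].append(spdx_id)
    return result


def check_described_text(text):
    return check_described(json.loads(text))


# Constructed sample in the v2.2.0-schema style: deprecated field name plus
# the equivalent DESCRIBES relationship.
SAMPLE_OLD_SCHEMA = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "old-style",
    "describesPackages": ["SPDXRef-Package-app"],
    "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "app"},
                 {"SPDXID": "SPDXRef-Package-lib", "name": "lib"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-lib"},
    ],
})

# Constructed sample in the current style, with one dangling reference and
# one reference into an external document.
SAMPLE_NEW_SCHEMA = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "new-style",
    "documentDescribes": ["SPDXRef-Package-app", "SPDXRef-Package-gone",
                          "DocumentRef-vendor:SPDXRef-Package-x"],
    "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "app"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DESCRIBED_BY",
         "relatedSpdxElement": "SPDXRef-DOCUMENT"},
    ],
})

if __name__ == "__main__":
    for sample in (SAMPLE_OLD_SCHEMA, SAMPLE_NEW_SCHEMA):
        print(check_described_text(sample))
```

A described ID that resolves to nothing is worth reporting rather than silently dropping: it is the document's top-level statement about its own subject, and a consumer that quietly ignores it will report an SBOM as describing fewer, or different, components than its producer intended.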



