Re: [spdx-tech] [spdx] Does SPDX support attachment of signature ?

2024-08-01 Thread Gary O'Neall

Re: [spdx-tech] [spdx] Does SPDX support attachment of signature ?

2024-07-30 Thread Gary O'Neall
Hi Vivek, Thanks for posting the question. We have discussed this topic in the SPDX technical team meetings. I think you will find many of us believe signing SPDX document is key to preserving the integrity of the software supply chain. We came to the conclusion that signing

[spdx-tech] Reminder: Software as a Service Meeting Monday 10AM Pacific

2024-06-01 Thread Gary O'Neall
Just a reminder we will be having the next meeting for the Software as a Service profile team at 10AM Pacific time on Monday. Here's a link to the zoom invite for the call:

Re: [spdx-tech] easy and simple way to express licenses in subdirectories

2024-05-02 Thread Gary O'Neall
at it when I get back. Best, Gary From: Spdx-tech@lists.spdx.org On Behalf Of Oliver Fendt via lists.spdx.org Sent: Thursday, May 2, 2024 11:45 AM To: Gary O'Neall ; spdx-tech@lists.spdx.org Subject: Re: [spdx-tech] easy and simple way to express licenses in subdirectories Hi Gary

Re: [spdx-tech] easy and simple way to express licenses in subdirectories

2024-05-02 Thread Gary O'Neall
Hi Oliver, In SPDX, you can use the SPDX Package to represent a subdirectory of files within a larger package. In your scenario, one approach would be to create an SPDX package - if it doesn't have a logical name, you could call it something like "C licensed files" with a declared license

Re: [spdx-tech] Update on website redirects

2024-04-10 Thread Gary O'Neall
The URL’s have been updated – let me know if you see any issues. Gary From: Spdx-tech@lists.spdx.org On Behalf Of Joshua Watt Sent: Tuesday, April 9, 2024 10:06 AM To: Gary O'Neall Cc: SPDX Technical Mailing List ; Jeff Licquia ; Steve Winslow ; Kate Stewart Subject: Re: [spdx-tech

Re: [spdx-tech] Using sh:in for enums

2024-04-03 Thread Gary O'Neall
2024 9:24 AM > To: SPDX Technical Mailing List > Cc: Zavras, Alexios ; Sean Barnum > ; Gary O'Neall > Subject: [spdx-tech] Using sh:in for enums > > After some poking around in the SHACL model, I realized we may want to use > the sh:in constraint for properties that reference a

[spdx-tech] Update on website redirects

2024-04-03 Thread Gary O'Neall
Greetings all, All of the redirects for the schemas/context files for the SPDX 3.0 release are now in place. Below is the list of URLs and the target of the redirects. Let me know if you have any issues accessing the files. Gary URL Redirect Target

Re: [spdx-tech] Pre meeting topic: SPDX Serialization URLs

2024-04-02 Thread Gary O'Neall
: Gary O'Neall ; Joshua Watt ; SPDX Technical Mailing List Subject: Re: [spdx-tech] Pre meeting topic: SPDX Serialization URLs I’d agree with Kate — putting these on the spdx.org <http://spdx.org> domain probably makes sense. In addition to the License List, the RDF model files for 2.3 ar

Re: [spdx-tech] Pre meeting topic: SPDX Serialization URLs

2024-04-01 Thread Gary O'Neall
Note: the spdx.dev website uses WordPress. I'm not proficient in WordPress myself and I'm not sure how to implement a redirect (I suspect there is a plugin for this), but I do have access to make the changes if we want to have the official URL have the spdx.dev domain. Gary > -Original

Re: [spdx-tech] Questions about package checksum?

2024-04-01 Thread Gary O'Neall
Greetings, From: Spdx-tech@lists.spdx.org On Behalf Of Yasutake Kurita Sent: Thursday, March 28, 2024 7:52 PM To: Spdx-tech@lists.spdx.org Subject: [spdx-tech] Questions about package checksum? Questions about the following items.

[spdx-tech] Serialization meeting agenda and context

2024-03-20 Thread Gary O'Neall
Greetings all, Our next serialization meeting is tomorrow (Thursday) at 8AM Pacific Time (3PM GMT). We will be continuing the discussion from the tech call on how we specify the handling of IDs for the serialized format (pull request 622). To avoid re-opening old issues unless

[spdx-tech] SPDX meeting schedules

2024-03-20 Thread Gary O'Neall
With the completion of RC2, a number of the subgroup meetings have changed - either changed frequency or have stopped meeting altogether due to their work being completed. I would like to ask all of the profile / sub-group leads to update the SPDX Meetings GitHub repo README.md

Re: [spdx-tech] Reminder - timezone change for SPDX tech call

2024-03-12 Thread Gary O'Neall
am PDT - noon EDT. Bob Robert (Bob) Martin Sr. Software and Supply Chain Assurance Principal Eng. Cross Cutting Solutions and Innovation Dept Cyber Solutions Innovation Center MITRE Labs MITRE Corporation 781-271-3001o 781-424-4095c On 3/11/24 7:59 PM, Gary O'Neall wrote: Just a reminder, the U. S.

Re: [spdx-tech] Reminder - timezone change for SPDX tech call

2024-03-12 Thread Gary O'Neall
Correction: the call is at 9AM PDT - sorry for the extra confusion. Gary From: Spdx-tech@lists.spdx.org On Behalf Of Gary O'Neall Sent: Monday, March 11, 2024 4:59 PM To: spdx-tech@lists.spdx.org Subject: [spdx-tech] Reminder - timezone change for SPDX tech call Just a reminder

[spdx-tech] Reminder - timezone change for SPDX tech call

2024-03-11 Thread Gary O'Neall
Just a reminder, the U.S. is now on daylight savings time, so the call may be an hour earlier depending on your location. The call is scheduled for 10AM PDT. Best regards, Gary -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5563):

[spdx-tech] SPDX 3.0 Release Candidate 2 is released and ready for review

2024-03-06 Thread Gary O'Neall
Greeting SPDX community, We are pleased to announce that the release candidate 2 for SPDX 3.0 is now published and available online in HTML format: https://spdx.github.io/spdx-spec/v3.0/ You can also find the associated SHACL and JSON LD artifacts at

Re: [spdx-tech] Tuesday's tech call

2024-03-05 Thread Gary O'Neall
Hi Dick - the Tag/Value discussion is definitely on the radar. We will pick this up in the serialization meetings once Kate is back online. Thanks, Gary From: Spdx-tech@lists.spdx.org On Behalf Of Dick Brooks Sent: Tuesday, March 5, 2024 3:40 AM To: 'Gary O'Neall' ; spdx-tech

[spdx-tech] Tuesday's tech call

2024-03-04 Thread Gary O'Neall
For tomorrow's tech call, I have some topics I would like to discuss: * Issue 651 : Conflicting property names prevents compaction * Issue 572 : Confirm we have consensus on the data

Re: [spdx-tech] JSON schema for spdx-3-model

2024-03-02 Thread Gary O'Neall
Thanks Kobota-san! I like the visualizations and the schemas. It will really help in the definition of the Lite profile. Originally, I was thinking of coupling the "Lite Profile" to the tag/value discussions, but I'm wondering if it may be more aligned with a "simple JSON" discussion.

Re: [spdx-tech] Build Profile meeting invite pause

2024-02-26 Thread Gary O'Neall
I just paused the meetings - we should not get any additional reminders after this. Gary > -Original Message- > From: Spdx-tech@lists.spdx.org On Behalf Of > Joshua Watt > Sent: Monday, February 26, 2024 9:23 AM > To: l...@google.com > Cc: SPDX Technical Mailing List > Subject: Re:

Re: [spdx-tech] SPDX 3.0

2024-02-21 Thread Gary O'Neall
Hi Benedicte, Responses inline below. From: Spdx-tech@lists.spdx.org On Behalf Of Benedicte Presse Sent: Wednesday, February 21, 2024 6:33 AM To: spdx-tech@lists.spdx.org Subject: [spdx-tech] SPDX 3.0 Hi all, I read some information about SPDX, and especially that the 3.0

[spdx-tech] RDF related issues

2024-02-20 Thread Gary O'Neall
As a follow-up to our tech call this morning, I would like to start a separate thread on resolving the RDF specific issues. These issues can be found using the following link: https://github.com/spdx/spdx-3-model/issues?q=is%3Aopen+is%3Aissue+label%3ARDF%2FOWL%2FSHACL If you know of any

Re: [spdx-tech] FYI - SPDX Online Tools Upgrade in progress

2024-01-21 Thread Gary O'Neall
Gary From: Spdx-tech@lists.spdx.org On Behalf Of Gary O'Neall Sent: Sunday, January 21, 2024 8:46 AM To: spdx-tech@lists.spdx.org; 'SPDX-legal' Subject: [spdx-tech] FYI - SPDX Online Tools Upgrade in progress FYI - I'll be upgrading the SPDX online tools over the next hour or two - it ma

[spdx-tech] FYI - SPDX Online Tools Upgrade in progress

2024-01-21 Thread Gary O'Neall
FYI - I'll be upgrading the SPDX online tools over the next hour or two - it may be temporarily unavailable. I'll send a follow-up email once the upgrade is complete. Gary

[spdx-tech] CISA document on identifiers

2024-01-18 Thread Gary O'Neall
One of the proposed solutions for package verification is to use OMNIBor identifiers for verification purposes (see PR #602 for documentation on this approach). Since it relates to identifiers, I thought it might be useful to review the recently

[spdx-tech] Postponing serialization meetings until post RC2

2024-01-15 Thread Gary O'Neall
Greetings SPDX tech team, With the focus on getting RC2 out and the fact we have worked through the backlog of serialization issues for RC2, we will be pausing the serialization meetings until after the RC2 release. We will start them back up shortly after RC2 and start working on

[spdx-tech] Software as a Service Subgroup meeting schedule

2023-12-31 Thread Gary O'Neall
We will not be having a Software as a Service meeting tomorrow (January 1) since it is new years day. We'll pick back up on January 15th and start working through the profile definition based on our highest priority use cases. Gary

Re: [spdx-tech] Commercial tools

2023-11-26 Thread Gary O'Neall
Hi Benedicte, The SPDX outreach team maintains the website and the list of commercial tools. Moving this email to the outreach team list. I don’t believe there has been a request to add FNCI to the list. To request the addition of the tool, an issue can be added to the outreach

[spdx-tech] FYI - cleaning up some of the serialization PR's and Issues

2023-11-03 Thread Gary O'Neall
Greeting tech team, I went through and attempted to clean up some of the serialization issues and pull requests to be consistent with the current solutions and decisions. If you feel any of the closed PR's are in error, consider opening a new issue that describes the part of the issue not

Re: [spdx-tech] Conversion spdx files from 2.2 to 2.3

2023-11-03 Thread Gary O'Neall
Greetings Benedicte, The SPDX Java Libraries used by tools-java and the SPDX online tools do support upgrading from 2.2 to 2.3. I just realized, however, there is no UI or command line option to enable this ☹ I’ve added an issue to tools-java to implement this:

[spdx-tech] Serialization Next Steps

2023-11-02 Thread Gary O'Neall
Greeting tech team, On Tuesday's tech call, we agreed to an approach on serializations and have a few follow-up steps we would like to complete before next Tuesday's tech call: * Review 3 pull requests that implement the above decisions: * PR to document how we serialize data

Re: [spdx-tech] RDF range problem in SHACL model

2023-10-26 Thread Gary O'Neall
Hi Joshua, From the RDF spec definition of rdfs:SubclassOf, it looks like subclasses should be allowed in the range since all instances of the subclass should also be instances of the class. We could try a different validator to

Re: [spdx-tech] How and where (in spdx files) write the choosen licence ?

2023-10-26 Thread Gary O'Neall
Hi Bénédicte, For the redistributed package, you can put your chosen license in the concluded license field. The declared license should remain as described by the originator of the package. I would also recommend that you add a license comment stating that the license was chosen for the

Re: [spdx-tech] [spdx] Date model for SPDX

2023-10-18 Thread Gary O'Neall
Hi Bénédicte, We have an object model and a few schema’s which I’ll detail below. I’m cc’ing the tech mailing list – if you have any follow-on questions, I would recommend posting those to the tech team since this list is more general in nature. For SPDX 2.3: * Object model

[spdx-tech] This week's serialization meetings moved 1 hour

2023-10-03 Thread Gary O'Neall
This week's serialization meeting on 5 October will be moved out 1 hour to not conflict with the general meeting (9AM Pacific time). Best, Gary

[spdx-tech] SPDX Tech Call Agenda - and request for review

2023-10-02 Thread Gary O'Neall
For Tuesday's tech call, the serialization team would like to get input and decide on if we include the list of elements in addition to the native serialization of elements. The decision is described in issue #505 . Prior to the call,

[spdx-tech] Meeting on Namespace Approach

2023-09-05 Thread Gary O'Neall
ton DC) . +1 305 224 1968 US . +1 309 205 3325 US Meeting ID: 895 7629 5212 Passcode: 595108 Find your local number: <https://www.google.com/url?q=https://us02web.zoom.us/u/kqN5dFmus=D e=calendar=2=AOvVaw2MRJh7MBwF9mK4B_z-Ryz1> https://us02web.zoom.us/u/kqN5dFmus From: Gary O'Neall S

Re: [spdx-tech] Homework for this week's tech call

2023-09-05 Thread Gary O'Neall
From: Gary O'Neall Sent: Monday, September 4, 2023 5:31 PM To: 'SPDX Technical Mailing List' Subject: Homework for this week's tech call Greetings all, I would like to ask before the tech call this week you review the following before participating in the discussion on namespace maps

[spdx-tech] Homework for this week's tech call

2023-09-04 Thread Gary O'Neall
Greetings all, I would like to ask before the tech call this week you review the following before participating in the discussion on namespace maps: * Last tech call minutes - around line 58 in https://spdx.swinslow.net/p/spdx-tech-minutes * Last week's serialization team minutes

Re: [spdx-tech] NOASSERTION on PackageVersion field

2023-08-18 Thread Gary O'Neall
, 2023 10:38 AM To: Gary O'Neall Cc: d...@reliableenergyanalytics.com; SPDX Technical Mailing List ; Emrick Donadei ; Tyler Pirtle Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field I think one follow-up question is around whether it is recognized in the specification.. For example

Re: [spdx-tech] NOASSERTION on PackageVersion field

2023-08-18 Thread Gary O'Neall
My opinion is that it would be useful to be able to express a “known unknown” on the version if the version can’t be determined. I also agree we should strive to always have a version available. This is especially important in tracking vulnerability information. I just know that there are

Re: [spdx-tech] Thoughts on the issues of NamespaceMap and SpdxDocument

2023-08-17 Thread Gary O'Neall
I thought I would update this email thread with some context – the results of 2 meetings on the topic (SPDX Tech Call on 15 Aug and Serialization call on 17 Aug) and the planned next steps. I would encourage anyone interested in the issue to read through the context before next Tuesday’s tech

[spdx-tech] Tomorrow's serialization meeting

2023-08-02 Thread Gary O'Neall
In looking at my calendar, I just realized our regularly scheduled serialization meeting this week conflicts with the monthly SPDX general meeting. I would suggest we skip tomorrow's meeting - there's also a few folks on vacation this week as well. I'm also open to rescheduling to Friday

Re: [spdx-tech] Drafted profile-level.md (Lite.md)

2023-08-01 Thread Gary O'Neall
Greetings, Below are just some very brief follow-up items from today's tech call. Gary > -Original Message- > From: Spdx-tech@lists.spdx.org On Behalf Of > Norio Kobota > Sent: Tuesday, August 1, 2023 7:04 AM > To: spdx-tech@lists.spdx.org > Cc: japan-sg-s...@lists.openchainproject.org

[spdx-tech] Reminder - Software as a Service Profile Meeting Monday 10AM Pacific Time

2023-07-30 Thread Gary O'Neall
Just a reminder we will be having our every other week Software as a Service profile meeting this Monday at 10AM Pacific time. We will continue our discussion on use cases. Below are the coordinates: Join Zoom Meeting

Re: [spdx-tech] Where would I open a bug for the web validation tool?

2023-07-26 Thread Gary O'Neall
Hi Rose, You can open an issue here: https://github.com/spdx/spdx-online-tools/issues Very curious, BTW, that it only shows up on the online tools since it shares code with the Java tools. I wonder if it was recently introduced. Gary From: Spdx-tech@lists.spdx.org On Behalf Of

[spdx-tech] Requestion for help on model documentation

2023-07-24 Thread Gary O'Neall
Thanks to Rose, Adolfo and Jeff - we made some progress on documenting the TODO's. There's still quite a bit to go - so please visit issue 367 and take one or more of the outstanding documentation items and help us fill in the remaining

Re: [spdx-tech] Invitation: Review JSON-LD Example - creationinfo @ Fri Jul 21, 2023 8:30am - 9:30am (PDT) (spdx-tech@lists.spdx.org)

2023-07-19 Thread Gary O'Neall
@ Fri Jul 21, 2023 8:30am - 9:30am (PDT) (spdx-tech@lists.spdx.org) Hi folks, Does this meeting replace the serialization meeting tomorrow (Jul 20 2023)? nisha On 7/18/23 10:33, Gary O'Neall wrote: Review JSON-LD Example - creationinfo This is a follow-up discussion to our tech call on 18

[spdx-tech] Invitation: Review JSON-LD Example - creationinfo @ Fri Jul 21, 2023 8:30am - 9:30am (PDT) (spdx-tech@lists.spdx.org)

2023-07-18 Thread Gary O'Neall

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-11 Thread Gary O'Neall
Kobota-san, Thank you for the additional information. I'm adding David to the distribution list as he expressed interest in this topic. Best regards, Gary > -Original Message- > From: Spdx-tech@lists.spdx.org On Behalf Of Hiro > Fukuchi > Sent: Tuesday, July 11, 2023 4:22 PM > To:

Re: [spdx-tech] Question on difference in License Text HTML vs. JSON of Python Software Foundation License 2.0 (PSF-2.0)

2023-07-10 Thread Gary O'Neall
Hi David, This may be better for the legal team as they maintain the source repository for the license list. However, I can answer your question since I maintain the tools that produce the JSON data (and I'm on both lists). Sorry I didn't reply sooner - I was traveling when our original

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-08 Thread Gary O'Neall
I’m glad you checked – I missed the standard time. It is 5PM PDT – 9AM JST. Thanks, Gary From: norio.kob...@sony.com Sent: Saturday, July 8, 2023 8:13 PM To: Gary O'Neall ; 'Shane Coughlan' Cc: garysourceaudi...@gmail.com; 'Kate Stewart' ; hiroyuki.fuku...@sony.com; j-manbe

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-08 Thread Gary O'Neall
Hi Kobota-san, Yes – the next meeting will be on July 10th at 5PM PST. Best, Gary From: norio.kob...@sony.com Sent: Saturday, July 8, 2023 3:36 PM To: Shane Coughlan ; Gary O'Neall Cc: garysourceaudi...@gmail.com; Kate Stewart ; hiroyuki.fuku...@sony.com; j-manbe...@ti.com

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-06 Thread Gary O'Neall
ughlan > Sent: Thursday, July 6, 2023 4:38 PM > To: Gary O'Neall > Cc: Norio Kobota ; garysourceaudi...@gmail.com; > Kate Stewart ; Hiroyuki Fukuchi > ; j-manbe...@ti.com; Joshua Marpet > ; Shinsuke Kato > ; Masato Endo > ; nis...@vmware.com; > pmad...@cox.net; shi1

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-06 Thread Gary O'Neall
to see what dates and times would work for a joint US/Europe/Asia call. We can then follow-up on the SPDX Tech call on Tuesday to propose a new time. Thanks, Gary From: Gary O'Neall Sent: Sunday, July 2, 2023 11:08 AM To: 'Norio Kobota' ; 'garysourceaudi...@gmail.com' ; 'Kate Stewart

[spdx-tech] New release of the SPDX online tools

2023-07-02 Thread Gary O'Neall
I just finished upgrading the software and hardware for the SPDX online tools. For a list of changes, see the release notes at https://github.com/spdx/spdx-online-tools/releases/tag/v1.2.1 The compute server and database server have been upgraded to meet the demands of increased usage - and

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-07-02 Thread Gary O'Neall
Hi Kobota-san, The proposal would be to add an additional meeting. We would still meet on July 10th at 5PM PST and have an additional meeting July 11th at 8AM PST to include Europe in the discussion. I realize the July 11th time is very inconvenient. I did check with some of the

Re: [spdx-tech] Software as a Service Profile Meeting postponed

2023-06-29 Thread Gary O'Neall
weeks). Sorry about all the schedule confusion. I'll send out a reminder from the calendar as well. Thanks for your patience, Gary From: Spdx-tech@lists.spdx.org On Behalf Of Gary O'Neall Sent: Tuesday, June 27, 2023 12:51 PM To: 'SPDX Technical Mailing List' Subject: Re: [spdx-tech

Re: [spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-06-27 Thread Gary O'Neall
Thanks Shane - for the reminder on the conflicts. This would be a one-time meeting, so it may not conflict with the OpenChain community call. That being said, it is very late for Japan. We could try for 07:00 Pacific time. All - let me know if the earlier time causes a problem. Thanks, Gary

Re: [spdx-tech] Software as a Service Profile Meeting postponed

2023-06-27 Thread Gary O'Neall
, Gary From: Gary O'Neall Sent: Saturday, June 17, 2023 6:19 AM To: 'SPDX Technical Mailing List' Subject: Software as a Service Profile Meeting postponed Due to many of us being on holiday this upcoming Monday and the next meeting falls on another long weekend - July 3rd, we'll skip the next

[spdx-tech] Asia / Europe / U.S. SPDX Tech meeting

2023-06-27 Thread Gary O'Neall
Greetings Asia SPDX meeting attendees. In today's SPDX Tech regular Tuesday call, we agreed to hold one of our meetings an hour earlier to make it easier for the SPDX Asia team to join, although I do realize it is still quite late for Asia. Let me know if Tuesday July 11th at 8 AM Pacific

[spdx-tech] SPDX Tech Meeting Today

2023-06-27 Thread Gary O'Neall
For today's I'd like to complete the discussion we started a while back on compacting creation information - issue #306 . There are two proposals: * CreationInfo serialization compaction approach Issue #357

[spdx-tech] Software as a Service Profile Meeting postponed

2023-06-17 Thread Gary O'Neall
Due to many of us being on holiday this upcoming Monday and the next meeting falls on another long weekend - July 3rd, we'll skip the next 2 regularly scheduled calls. Let me know if you'd like to schedule a call the week of July 10th or if we should just pick things back up on the next regularly

Re: [spdx-tech] SPDX special meeting on Properties vs Relationships

2023-06-16 Thread Gary O'Neall
Just catching up – quite a thread! Couple of inputs. I was in the discussion when we created the declared and concluded license fields, and the intent was that the declared license was a fact which can be verified by looking at the source whereas the concluded license was something

[spdx-tech] Agenda for this week's tech call

2023-06-12 Thread Gary O'Neall
For this week's tech call, we would like to finish up on the larger license profile related questions: * Use relationships instead of properties - align with Security Profiles? see Thomas comment on https://github.com/spdx/spdx-3-model/issues/254 * Update from Friday's meeting on

[spdx-tech] Follow-up meeting on the license expression discussion

2023-06-07 Thread Gary O'Neall
As a follow-up to our last tech call discussion on license expressions, I have scheduled a meeting from 9 to 10 AM Pacific time this Friday. Zoom meeting coordinates pasted below. In terms of agenda, I would suggest the following: * Confirm problem statement and confirm this is

Re: [spdx-tech] SPDX serialization meetings -- new time!

2023-06-07 Thread Gary O'Neall
Thanks Alexios! Looking forward to joining the calls. I created a PR for the meetings repo with the updated time which we can merge in after this Thursday's call. Gary From: Spdx-tech@lists.spdx.org On Behalf Of Alexios Zavras Sent: Wednesday, June 7, 2023 4:24 AM To:

Re: [spdx-tech] SPDX serialization meetings

2023-06-01 Thread Gary O'Neall
AM To: Gary O'Neall ; Spdx-tech@lists.spdx.org Subject: Re: [spdx-tech] SPDX serialization meetings According to my calendar, this would conflict with the general meeting, so once a month there would be no call. How about Tuesday at that time - essentially the hour before the tech call

Re: [spdx-tech] SPDX serialization meetings

2023-05-31 Thread Gary O'Neall
Hi Alexios, I would be interested in joining - if we could move the time 2+ hours later, that would be very helpful for me (or anyone in the Pacific Timezone) to join. Thanks for asking, Gary From: Spdx-tech@lists.spdx.org On Behalf Of Alexios Zavras Sent: Wednesday, May 31, 2023

Re: [spdx-tech] GSoC '23 Proposal: SoftWare Heritage SPDX generation

2023-05-26 Thread Gary O'Neall
Hi Harsh, Your proposal looks very interesting and I’m sure it will provide a lot of benefit to the SWHID and SPDX communities. Since you are using the Python libraries, you can get early access to the SPDX 3.0 features using the prototype-spdx-3.0 branch

[spdx-tech] Tomorow's tech call cancelled

2023-05-08 Thread Gary O'Neall
We will be skipping this week's SPDX tech call due to a number of participants attending the SPDX Tooling Mini Summit in Vancouver . All are welcome to sign-up and join virtually. We'll resume our

[spdx-tech] Request for review - updated migration document

2023-05-07 Thread Gary O'Neall
Greetings SPDX tech team, I just updated the SPDX 3 Migration Analysis to be consistent with the release candidate version of the spec. There were a lot of recent changes in the model, so it is quite likely I missed something. Please review and comment / suggest anything I missed:

Re: [spdx-tech] Software as a Service Profile

2023-04-26 Thread Gary O'Neall
hwz From: Gary O'Neall Sent: Monday, April 24, 2023 6:00 AM To: 'Banula Kumarage' ; 'Brandon Lum' ; 'opensou...@steenbe.nl' ; 'stephen.master...@pega.com' ; 'William Bartholomew' ; 'Prasad Iyer (prasadiy)' ; 'Nisha Kumar' ; 'Ivana Atanasova' ; 'Jeremiah C. Foster' ; 'Adolfo Veytia' ; 'Ros

[spdx-tech] Software as a Service Profile

2023-04-24 Thread Gary O'Neall
Greetings all - the votes are in on the meeting time for the Software as a Service profile meeting time. There were no times that worked for everyone, but Monday's 10AM to 11AM Pacific daylight time (17:00 GMT) seemed to work for most of the respondents. I would like to schedule our first

Re: [spdx-tech] License with duplicated SPDX license ds

2023-04-18 Thread Gary O'Neall
I just created this issue to update the message from the SPDX Java and online tools: https://github.com/spdx/tools-java/issues/123 Feel free to review/comment my proposed change to the tool. Thanks, Gary From: Spdx-tech@lists.spdx.org On Behalf Of Steve Winslow Sent: Tuesday, April

[spdx-tech] Software as a Service Minutes

2023-04-17 Thread Gary O'Neall
Greetings all, I just created a pull request for the meeting minutes from last week's Software as a Service Profile meeting: https://github.com/spdx/meetings/pull/316 Those on the call, please review and approve or provide feedback. I'll merge it into the main meetings repo before our

[spdx-tech] Software as a Service Profile

2023-04-17 Thread Gary O'Neall
- April 21. https://doodle.com/meeting/participate/id/eE0GkYgd Thanks, Gary - Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: <mailto:g...@sourceauditor.com> g...@sourceauditor.com CONFIDENT

Re: [spdx-defects] [spdx-tech] SPDX 3.0: When to use a property or relationship

2023-04-17 Thread Gary O'Neall
I’m thinking it would be common to discover additional elements affected by a vulnerability after a VEX is initially published which would cause the list of elements referenced to change. Therefore my vote would be for B. If it is unlikely to change, I would agree with David a property would

[spdx-tech] Question on how to handle "None" and "NoAssertion"

2023-04-16 Thread Gary O'Neall
. * In Object Oriented Programming, it is challenging to define subclasses of Element and Licenses (and other types) that include None and NoAssertions. Feel free to update the issues or reply to all in the email. Thanks, Gary - Gary

Re: [spdx-tech] Clarifcation on Package Purpose

2023-04-11 Thread Gary O'Neall
Hi Anthony and Rose, Thanks for bumping this up. This fell off my radar and definitely should be resolved. First, I want to apologize for the general inconsistency between JSON and the spec. I should have caught these earlier. I also missed the issue 813

Re: [spdx-tech] SPDX Software as a Service Profile Kick-off Meeting

2023-04-10 Thread Gary O'Neall
@lists.spdx.org On Behalf Of Brandon Lum via lists.spdx.org Sent: Monday, April 10, 2023 12:46 PM To: Gary O'Neall Cc: SPDX-list Subject: Re: [spdx-tech] SPDX Software as a Service Profile Kick-off Meeting ah i must have missed the doodle poll, if there's going to be another doodle poll, can

[spdx-tech] SPDX Software as a Service Profile Kick-off Meeting

2023-04-10 Thread Gary O'Neall
tps://www.google.com/url?q=https://us02web.zoom.us/j/83702327112=D rce=calendar=2=AOvVaw1bU7Y7302DR4rF9V8Qj--y> https://us02web.zoom.us/j/83702327112 - Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: <

[spdx-tech] SPDX Tech Agenda Reminder

2023-04-02 Thread Gary O'Neall
Greetings all SPDX tech sub-teams - just a reminder this is the last tech call before the monthly SPDX general meeting where we share summaries from all the sub-teams. Please bring your latest status. Thanks, Gary - Gary O'Neall Principal

Re: [spdx-tech] Serialization: Ontologies vs Datatypes

2023-03-20 Thread Gary O'Neall
Thanks David for the additional info. I was planning on allowing the fields of “data types” as objects in RDF triples in SPDX 3.0. The difference between Elements and “data types” was whether URI types were required or if the object could be an anonymous/blank node. Is this consistent with

Re: [spdx-tech] Handling invalid licenses

2023-03-16 Thread Gary O'Neall
Hi Anthony, My suggestion is to report the license as stated in the Declared License property, even though invalid, and use either NOASSERTION (or better yet) the correct license in the Concluded

Re: [spdx-tech] FYI: Cross pollination with the CISA ICT_SCRM Task Force SW Assurance work stream

2023-03-07 Thread Gary O'Neall
Hi Dick, Thanks for welcoming our feedback. Clearly an important topic. I may have a different perspective on the topic coming more from an SPDX than an NTIA perspective. Below are a few thoughts. Gary From: Spdx-tech@lists.spdx.org On Behalf Of Dick Brooks Sent: Tuesday, March 7,

Re: [spdx-tech] Is tools.spdx.org down?

2023-02-28 Thread Gary O'Neall
Hi Peter, It’s back up. I have a check setup in AWS that emails me when it is not responding. I did get an email overnight my time, but I didn’t see it / have a check to fix it until now. The problem is either networking or O.S. related as the entire AWS instances is non-responsive

Re: [spdx-tech] clarification around "documentDescribes" field

2023-02-23 Thread Gary O'Neall
via lists.spdx.org <http://lists.spdx.org> mailto:google@lists.spdx.org> > wrote: Agreed with both options, either are good to me, probably favoring the later if it means a faster turn-around to standardization. On Thu, Feb 16, 2023 at 4:50 PM Gary O'Neall mailto:g...@sourceaudi

Re: [spdx-tech] FileNames in SPDX File item

2023-02-17 Thread Gary O'Neall
From: Spdx-tech@lists.spdx.org On Behalf Of Anthony Harrison Sent: Friday, February 17, 2023 11:32 AM To: Spdx-tech@lists.spdx.org Subject: Re: [spdx-tech] FileNames in SPDX File item Thanks for the feedback. So if I have a package which consists of other dependent packages; can I

Re: [spdx-tech] FileNames in SPDX File item

2023-02-17 Thread Gary O'Neall
Just echoing the comments below. > Where should the absolute path be specified (I think we just need the root)? The relative file path is relative to the package the file is “contain”ed within. In a scenario where you have a package “contain”ing several files, you would typically have

Re: [spdx-tech] clarification around "documentDescribes" field

2023-02-16 Thread Gary O'Neall
Of Brandon Lum via lists.spdx.org Sent: Thursday, February 16, 2023 12:07 PM To: l...@google.com Cc: Gary O'Neall ; SPDX Technical Mailing List Subject: Re: [spdx-tech] clarification around "documentDescribes" field Reviving this thread again since there is a little bit of ambig

[spdx-tech] New release of the SPDX Java Tools

2023-01-24 Thread Gary O'Neall
ou run into any issues, please create an issue in the SPDX Java Tools repo <https://github.com/spdx/tools-java/issues/new> . Thanks, Gary ----- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email

Re: [spdx-tech] Build profile development branch on the spdx-3-model repo

2023-01-23 Thread Gary O'Neall
Hi Nisha, I just created a "build-profile" branch in the spdx-3-model repo. Let me know if you need anything else. Gary > -Original Message- > From: Spdx-tech@lists.spdx.org On Behalf Of > Nisha Kumar > Sent: Monday, January 23, 2023 12:18 PM > To: 'SPDX-list' > Subject: [spdx-tech]

Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)

2023-01-22 Thread Gary O'Neall
Hi Paul, In response to your proposal: > Well, at the point that someone (or some script) asserts license metadata, I think it may be worth capturing additional metadata, such as > > - the date that the assertion is made For the SBOM case, this is the creation date in the creation information.

Re: [spdx-tech] Question about License Expression Disjunctions

2023-01-20 Thread Gary O'Neall
Hi Timothy, You raise a good point. > 1. Should the OR be understood as "normal" disjunction, exclusive > disjunction, or none of the two? Has there been any discussion or thought on > this? We have discussed whether this is an “Exclusive OR” or “Disjunctive OR” and concluded that is

Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)

2023-01-15 Thread Gary O'Neall
Just a few more points to add into this discussion: - In SPDX, there are 2 properties related to licenses - declared and concluded. We created 2 properties rather than one to help with some of the issues listed below. Declared relates to the metadata found in the package and concluded is a

Re: [spdx-tech] Identities

2023-01-11 Thread Gary O'Neall
I had a similar thought. I was wondering if the definitions provided would support a BlockChain like approach which does not have a centralized "authority". Gary From: Spdx-tech@lists.spdx.org On Behalf Of William Bartholomew (CELA) via lists.spdx.org Sent: Wednesday, January 11, 2023

[spdx-tech] New version of the SPDX Online Tools

2023-01-10 Thread Gary O'Neall
to email me if you need more information. Thanks, Gary ----- Gary O'Neall Principal Consultant Source Auditor Inc. Mobile: 408.805.0586 Email: <mailto:g...@sourceauditor.com> g...@sourceauditor.com CONFIDENTIALITY NOTE: The informatio

Re: [spdx-tech] clarification around "documentDescribes" field

2023-01-04 Thread Gary O'Neall
Hi Brandon, I believe it is safe to ignore the v2.2.0 JSON schema. The “describesPackages” was deprecated on release 2.0 of the spec and is only used for compatibility with pre 2.0 spec version using the RDF format. There is an open issue to remove this property
