Re: OpenChain for projects

Jeremiah Foster <jeremiah.foster@...>

On Wed, Jan 25, 2017 at 3:05 PM, Kate Stewart <kstewart@...> wrote:
> On Wed, Jan 25, 2017 at 1:27 PM, Matija Šuklje <matija@...> wrote:
>> On 25. 01. 17 at 19.12.09, Jilayne Lovejoy wrote:

>> 2) I don’t think any of them distribute
>> the SPDX files as well (does Debian do so already?),
> Debsources stores the information to be able to generate SPDX files,
> and Debian has recognized the SPDX license identifiers since the start.
> Fedora/Red Hat is contemplating (at least there have been some discussions)
> on standardizing on the SPDX license identifiers but hasn't committed to doing it yet.
> Yocto has been prototyping generating SPDX files for a couple of years, and
> there are new tools emerging to help this effort (i.e. see: ELC talk about LiD next
> month for instance... )

Is there a code repo for LiD? I don't see it via Google. It is an open source project, no?

>> and 3) it’s still a
>> humongous cost of resources, which someone has to cover.
> It's a step by step, we add what we can to reduce the cost for everyone type of activity.
> Each contributes what they can (and scratches their own itch), and eventually we'll
> get the automation working as it should.  

+1 Great work done so far!

> Thomas and I will be talking about this topic in our FOSDEM talk.   We've
> got some ideas on how to help solve this problem we'll be presenting.
> Happy to collaborate with others who have ideas on how to move this along further.   ;-)

I'm still interested in having the blockchain utilized for assurance in the supply chain. I see that there are a couple of Hyperledger projects doing something similar, namely storing a hash of a document in the blockchain, which I think would be useful and fairly easy to implement. This way each stage of the supply chain could sign the SPDX document, ensuring that there is traceability to the origin.
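
The idea in the message above, sketched as an added example that is not part of the original post and is not code from Hyperledger or SPDX. Assumptions: an in-memory hash-linked list stands in for the blockchain, HMAC-SHA256 with constructed keys stands in for each stage's signature (a real deployment would use asymmetric signatures), and the stage names and SPDX text are constructed.

```python
import hashlib, hmac, json

# Constructed sample SPDX tag-value document (not from the thread).
SPDX_DOC = (b"SPDXVersion: SPDX-2.1\nDataLicense: CC0-1.0\n"
            b"PackageName: example-pkg\nPackageLicenseDeclared: MIT\n")
# Constructed per-stage keys. HMAC stands in for a real asymmetric signature.
STAGE_KEYS = {"upstream": b"key-upstream", "distro": b"key-distro",
              "integrator": b"key-integrator"}
GENESIS = "0" * 64  # "prev" value of the first ledger entry

def entry_hash(e):
    """Hash over the fields that bind stage, document digest and predecessor."""
    body = {k: e[k] for k in ("stage", "doc_sha256", "prev")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(stage, digest):
    return hmac.new(STAGE_KEYS[stage], digest.encode(), hashlib.sha256).hexdigest()

def append_stage(ledger, stage, doc):
    """Record that `stage` vouches for `doc`, linked to the previous entry."""
    e = {"stage": stage, "doc_sha256": hashlib.sha256(doc).hexdigest(),
         "prev": ledger[-1]["hash"] if ledger else GENESIS}
    e["hash"] = entry_hash(e)
    e["sig"] = sign(stage, e["hash"])
    ledger.append(e)
    return ledger

def verify(ledger, doc):
    """Walk from the origin entry; return (ok, reason)."""
    if not ledger:
        return False, "empty ledger"
    prev, digest = GENESIS, hashlib.sha256(doc).hexdigest()
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_hash(e):
            return False, f"entry {i}: chain broken"
        if e["stage"] not in STAGE_KEYS or not hmac.compare_digest(
                sign(e["stage"], e["hash"]), e["sig"]):
            return False, f"entry {i}: bad signature"
        if e["doc_sha256"] != digest:
            return False, f"entry {i}: document differs from what was signed"
        prev = e["hash"]
    return True, "ok"

def build_ledger(doc=SPDX_DOC):
    ledger = []
    for stage in ("upstream", "distro", "integrator"):
        append_stage(ledger, stage, doc)
    return ledger
```

Only the SHA-256 digest of the SPDX document is stored in each entry, so the document itself travels separately and is checked against the ledger on receipt.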


