Re: OpenChain for projects


Kate Stewart
 



On Wed, Jan 25, 2017 at 2:18 PM, Jeremiah Foster <jeremiah.foster@...> wrote:


On Wed, Jan 25, 2017 at 3:05 PM, Kate Stewart <kstewart@...> wrote:
>
> On Wed, Jan 25, 2017 at 1:27 PM, Matija Šuklje <matija@...> wrote:
>>
>> Die 25. 01. 17 et hora 19.12.09 Jilayne Lovejoy scripsit:

<snip>
   
>>
>> 2) I don’t think any of them distribute
>> the SPDX files as well (does Debian do so already?),
>
>
> Debsources stores the information to be able to generate SPDX files,
> and Debian has recognized the SPDX license identifiers since the start.
>
> Fedora/Red Hat is contemplating (at least there have been some discussions)
> on standardizing on the SPDX license identifiers but hasn't committed to doing it yet.
>
> Yocto has been prototyping generating SPDX files for a couple of years, and
> there are new tools emerging to help this effort (i.e. see: ELC talk about LiD next
> month for instance... )

Is there a code repo for LiD? I don't see it via Google. It is an open source project, no?

I've talked to the authors and they're going through internal approvals to publish the code.
Expectation is that the source repository will be open before their talk.
 

>> and 3) it’s still a
>> humongous cost of resources, which someone has to cover.
>
>
> It's a step by step, we add what we can to reduce the cost for everyone type of activity.
> Each contributes what they can (and scratches their own itch), and eventually we'll
> get the automation working as it should.  

+1 Great work done so far!

> Thomas and I will be talking about this topic in our FOSDEM talk.   We've
> got some ideas on how to help solve this problem we'll be presenting.
> Happy to collaborate with others who have ideas on how to move this along further.   ;-)

I'm still interested in having the blockchain utilized for assurance in the supply chain. I see that there are a couple of Hyperledger projects doing something similar, namely storing a hash of a document in the blockchain which I think would be useful and fairly easy to implement. This way each stage of the supply chain could sign the SPDX document ensuring that there is traceability to the origin.

Completely agree, and Mark Gisi does too. ;-) His talk at OSLS is going to be on this.
So, if we're all reaching this conclusion independently, it must be a good one, now to figure out
how to make this real!

Kate
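
Added example, not part of the original thread and not code from Hyperledger or any project named in it: a sketch of the idea discussed above, where each supply-chain stage records a hash of the SPDX document in an append-only, hash-linked log and tags its entry. Assumptions: a Python list stands in for the ledger, HMAC-SHA256 with a per-stage key stands in for a real digital signature, and the stage names, keys and SPDX text are constructed sample data.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

def _payload(stage, doc_sha256, prev):
    # Canonical bytes that the stage tags and that the next entry links to.
    body = {"stage": stage, "doc_sha256": doc_sha256, "prev": prev}
    return json.dumps(body, sort_keys=True).encode()

def append_entry(ledger, stage, key, spdx_bytes):
    """Record the document hash for one stage, linked to the previous entry."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    doc = hashlib.sha256(spdx_bytes).hexdigest()
    payload = _payload(stage, doc, prev)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    entry_hash = hashlib.sha256(payload + tag.encode()).hexdigest()
    ledger.append({"stage": stage, "doc_sha256": doc, "prev": prev,
                   "tag": tag, "entry_hash": entry_hash})

def verify_ledger(ledger, keys, spdx_bytes):
    """Return (ok, reason): check links, per-stage tags, then the delivered file."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        payload = _payload(e["stage"], e["doc_sha256"], e["prev"])
        if e["prev"] != prev:
            return False, f"entry {i}: broken link"
        key = keys.get(e["stage"])
        if key is None:
            return False, f"entry {i}: unknown stage"
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["tag"]):
            return False, f"entry {i}: bad tag"
        if e["entry_hash"] != hashlib.sha256(payload + e["tag"].encode()).hexdigest():
            return False, f"entry {i}: bad entry hash"
        prev = e["entry_hash"]
    if not ledger or ledger[-1]["doc_sha256"] != hashlib.sha256(spdx_bytes).hexdigest():
        return False, "document does not match last recorded hash"
    return True, "ok"

# Constructed sample data: stage names, keys and SPDX text are illustrative only.
KEYS = {"upstream": b"demo-key-upstream", "integrator": b"demo-key-integrator"}
DOC_V1 = b"SPDXVersion: SPDX-2.1\nPackageName: demo\nPackageLicenseDeclared: MIT\n"
DOC_V2 = DOC_V1 + b"PackageName: demo-bsp\nPackageLicenseDeclared: GPL-2.0\n"

def build_demo():
    ledger = []
    append_entry(ledger, "upstream", KEYS["upstream"], DOC_V1)
    append_entry(ledger, "integrator", KEYS["integrator"], DOC_V2)
    return ledger
```

Because only hashes are recorded, the SPDX file itself travels separately; a recipient recomputes its SHA-256 and walks the entries back to the first stage.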
