FYI: FOSSology training at LinuxCon NA on August 25


Kate Stewart
 

Hi,
    Sorry if this is a bit off topic, but some of you have expressed interest in 
understanding how to use the latest version of FOSSology (which generates 
SPDX output) for doing license reviews, etc. and how to generate artifacts 
that will address OpenChain. 

   There's been a late addition to the LinuxCon NA, to provide a free training
day on FOSSology.   The course will cover what FOSSology is, how to use it 
to do license clearing for projects, how to generate SPDX,  BOM's, etc. 
and hands on advice for installing on your system.   

   If you're interested in understanding how to install and use FOSSology,  this is a great chance to learn from the expert for free.

   Information on signing up can be found at https://lcccna2016.sched.org/event/7pGQ

Please let me know if you have any questions.

Thanks, Kate


Jeremiah Foster <jeremiah.foster@...>
 

Thanks Kate! Will the session be recorded or slides published for those who cannot make it?

Regards,

Jeremiah


On Aug 9, 2016 3:40 PM, "Kate Stewart" <kstewart@...> wrote:
Hi,
    Sorry if this is a bit off topic, but some of you have expressed interest in 
understanding how to use the latest version of FOSSology (which generates 
SPDX output) for doing license reviews, etc. and how to generate artifacts 
that will address OpenChain. 

   There's been a late addition to the LinuxCon NA, to provide a free training
day on FOSSology.   The course will cover what FOSSology is, how to use it 
to do license clearing for projects, how to generate SPDX,  BOM's, etc. 
and hands on advice for installing on your system.   

   If you're interested in understanding how to install and use FOSSology,  this is a great chance to learn from the expert for free.

   Information on signing up can be found https://lcccna2016.sched.org/event/7pGQ

Please let me know if you have any questions.

Thanks, Kate


_______________________________________________
OpenChain mailing list
OpenChain@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/openchain



Kate Stewart
 

Hi Jeremiah,
    It's just planned as an in-person course right now, with the focus on hands-on.

Based on the feedback, we're thinking of having it at other future LinuxCon events
for those who can't make it this time.

Kate

On Tue, Aug 9, 2016 at 2:48 PM, Jeremiah Foster <jeremiah.foster@...> wrote:

Thanks Kate! Will the session be recorded or slides published for those who cannot make it?

Regards,

Jeremiah


--
Kate Stewart
Sr. Director of Strategic Programs,  The Linux Foundation
Mobile: +1.512.657.3669
Email / Google Talk: kstewart@...


Jilayne Lovejoy <Jilayne.Lovejoy@...>
 

Perhaps LinuxCon Europe, by any chance… ??  :)

On 8/9/16, 2:05 PM, "openchain-bounces@... on behalf of Kate Stewart" <openchain-bounces@... on behalf of kstewart@...> wrote:

Hi Jeremiah,
    Its just planned as an in-person course right now,  with the focus on hands-on.

Based on the feedback, we're thinking of having it other future LinuxCon events
for those who can't make it this time.

Kate



Matija Šuklje
 

On 09. 08. 16 at 20.11.22, Jilayne Lovejoy wrote:
> Perhaps LinuxCon Europe, by any chance… ?? :)

+1

There’s this:
https://linuxconcontainerconeurope2016.sched.org/event/7o9d/fossology-efficient-license-analysis-in-hd-michael-jaeger-siemens-ag

And from what I saw on the registration page there will also be the following
training, but unfortunately for a 100 US$ fee:

FOSSology - Hands On Training
Click here to add FOSSology - Hands On Training to your LinuxCon +
ContainerCon Europe registration.

FOSSology is an open source license compliance software system and toolkit.
As a toolkit, you can run license, copyright and export control scans from the
command line. As a system, a database and Web user interface provide you
with a compliance workflow. License, copyright and export scanners are tools
used in the workflow.

Analyzing open source license compliance requires expert knowledge. As a
consequence the use of the tool requires understanding of license analysis
problems and how they are covered by FOSSology. This training will provide the
following elements:
- Challenges in real world examples at license analysis of open source components
- Learning how to cope with license proliferation and custom license texts
- Efficiently managing large open source components with heterogeneous licensing
- Saving work with reusing license conclusions of open source packages when analyzing a newer version
- Getting an overview about an example workflow for component analysis with FOSSology

This course will be valuable to anyone concerned with and involved in Open
Source Management, including operational and legal executives, software
development managers, open source program managers, and developers.

Date: Friday, October 07, 2016 9:00 AM - 5:00 PM (GMT)
Location: Bishop, InterContinental Berlin
Price: $100.00



cheers,
Matija
--
gsm: tel:+386.41.849.552
www: http://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...


Kate Stewart
 

Hi Matija,

On Wed, Aug 10, 2016 at 11:44 AM, Matija Šuklje <matija@...> wrote:
> On 09. 08. 16 at 20.11.22, Jilayne Lovejoy wrote:
> > Perhaps LinuxCon Europe, by any chance… ??  :)
>
> +1
>
> There’s this:
> https://linuxconcontainerconeurope2016.sched.org/event/7o9d/fossology-efficient-license-analysis-in-hd-michael-jaeger-siemens-ag
>
> And from what I saw on the registration page there will also be the following
> training, but unfortunately for a 100 US$ fee:

We're piloting it in North America, so it's free there.  ;-)

The FOSSology project doesn't have any funding associated with
it though, so we're looking to charge the fee to recover costs 
(room, refreshments for participants, team travel) associated 
with holding the training.  
 
If the cost is a blocking point on attending, please contact me off list.

Thanks, Kate


Matija Šuklje
 

On 10. 08. 16 at 15.42.55, Kate Stewart wrote:
> We're piloting it in North America, so it's free there. ;-)

That makes sense then :)

> The FOSSology project doesn't have any funding associated with
> it though, so we're looking to charge the fee to recover costs
> (room, refreshments for participants, team travel) associated
> with holding the training.

Ah, didn’t realise that such an important piece of SW for business use is not
properly funded – which is surprising TBH.

I actually find the 100 US$ price tag fair, but was taken aback by the
difference between the two events so close together. Piloting for gratis makes
sense of course. :)


cheers,
Matija


Jeremiah Foster <jeremiah.foster@...>
 



On Fri, Aug 12, 2016 at 9:25 AM, Matija Šuklje <matija@...> wrote:
> On 10. 08. 16 at 15.42.55, Kate Stewart wrote:
> > We're piloting it in North America, so it's free there.  ;-)
>
> That makes sense then :)
>
> > The FOSSology project doesn't have any funding associated with
> > it though, so we're looking to charge the fee to recover costs
> > (room, refreshments for participants, team travel) associated
> > with holding the training.
>
> Ah, didn’t realise that such an important piece of SW for business use is not
> properly funded – which is surprising TBH.

This is the main issue -- LF has done a lot here, sponsoring OpenChain and giving resources to FOSSology and more, but companies have not stepped up to provide a solid open source ecosystem around the tooling. OpenChain will do a great deal to help, but currently the open source tooling is far away from the commercial tooling in quality and commercial tools can be expensive. In addition, the tooling that does exist is often not suitable for things like embedded GNU/Linux, with clients running on Windows (which is just not used at all in many shops) and tools written in Java that don't integrate into things like Yocto or baserock.

I'm very thankful for the work of the LF and companies like ARM, Qualcomm, Wind River and of course others, but we need more tools that fit the embedded space and more training on use that is accessible to "engilawyers" as Google sometimes calls them.

> I actually find the 100 US$ price tag fair, but was taken aback by the
> difference between the two events so close together. Piloting for gratis makes
> sense of course. :)

+1

Cheers,

Jeremiah 


Nuno Brito <nuno.brito@...>
 

> In addition, the tooling that does exist is often not suitable for things like embedded GNU/Linux, with clients running on Windows (which is just not used at all in many shops) and tools written in Java that don't integrate into things like Yocto or baserock.
 
One of the reasons to write tooling in Java is to keep it platform independent. Speaking for the TripleCheck tooling, integration with Yocto should be possible. Would just ask for some guidance because I'm not a Yocto distributor nor user, but would be happy to enable this feature if there is interest.
 
Best
Nuno
 
--
http://triplecheck.net
 


Jeremiah Foster <jeremiah.foster@...>
 



On Fri, Aug 12, 2016 at 9:47 AM, Nuno Brito <nuno.brito@...> wrote:
> > In addition, the tooling that does exist is often not suitable for things like embedded GNU/Linux, with clients running on Windows (which is just not used at all in many shops) and tools written in Java that don't integrate into things like Yocto or baserock.
>
> One of the reasons to write tooling in Java is to keep it platform independent.

Well, Java *is* the platform no? :-) Or rather the JVM, and it is definitely not independent, it's owned by Oracle and even the open source versions suffer significant politics. It's also an enterprise language, not an embedded language, even Android (which is not Java) has a ton of apps that use C/C++, HTML, CSS, etc.

> Speaking for the TripleCheck tooling, integration with Yocto should be possible.

We've done some integration with other Java Eclipse-based tooling in Yocto and it is a poor fit for build from source systems that rely on C, bash and python, for one thing it increases build times significantly. This is a problem when you're doing continuous integration and building entire OS images triggered by changes to git repos. In fact when Yocto integrated SPDX 1.1 it was in python.

> Would just ask for some guidance because I'm not a Yocto distributor nor user, but would be happy to enable this feature if there is interest.

I'd say look at the sources that Yocto preserves in a directory of its build image. That might be easy to go over and do SPDX reports on. Embedding a Java tool in Yocto will be quite difficult, not least because you build a cross-compiler toolchain on qemu. You might look at the earlier SPDX implementation to see if there is low-hanging fruit: http://www.pelagicore.com/using-yocto-and-fossology-to-get-spdx-licence-output/   Please note that this is old and SPDX is up to 2.2 for its spec I believe.

Regards,

Jeremiah
 
 

--
Jeremiah C. Foster
GENIVI COMMUNITY MANAGER

Pelagicore AB
Ekelundsgatan 4, 6tr, SE-411 18
Gothenburg, Sweden
M: +1.860.772.9242


Kate Stewart
 



On Fri, Aug 12, 2016 at 9:05 AM, Jeremiah Foster <jeremiah.foster@...> wrote:


> I'd say look at the sources that Yocto preserves in a directory of its build image. That might be easy to go over and do SPDX reports on. Embedding a Java tool in Yocto will be quite difficult, not least because you build a cross-compiler toolchain on qemu. You might look at the earlier SPDX implementation to see if there is low-hanging fruit: http://www.pelagicore.com/using-yocto-and-fossology-to-get-spdx-licence-output/   Please note that this is old and SPDX is up to 2.2 for its spec I believe.

SPDX specification is currently 2.0 and about to be 2.1.   :-)    

We're just polishing (formatting, grammar) off the draft now, and it should be announced shortly.
have a look, and comment in the document if you spot any problems.

Thanks, Kate


Nuno Brito <nuno.brito@...>
 

> Well, Java *is* the platform no? :-) Or rather the JVM, and it is definitely not independent, it's owned by Oracle and even the open source versions suffer significant politics. It's also an enterprise language, not an embedded language, even Android (which is not Java) has a ton of apps that use C/C++, HTML, CSS, etc.
 
OpenJDK is the default JVM. Oracle might dislike, but so is the GPL nature: https://en.wikipedia.org/wiki/OpenJDK#Release_of_the_class_library
 
Interesting enough is that Java is too an embedded language, reason why 2 billion older generation devices got a JVM by default before smartphones as Android surfaced, which also recently moved to OpenJDK: http://www.theregister.co.uk/2015/12/30/android_openjdk/ So, would say it is quite a battle field between major organizations, same as Linux or OpenStack alike. However, I am Java fan so anything that I write on this topic will be too biased towards making Java look good, my apologies.. :-)
 
 
> We've done some integration with other Java Eclipse-based tooling in Yocto and it is a poor fit for build from source systems that rely on C, bash and python, for one thing it increases build times significantly. This is a problem when you're doing continuous integration and building entire OS images triggered by changes to git repos. In fact when Yocto integrated SPDX 1.1 it was in python.
 
You would probably have more interest in a command line edition than a GUI tool. On my work laptop a vanilla Linux kernel takes some 15 minutes on the first run to be analyzed and output an SPDX. After that only the modified files get scanned so we are talking about a few seconds to get the fresh SPDX file.
 
 
> I'd say look at the sources that Yocto preserves in a directory of its build image. That might be easy to go over and do SPDX reports on. Embedding a Java tool in Yocto will be quite difficult, not least because you build a cross-compiler toolchain on qemu. You might look at the earlier SPDX implementation to see if there is low-hanging fruit: http://www.pelagicore.com/using-yocto-and-fossology-to-get-spdx-licence-output/   Please note that this is old and SPDX is up to 2.2 for its spec I believe.
 
Ok, will do. When ready will contact you in private to help on the testing side if you don't mind.
 
Thanks,
Nuno
 
 
 


Jeremiah Foster <jeremiah.foster@...>
 

(Dropped Matija from CC since I think he's on the list.)

On Fri, Aug 12, 2016 at 12:42 PM, Nuno Brito <nuno.brito@...> wrote:
> > Well, Java *is* the platform no? :-) Or rather the JVM, and it is definitely not independent, it's owned by Oracle and even the open source versions suffer significant politics. It's also an enterprise language, not an embedded language, even Android (which is not Java) has a ton of apps that use C/C++, HTML, CSS, etc.
>
> OpenJDK is the default JVM. Oracle might dislike, but so is the GPL nature: https://en.wikipedia.org/wiki/OpenJDK#Release_of_the_class_library
>
> Interesting enough is that Java is too an embedded language, reason why 2 billion older generation devices got a JVM by default before smartphones as Android surfaced, which also recently moved to OpenJDK: http://www.theregister.co.uk/2015/12/30/android_openjdk/ So, would say it is quite a battle field between major organizations, same as Linux or OpenStack alike. However, I am Java fan so anything that I write on this topic will be too biased towards making Java look good, my apologies.. :-)

No need to apologize! We all have our selection bias -- mine is perl so you can imagine the kind of pushback I get. :-}

> > We've done some integration with other Java Eclipse-based tooling in Yocto and it is a poor fit for build from source systems that rely on C, bash and python, for one thing it increases build times significantly. This is a problem when you're doing continuous integration and building entire OS images triggered by changes to git repos. In fact when Yocto integrated SPDX 1.1 it was in python.
>
> You would probably have more interest in a command line edition than a GUI tool. On my work laptop a vanilla Linux kernel takes some 15 minutes on the first run to be analyzed and output an SPDX. After that only the modified files get scanned so we are talking about a few seconds to get the fresh SPDX file.

Okay, that sounds interesting. I'll test the tool against the artifacts that a GENIVI development platform produces and report back to you. Where do you do your development? GitHub?

> > I'd say look at the sources that Yocto preserves in a directory of its build image. That might be easy to go over and do SPDX reports on. Embedding a Java tool in Yocto will be quite difficult, not least because you build a cross-compiler toolchain on qemu. You might look at the earlier SPDX implementation to see if there is low-hanging fruit: http://www.pelagicore.com/using-yocto-and-fossology-to-get-spdx-licence-output/   Please note that this is old and SPDX is up to 2.2 for its spec I believe.
>
> Ok, will do. When ready will contact you in private to help on the testing side if you don't mind.

I don't mind at all, I'm very happy to help. Happy to move this to another forum to keep the signal to noise ratio better for the rest of this list who may not be interested. :-)

Cheers,

Jeremiah
 
 