FYI: FOSSology training at LinuxCon NA on August 25
Kate Stewart
Hi,
Sorry if this is a bit off topic, but some of you have expressed interest in understanding how to use the latest version of FOSSology (which generates SPDX output) for doing license reviews, etc. and how to generate artifacts that will address OpenChain.
There's been a late addition to the LinuxCon NA, to provide a free training day on FOSSology. The course will cover what FOSSology is, how to use it to do license clearing for projects, how to generate SPDX, BOMs, etc. and hands-on advice for installing on your system.
If you're interested in understanding how to install and use FOSSology, this is a great chance to learn from the expert for free. Information on signing up can be found https://lcccna2016.
Please let me know if you have any questions.
Thanks, Kate
Jeremiah Foster <jeremiah.foster@...>
Thanks Kate! Will the session be recorded or slides published for those who cannot make it? Regards, Jeremiah
On Aug 9, 2016 3:40 PM, "Kate Stewart" <kstewart@...> wrote:
Kate Stewart
Hi Jeremiah,
It's just planned as an in-person course right now, with the focus on hands-on. Based on the feedback, we're thinking of having it at other future LinuxCon events for those who can't make it this time.
Kate
On Tue, Aug 9, 2016 at 2:48 PM, Jeremiah Foster <jeremiah.foster@...> wrote:
--
Kate Stewart Sr. Director of Strategic Programs, The Linux Foundation Mobile: +1.512.657.3669 Email / Google Talk: kstewart@...
Jilayne Lovejoy <Jilayne.Lovejoy@...>
Perhaps LinuxCon Europe, by any chance… ?? :)
On 8/9/16, 2:05 PM, "openchain-bounces@... on behalf of Kate Stewart" <openchain-bounces@...
on behalf of kstewart@...> wrote:
Matija Šuklje <matija@...>
On 09. 08. 16 at 20.11.22 Jilayne Lovejoy wrote:
> Perhaps LinuxCon Europe, by any chance… ?? :)
+1
There’s this: https://linuxconcontainerconeurope2016.sched.org/event/7o9d/fossology-efficient-license-analysis-in-hd-michael-jaeger-siemens-ag
And from what I saw on the registration page there will also be the following training, but unfortunately for a 100 US$ fee:
FOSSology - Hands On Training
Click here to add FOSSology - Hands On Training to your LinuxCon + ContainerCon Europe registration.
FOSSology is an open source license compliance software system and toolkit. As a toolkit, you can run license, copyright and export control scans from the command line. As a system, a database and Web user interface provide you with a compliance workflow. License, copyright and export scanners are tools used in the workflow.
Analyzing open source license compliance requires expert knowledge. As a consequence the use of the tool requires understanding of license analysis problems and how they are covered by FOSSology.
This training will provide the following elements:
- Challenges in real world examples at license analysis of open source components
- Learning how to cope with license proliferation and custom license texts
- Efficiently managing large open source components with heterogeneous licensing
- Saving work with reusing license conclusions of open source packages when analyzing a newer version
- Getting an overview about an example workflow for component analysis with FOSSology
This course will be valuable to anyone concerned with and involved in Open Source Management, including operational and legal executives, software development managers, open source program managers, and developers.
Date: Friday, October 07, 2016 9:00 AM - 5:00 PM (GMT)
Location: Bishop, InterContinental Berlin
Price: $100.00
cheers, Matija
--
gsm: tel:+386.41.849.552
www: http://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...
Kate Stewart
Hi Matija,
On Wed, Aug 10, 2016 at 11:44 AM, Matija Šuklje <matija@...> wrote:
On 09. 08. 16 at 20.11.22 Jilayne Lovejoy wrote:
We're piloting it in North America, so it's free there. ;-)
The FOSSology project doesn't have any funding associated with it though, so we're looking to charge the fee to recover costs (room, refreshments for participants, team travel) associated with holding the training.
If the cost is a blocking point on attending, please contact me off list.
Thanks, Kate
Matija Šuklje <matija@...>
On 10. 08. 16 at 15.42.55 Kate Stewart wrote:
> We're piloting it in North America, so it's free there. ;-)
That makes sense then :)
> The FOSSology project doesn't have any funding associated with
Ah, didn’t realise that such an important piece of SW for business use is not properly funded – which is surprising TBH.
I actually find the 100 US$ price tag fair, but was taken aback by the difference between the two events so close together. Piloting for gratis makes sense of course. :)
cheers, Matija
--
gsm: tel:+386.41.849.552
www: http://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...
Jeremiah Foster <jeremiah.foster@...>
On Fri, Aug 12, 2016 at 9:25 AM, Matija Šuklje <matija@...> wrote:
On 10. 08. 16 at 15.42.55 Kate Stewart wrote:
This is the main issue -- LF has done a lot here, sponsoring OpenChain and giving resources to FOSSology and more, but companies have not stepped up to provide a solid open source ecosystem around the tooling. OpenChain will do a great deal to help but currently the open source tooling is far away from the commercial tooling in quality and commercial tools can be expensive. In addition, the tooling that does exist is often not suitable for things like embedded GNU/Linux, with clients running on Windows (which is just not used at all in many shops) and tools written in Java that don't integrate into things like Yocto or Baserock.
I'm very thankful for the work of the LF and companies like ARM, Qualcomm, Wind River and of course others, but we need more tools that fit the embedded space and more training on use that is accessible to "engilawyers" as Google sometimes calls them.
+1
Cheers, Jeremiah
Nuno Brito <nuno.brito@...>
One of the reasons to write tooling in Java is to keep it platform independent.
Speaking for the TripleCheck tooling, integration with Yocto should be possible. Would just ask for some guidance because I'm not a Yocto distributor nor user, but would be happy to enable this feature if there is interest.
Best
Nuno
12.08.2016, 15:34, "Jeremiah Foster" <jeremiah.foster@...>:
-- http://triplecheck.net
Jeremiah Foster <jeremiah.foster@...>
On Fri, Aug 12, 2016 at 9:47 AM, Nuno Brito <nuno.brito@...> wrote:
Well, Java *is* the platform no? :-) Or rather the JVM, and it is definitely not independent, it's owned by Oracle and even the open source versions suffer significant politics. It's also an enterprise language, not an embedded language, even Android (which is not Java) has a ton of apps that use C/C++, HTML, CSS, etc.
We've done some integration with other Java Eclipse-based tooling in Yocto and it is a poor fit for build from source systems that rely on C, bash and python; for one thing it increases build times significantly. This is a problem when you're doing continuous integration and building entire OS images triggered by changes to git repos. In fact when Yocto integrated SPDX 1.1 it was in python.
I'd say look at the sources that Yocto preserves in a directory of its build image. That might be easy to go over and do SPDX reports on. Embedding a Java tool in Yocto will be quite difficult, not least because you build a cross-compiler toolchain on qemu. You might look at the earlier SPDX implementation to see if there is low-hanging fruit: http://www.pelagicore.com/using-yocto-and-fossology-to-get-spdx-licence-output/ Please note that this is old and SPDX is up to 2.2 for its spec I believe. Regards, Jeremiah
Jeremiah C. Foster GENIVI COMMUNITY MANAGER Pelagicore AB Ekelundsgatan 4, 6tr, SE-411 18 Gothenburg, Sweden M: +1.860.772.9242
Kate Stewart
On Fri, Aug 12, 2016 at 9:05 AM, Jeremiah Foster <jeremiah.foster@...> wrote:
SPDX specification is currently 2.0 and about to be 2.1. :-) We're just polishing (formatting, grammar) off the draft now, and it should be announced shortly. Draft is publicly available https://docs.google.com/document/d/112x3s3g1Qg2tj8bjvIPsqIBlWUp3Sob37cvAx2eiS6U/edit, feel free to have a look, and comment in the document if you spot any problems.
Thanks, Kate
Nuno Brito <nuno.brito@...>
OpenJDK is the default JVM. Oracle might dislike, but so is the GPL nature: https://en.wikipedia.org/wiki/OpenJDK#Release_of_the_class_library Interesting enough is that Java is too an embedded language, reason why 2 billion older generation devices got a JVM by default before smartphones as Android surfaced, which also recently moved to OpenJDK: http://www.theregister.co.uk/2015/12/30/android_openjdk/ So, would say it is quite a battle field between major organizations, same as Linux or OpenStack alike. However, I am Java fan so anything that I write on this topic will be too biased towards making Java look good, my apologies.. :-)
You would probably have more interest in a command line edition than a GUI tool. On my work laptop a vanilla Linux kernel takes some 15 minutes on the first run to be analyzed and output an SPDX. After that only the modified files get scanned so we are talking about a few seconds to get the fresh SPDX file.
Ok, will do. When ready will contact you in private to help on the testing side if you don't mind.
Thanks, Nuno
12.08.2016, 16:05, "Jeremiah Foster" <jeremiah.foster@...>:
-- http://triplecheck.net
Jeremiah Foster <jeremiah.foster@...>
(Dropped Matija from CC since I think he's on the list.) On Fri, Aug 12, 2016 at 12:42 PM, Nuno Brito <nuno.brito@...> wrote:
No need to apologize! We all have our selection bias -- mine is perl so you can imagine the kind of pushback I get. :-}
Okay, that sounds interesting. I'll test the tool against the artifacts that a GENIVI development platform produces and report back to you. Where do you do your development? GitHub?
I don't mind at all, I'm very happy to help. Happy to move this to another forum to keep the signal to noise ratio better for the rest of this list who may not be interested. :-) Cheers, Jeremiah
Jeremiah C. Foster GENIVI COMMUNITY MANAGER Pelagicore AB Ekelundsgatan 4, 6tr, SE-411 18 Gothenburg, Sweden M: +1.860.772.9242