FOSSology and SPDX
Formal Metadata
Title | FOSSology and SPDX
Number of Parts | 542
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/61941 (DOI)
Transcript: English (auto-generated)
00:05
Yeah, hello everyone. My name is Shaheem and I have Gaurav with me. We both are working for the FOSSology community, and we are from Siemens. So maybe let me start. FOSSology is an open source license compliance project.
00:23
Initially it was published by HP in 2008, and in 2015 it became a Linux Foundation collaboration project. FOSSology is a Linux application; it works on Linux distributions.
00:41
The different tasks done for OSS license compliance by FOSSology are scanning for licenses, copyrights, authorships, emails and ECC statements. Apart from this we have keywords and IP address statements as well.
01:01
We also generate documentation like README OSS, text documentation and the unified report as well. And then we have export and import of SPDX files. So maybe we can discuss SPDX files later in the slides.
01:21
FOSSology is about finding the licenses, as I said already, so we scan the source code. The source code might have the license text, a reference to the license text, or a written text explaining some licensing, and then we might also have the license-relevant statements. All of this will be identified by FOSSology.
01:45
Later we have uploaded a component called Thrift, which is Apache source code, and FOSSology has found the Apache license. Apart from the Apache license we have many more licenses. It is because it is very natural that an OSS project reuses the
02:04
available OSS from other projects. So for example, if you see, FOSSology has found 25 other relevant licenses in Apache apart from Apache 2.0. So what is the uniqueness about FOSSology is we have conclusions. So if you take
02:27
licensing, it can be simple, but it might be challenging as well, because you might see some unknown licenses, written statements about licenses, some licenses might be untier, and there might be some
02:41
incomplete license statements as well. So actually to do this, I think one requires good domain knowledge. Yeah, SBOM and FOSSology: so we are
03:02
producers of SBOM as well as consumers. FOSSology produces an SBOM in SPDX version 2.3 format, which includes the file-level information, license findings and their conclusions, and copyrights as well as the custom license text. So as a consumer,
03:24
FOSSology imports all this information and adds it to a component as well. More information about the SBOM will be discussed later in the slides. So yeah, maybe Gaurav will take over and explain about the releases and more SPDX features of FOSSology. Thank you.
03:46
Thanks. So yeah, with FOSSology we recently released a few versions, and in all of them we majorly tried to sync our license set with the SPDX license set, so we are up to date. And at the same time we are
04:03
continuously working to improve our REST API so we can, you know, provide more automation flexibility to anyone who is interested to use it. And like recently we had some GDPR updates, thanks to Orens, like, you know, how the user data will be managed in the server and things like that. We recently updated to the Bootstrap UI.
04:27
We are planning to move to React, but yeah, it's in the works. With 4.1 we recently integrated ScanCode, so you can upload your source code to FOSSology itself and let FOSSology
04:43
scan using its own scanners, or if you prefer you can also use ScanCode and import the license findings into FOSSology itself. We also worked a little on our copyright false positive reduction using spaCy. And with the latest release, so to say, we are reuse.software standard compliant in our source code, and we also,
05:07
you know, try to display the information like whatever the REUSE linter provides, so you can check if any project supports the REUSE standard; they do it like that, so with FOSSology you can very easily know
05:26
how much work you have to do. So we are coming to the recent updates with SPDX within FOSSology. Since it's a pretty old project, we had some difficulty to, you know, comply to the SPDX standards. So we decided to take on the challenge in two steps.
05:45
The first step is done, which is what we are presenting, and the second is actually a work in progress. What we initially started with, the pain point, was the license name which ends up in the report. FOSSology initially used short names,
06:02
which are supposed to be unique and are actually used for identification internally in FOSSology. So here we added a new field called SPDX ID, where you can have different variants of the same license. So for example, in a license there is a copyright by X, but for a different one it is the same license with a copyright by [someone else], so the license text changes,
06:24
but you can still use the same SPDX ID for both of them, and that will end up in the report, whatever you generate. In case the SPDX ID is missing or is not in the SPDX license list, we also perform a check on that, so it will be converted to a LicenseRef, and we have introduced this LicenseRef FOSSology prefix
06:46
for that. In the upcoming updates we will further enhance this and provide users a way to write actual SPDX license expressions, including AND, OR and WITH exceptions.
07:02
Yeah, so with the reports: with various DocFests with SPDX we came to understand that many of our reports were flawed. So we tried to fix them, and at the same time update them to the latest spec, 2.3.
07:22
So what was wrong? The extracted licensing info was missing. As I said, you can have your own custom license text in FOSSology, so if any of the files has a finding of that license text or a conclusion on it, the license text itself was missing from the report.
07:42
We have fixed that. Also the package verification code used by SPDX: the algorithm internally was a little wrong, so yeah, a minor fix. Then at the same time we compared the spec and the fields which FOSSology can store, and we figured out we can have the version information as well in the report, the release date,
08:06
along with external refs like PURLs, Maven, NuGet and such stuff. Yeah, and at the same time FOSSology also allows you to manage your acknowledgments and obligations, so
08:24
we use the attribution text field for providing acknowledgments for specific files, and the same attribution text field for the entire package if you have any obligation related to a license. And also the
08:42
calculation of conjunctive licenses and disjunctive licenses, that was wrong. FOSSology has a special license called dual license, so yeah, we have fixed how we are going to calculate that now, so not every license in the report is
09:01
now a disjunctive license set. And yeah, also at the same time we added the missing license name and text, also for the listed licenses. So with that, I guess pretty much all our SPDX reports should now be valid. So yep, thank you, and please consider starring us on GitHub if you do use them, and if you have any questions...
09:25
Yes, please. Okay, so the question is which format we use for SPDX. FOSSology currently supports the RDF and the tag-value format.
09:58
Okay.
10:02
Okay, so yeah, the question is, with SPDX ID, if there is a custom license text, how does it end up in the report? So with the SPDX RDF format, it's a self-contained report, so it will contain your SPDX ID, the license name, as well as your custom license text.
10:22
Along with all the other various formats which FOSSology supports, README OSS, your unified report, they will work the same. It's just that instead of using the license name, which was coming from the short name field, we are going to use the SPDX ID field now.
10:41
Okay, yeah, so if you see here, SPDX has this field called license text, so you can include information like the name of the license, the license ID, its text, if you have any external ref, and such stuff.
11:01
So it's there for RDF. For tag-value I am not very sure, we need to check, because for custom text they do support it for the tag-value format as well, but yeah, for a standard one they do not.
11:21
Any more questions?