First blog post about collaboration published yesterday. Thomas gives update on future plans for collaboration.
Sebastian: Will they start contributing code to ORT, e.g. scanner integration?
Thomas: Starting slowly, FOSSID will provide access to a copy of FOSSID. We need to run it on our own, because they have no SAAS offering.
Current status of integration: FOSS ID shows results of the analyzer as a flat list.
Thomas: We need a way to share secrets between team members.
AP Sebastian: Search for options like LastPass, or a hosted drive like Dropbox that works on Linux as well.
We need a way to provide data to ORT about dependencies of unmanaged projects. For this SPDX package manifests could be used: spdx/spdx-spec#439
AP Sebastian: Try integration of the SPDX package manifest with the analyzer (see #2838).
Sebastian: The format is missing a way to classify the dependencies, e.g. is it a third-party dependency or company-internal, closed- or open-source, or requires a license. Also the type of application, e.g. is it a service or a library, was the package modified, and so on.
Thomas: Please add the requirements to the ticket.
Thomas: Currently custom data is added to the ORT result using jq. There should be an easy way to add this custom data on the command line when calling ORT, like it's possible for the reporter options. (TODO: Make GitHub ticket)
Frank: Question regarding optionss 1 and 2. How should detected licenses be associated with the packages defined in the spdx.yml? Seems obvious in option 1, but not in 2.
Sebastian: Benefit of option 2 is that no "Unmanaged" project is required.
Frank: The potential problem is that detected licenses of packages which are part of the same file tree need to be associated to the packages, not the project. This needs to be solved in the implementation.
Sebastian: Correctly matching this would probably require to implement scan-by-repository first.
Martin: Problem with git-repo was the blocker why scan-by-repository is not already implemented.
Thomas: What would happen if there are multiple spdx.yml in the file tree? -> Needs to be solved later, e.g. when implementing it.
Sebastian: Should the filenames be limited to project.spdx.yml and package.spdx.yml?
Thomas: It was actually requested to allow other names, like e.g. curl.spex.yml.
Frank: For projects that support multiple langauges in one directory it could be useful to allow e.g. protobuf.java.xml, protobuf.c.yml.
Slowly making progress, original copyright holders need to sign off to formally agree that they are ok to change the copyrights.
Sebastian: Does the Linux Foundation provide any infrastructure?
Thomas: No, we have to set it up ourselves. Maybe Jenkins Foundation could provide one.
Martin: Future meetings should always start with review of open action points.
TSC agrees to schedule the next TSC meeting on August 5th, 2020 at 10am CEST.