Posted to dev@creadur.apache.org by Gary O'Neall <ga...@sourceauditor.com> on 2014/06/12 20:37:03 UTC

Request for collaboration on SPDX

Greetings all,

I am new to Apache Creadur, but have been working on a very related effort,
the Software Product Data Exchange (SPDX).

It seems that there are some good potential collaborations ranging from
simply comparing notes on meta data definitions to very specific tooling
efforts.

More background and a couple specific proposal/questions below:

The SPDX specification is a standard format for communicating the
components, licenses and copyrights associated with a software package.  We
are on version 1.2 of the spec and it is in use at several of the SPDX
participating companies (see www.spdx.org for more info).

I have also been working on a prototype Maven plugin to produce SPDX
documents with some help from the Maven developer community
(https://github.com/goneall/spdx-maven-plugin). 

The motivation for the plugin was the result of a discussion between Phil
Odence and myself (from SPDX) and Jim Jagielski and Henri Yandell (from
Apache) on ideas for how Apache projects could produce or utilize SPDX.  It
was suggested that a maven plugin would substantially reduce the effort for
several Apache projects.
 
After learning more about Creadur and especially Whisker, Henri and I are
now thinking it may make a lot more sense to work with the Creadur project
within the Apache community.

I have the Whisker code now in my development environment and I have browsed
the code and the model documentation on the web.

It seems that Whisker could be extended to produce SPDX documents.  It is
also possible to go the other way and generate some of the Whisker meta data
from SPDX.

I would be happy to contribute substantially to such an effort if the
Creadur community agrees that this makes sense.  Please let me know if there
is interest in such a collaboration.  

Question 1: Please let me know your thoughts on extending Whisker to produce
SPDX documents.

A key goal for the SPDX community is for SPDX documents to be generated by
code originators to increase the fidelity of license information to
downstream consumers.  I would like to find a path to get SPDX documents
generated as a standard practice for Apache (e.g. include a plugin in the
parent POM for Maven built Apache projects).  

Question 2: I would appreciate any advice on the best path to Apache
projects producing SPDX documents - integration with Creadur efforts, an
independent maven plugin/ant script, or some other approach.

Thanks,
Gary