Comments (28)
There is ~~an account~~ a project (see Max' correction below) that is used for tools-python, but I don't think it was intended as an "official SPDX account". @maxhbr and @pombredanne have access to it. I am not sure whether it makes more sense to use this account and extend the list of people with access, or create a new one for various SPDX releases.
from ntia-conformance-checker.
@anthonyharrison - We don't have an email list specific to the tools or this project. We do have an email alias for security, but that probably wouldn't be appropriate for the PyPI registration.
@kestewart - How hard would it be to set up another email alias like the one suggested above?
If you can add multiple emails, there are 4 maintainers - we could add those.
from ntia-conformance-checker.
+1 on semantic versioning and any automation.
Not much of an opinion on hosting releases on GitHub - It would make the automation easier, but PyPI would make the releases more accessible.
from ntia-conformance-checker.
> For this first, manual release, I propose doing a release here, on GitHub, in the so-called releases page. That's very easy.

@jspeed-meyers - Works for me
from ntia-conformance-checker.
@jspeed-meyers Happy to help getting this tool onto PyPI.
Here is an SPDX SBOM of the current release of the checker (created using sbom4python)
sbom4python --module ntia-conformance-checker --output ntia.spdx
Would be useful if this was included as part of the release process.
from ntia-conformance-checker.
I don't know of an official SPDX account on PyPI.
@pombredanne, @nicoweidner, @licquia - any input on this?
from ntia-conformance-checker.
> I don't know of an official SPDX account on PyPI.

I do not know of any technical LF account. For the tools python the individual accounts were granted permissions and they published the releases.

> There is an account that is used for tools-python, ...

The tools-python on PyPI is a project, not an account.
from ntia-conformance-checker.
Thanks for the info @maxhbr @nicoweidner @goneall.
If there isn't a spdx account on PyPI, we will set up an account specifically for the ntia-conformance-checker.
When setting up the metadata for PyPI, we should provide an email address for the project author(s) and maintainer(s). I was wondering if there is an email address e.g. [email protected] which can then be the single point of contact rather than an arbitrary developer account.
from ntia-conformance-checker.
@goneall - we do have an implementers mailing list for tools https://lists.spdx.org/g/spdx-implementers.
If folks want emails per tools, that should be possible to set up, but I'd like someone else to volunteer to be owner for them, so that I'm not having to deal with SPAM, etc.
from ntia-conformance-checker.
@goneall my only hesitation there is blasting those subscribed to the list with emails that aren't relevant to them. I worry it may make them ignore the emails that come from humans trying to reach subscribers. Could we use the spdx-implementers owner email? [email protected]?
from ntia-conformance-checker.
I just tested the email and it goes to Kate - so as long as @kestewart is good with this, it sounds like a solution.
from ntia-conformance-checker.
@rnjudge, @goneall - I'd rather not be on point for forwarding information here, as my inbox is a disaster, and I'm likely to miss something. Rose, can I make you the owner of the mailing list (which kinda makes sense since you're running the implementers discussions)?
from ntia-conformance-checker.
@kestewart Yes, this makes sense for me to be the owner of the mailing list. I thought I already was which is why I suggested it :) I did receive an email from @goneall yesterday early evening... so maybe we both were listed as owners already?
from ntia-conformance-checker.
Given the helpful information above (thank you all), I think I'll put in a PR to use [email protected], and expect for @rnjudge to field any emails and send them to Gary and me should it be necessary. I expect no/low traffic.
from ntia-conformance-checker.
Good point on PyPI making releases more accessible. That works equally well for me. I just didn't want to obligate the project to also having dependencies on PyPI unless others thought it was worth it.
from ntia-conformance-checker.
@jspeed-meyers What do you think of spinning a manual release? I'm going to do an update to the SPDX online tools in the next couple of days and it would be great to include a released version of the conformance checker.
from ntia-conformance-checker.
@goneall, a manual release is fine by me! Do you want help? Do you want me to do it? Should we do it together?
I have a little experience with doing PyPI releases, but I have done one in a couple years.
from ntia-conformance-checker.
@jspeed-meyers - I'd appreciate the help. I'm more of a Java person and have not done a PyPI release. I'd be happy to help, but since I've no experience it may be faster if you produce the build - do let me know, however, if I can help out and take on any tasks.
from ntia-conformance-checker.
@goneall, I have a proposal. For this first, manual release, I propose doing a release here, on GitHub, in the so-called releases page. That's very easy.
And then, I'll work on creating a proper, automated release on PyPI next. Does that work for you?
from ntia-conformance-checker.
Manual release via GitHub releases done: https://github.com/spdx/ntia-conformance-checker/releases/tag/v0.1.0
@goneall, please let me know if this does the trick. I hope so! (And think so!)
But I'll keep this issue open until I actually put in a PR to do this in automated fashion. Here's one resource I'll probably use to do this.
from ntia-conformance-checker.
@anthonyharrison, indeed! That is very helpful. Thank you.
How would you like to proceed? Do you want me to start a PR (I could on Friday) and then ping you?
from ntia-conformance-checker.
@jspeed-meyers Yes a PR would be good. I will see if I can start putting a pull request together. Is there an spdx account on pypi that can be used? Does @goneall know?
from ntia-conformance-checker.
@anthonyharrison, I don't know if there is an SPDX account on PyPI. But I like where you're going. It would be nice to use an account that is associated with SPDX so that it is not associated with our personal accounts.
We can wait for @goneall's response.
As a plan B: We could create a gmail account specific to this project and ensure only a small set of SPDX-affiliated maintainers have the credentials. We could then use that gmail to register a PyPI account and claim a PyPI namespace.
from ntia-conformance-checker.
@goneall - I'd suggest we use [email protected] then.
How does that sound?
from ntia-conformance-checker.
@rnjudge - what do you think about using the [email protected] as the contact for the Python PyPI account?
from ntia-conformance-checker.
> Could we use the spdx-implementers owner email? [email protected]?

Good call. We'll use [email protected] unless someone objects then. Thank you, @rnjudge and @goneall.
And for associating a PyPI package with one or more PyPI maintainers: I'll plan on tying the project to a single new gmail address and I'll share the credentials privately with the maintainers of this project.
from ntia-conformance-checker.
Just a heads up @jspeed-meyers that I believe PyPI will require 2FA in order to push releases to PyPI (they do with Tern) so make sure to set that up and save the recovery codes they give you!
from ntia-conformance-checker.
Ah, thank you, @rnjudge.
from ntia-conformance-checker.