Hi Hideki, Quoting Hideki Yamane (2023-09-08 08:39:09) ½> > tl;dr: How about considering updating debian/copyright format to have > more compatibility with SPDX format > > > SBOM is expected to be used widely and several tools support it as a trend > now, since US government asks to use it. There are two formats for it, > Software Package Data Exchange (SPDX) and CycloneDX. > > SPDX is led by the Linux foundation project, OpenChain for license > compliance. And CycloneDX is developed by the Open Web Application Security > Project (OWASP), so it is intended to use track vulnerabilities, IMO. > > > Well, as I said above, several tools support SPDX and CycloneDX now and > continue to be expanded, so I consider it'd be better if debian/copyright > has more compatibilities with them, especially SPDX. It would be easier > to handle debian/copyright data with tools that are outside of Debian. > > > Making appropriate debian/copyright file is hard and boring task, IMHO, > but if non-Debian people also can help it, it would be easier to fix it.
Only issue I am aware of is that SPDX shortname "MIT" equals Debian shortname "Expat". It sounds like you are referring to more and larger incompatibilities than that. Do you mean e.g. support for checksums of files (which will blow up size and kill readability of the file)? Perhaps as a start compile a list of incompatibilities on a wiki page - or point to it if one already exists. Then we can add pros and cons at that page, as the discussion here progresses. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ * Sponsorship: https://ko-fi.com/drjones [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature