On 09/27/2013 05:29 PM, RUFFIN, MICHEL (MICHEL) wrote:
> There is also a big issue to be addressed (by SPDX?): the unique identification
> of FOSS in order to automate things. In the Java world there is a way to
> identify uniquely libraries with the GAV (Group, Artifact, Version) system of
> Maven, but for other languages there is nothing except perhaps the CERT
> identification, but it is not a standard.
Funny, the Maven Central repository is one of the biggest piles of crap
I have seen when it comes to license compliance, with packages with the
same name and version number and completely different files inside, so I
am not so sure that is a good example ;-)
There definitely is a generic method for identifying software:
checksums. They are far, far more accurate than GAV ever can be. Many
build systems out there actually use them one way or another, ranging
from checksumming a tarball and perhaps patches (Yocto, OpenWrt) to
checksumming everything that can possibly be checksummed, like Nix
( http://www.nixos.org/ ).
But to be honest I really don't see why this should be addressed in SPDX
in the first place. SPDX is already getting waaaay too complex for my taste.
armijn
--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
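The following is an added illustration of the point Armijn makes above, not code from the thread or from Yocto, OpenWrt or Nix themselves. It contrasts the two checksum styles mentioned in the reply: a "tarball plus patches" identity (the Yocto/OpenWrt style) and a "hash every file's content" identity (the Nix style, loosely modelled). The sample packages, file contents and patch are constructed inline; the function names and the exact hashing layout are this example's own assumptions, not any tool's real format. Two packages that share the name and version `foo-1.0` but differ in one file get different digests, which is exactly the situation a name/version identifier cannot detect.

```python
"""Content-based identification of source artifacts (added example, not from the thread)."""
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tarball(files: dict, mtime: int = 0) -> bytes:
    """Build an in-memory tar archive from {path: content}.
    Member metadata is pinned so the archive bytes depend only on the inputs given."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_identity(tarball: bytes, patches=()) -> dict:
    """Yocto/OpenWrt-style identity: digest of the source tarball plus of each patch.
    (Hypothetical layout; real recipes store these as SRC_URI checksums.)"""
    return {"src": sha256_hex(tarball), "patches": [sha256_hex(p) for p in patches]}


def content_identity(tarball: bytes) -> str:
    """Nix-style identity (loosely modelled): hash every member's path and content,
    ignoring archive metadata such as mtime, so a repacked tarball keeps its identity."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            h.update(member.name.encode() + b"\0" + sha256_hex(data).encode() + b"\n")
    return h.hexdigest()


def verify(expected: dict, tarball: bytes, patches=()) -> list:
    """Compare recorded digests to what was actually fetched; return a list of mismatches
    (empty list means the fetched sources are exactly what was recorded)."""
    actual = tarball_identity(tarball, patches)
    problems = []
    if actual["src"] != expected["src"]:
        problems.append("source tarball digest mismatch")
    if len(actual["patches"]) != len(expected["patches"]):
        problems.append("patch count mismatch")
    else:
        for i, (a, e) in enumerate(zip(actual["patches"], expected["patches"])):
            if a != e:
                problems.append(f"patch {i} digest mismatch")
    return problems


# Constructed sample inputs: two "foo-1.0" packages sharing name and version.
GOOD_FILES = {
    "foo-1.0/foo.c": b"int main(void){return 0;}\n",
    "foo-1.0/LICENSE": b"MIT License\n",
}
# Same name and version, one file differs: a name/version identifier cannot tell these apart.
BAD_FILES = {**GOOD_FILES, "foo-1.0/foo.c": b"int main(void){return 1;}\n"}
# Constructed patch, hashed alongside the tarball the way a recipe would record it.
PATCH = (b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n"
         b"-int main(void){return 0;}\n+int main(void){return 0;} /* patched */\n")

GOOD_TAR = build_tarball(GOOD_FILES)
BAD_TAR = build_tarball(BAD_FILES)
GOOD_TAR_REPACKED = build_tarball(GOOD_FILES, mtime=1700000000)  # same content, different archive bytes

if __name__ == "__main__":
    recorded = tarball_identity(GOOD_TAR, [PATCH])
    print("recorded identity:", recorded)
    print("good fetch problems:", verify(recorded, GOOD_TAR, [PATCH]))
    print("bad fetch problems:", verify(recorded, BAD_TAR, [PATCH]))
    print("repacked tarball, Yocto-style:", verify(recorded, GOOD_TAR_REPACKED, [PATCH]))
    print("repacked tarball, Nix-style equal:",
          content_identity(GOOD_TAR) == content_identity(GOOD_TAR_REPACKED))
```

The tarball-level digest is the simplest to record but changes whenever the archive is repacked, even with identical contents; the per-file content digest survives repacking and catches the same tampering, at the cost of having to unpack and walk the archive.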