Hi,

I saw that a proposal for SPDX 2.0 listed some ideas about binaries, ELF
dependencies and so on. Having extensively researched binaries in a
compliance context for the last 8 years, I can already tell that it is
impossible to accurately capture binaries in a format like SPDX. You can
get quite far, but never 100% because binary scanning is fuzzy by nature
and there are tons of exceptions. The proposal for 2.0 that is there now
simply isn't good enough to capture the binary world.

At LinuxCon Europe in Edinburgh I will talk about research I did into
binary scanning in a compliance context. I was wondering if anyone would
be interested in discussing SPDX for binaries at LinuxCon Europe.

Warm regards,
armijn
--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions