https://bugs.linuxfoundation.org/show_bug.cgi?id=1113
Bill Schineller <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bschineller@blackducksoftware.com
         Resolution|                            |FIXED

--- Comment #4 from Bill Schineller <[email protected]> 2015-03-10 17:36:22 UTC ---

Here is the current text in SPDX 2.0 for Download Location:

"3.7.1 Purpose: This section identifies the download Universal Resource Locator (URL), or a specific location within a version control system (VCS) for the package at the time that the SPDX file was created. If there is no public (or internal) URL, then it is explicitly marked as NONE. If there is insufficient knowledge about whether a public or internal download mechanism exists or not, then NOASSERTION should be used.

3.7.2 Intent: Here, where and how to download the exact package being referenced is critical verification and tracking data."

Methinks the language 'at the time that the SPDX file was created' makes clear that this field can be for wherever the SPDX producer got the code. That would include a mirror, if that's where code came from.

Gary did write up best practices.
