Hi Bill,
I'm not sure this is really the same as the historical SPDX Lite
requirement, it's more of an author-centric viewpoint.
By all means though let's all try to find a spot to explore this a bit and
see what's possible while we're here.
Kate
On Wed, Mar 30, 2016 at 4:24 PM, Bill Schineller <
[email protected]> wrote:
> Hi David,
> Gary and I were talking about this at lunch - yes, your use case, which
> is an important one for lowering the barrier for upstream projects to
> declare licenses in a standardized way - represents an 'SPDX Lite'
> requirement/use case that has often come up.
>
> Let's chat about it while we are all here at Collab.
>
> Bill Schineller
> VP Engineering - KnowledgeBase
> Black Duck Software
> 781-425-4405
> 508-308-5921 (cell)
> [email protected]
>
> On 3/30/16, 2:18 PM, "[email protected] on behalf of
> Wheeler, David A" <[email protected] on behalf of
> [email protected]> wrote:
>
> >I'm primarily interested in the use case where software developers
> *assert* their license(s) in terms of a license expression, and the SPDX
> file (if any) is *embedded* in the package as a *hand-created* file
> (created by the developers).
> >
> >In this use case, I think that many of the "mandatory" tags should
> actually *NOT* be mandatory. In particular, these are the *only* tags I
> would use in this use case (filled in with an example):
> > SPDXVersion: SPDX-2.0
> > DataLicense: CC0-1.0
> > PackageName: Foo
> > PackageOriginator: David A. Wheeler
> > PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/
> > PackageLicenseDeclared: MIT
> >
> >This means that many tags identified as mandatory should *NOT* be
> mandatory in this use case (in my opinion). For example:
> >* the "Created" datetime stamp should NOT be used. Developers use
> version control systems to manage that, and any value entered will be
> unmaintained (and thus WRONG).
> >* "DocumentName" - you can see what it is, there's no need for it.
> >* "PackageDownloadLocation" - the specific URL for this particular
> version changes all the time.
> >
> >I'm not saying these tags are useless - when SPDX is used to exchange the
> results of external analysis, these tags *are* important. But I think
> this is a different use case, and it should be unsurprising that
> what's needed is different.
> >
> >I only noticed this when I tried to write a tutorial trying to explain
> how to use the SPDX file in this use case.
> >
> >Anyway, my two cents.
> >
> >--- David A. Wheeler
> >
> >_______________________________________________
> >Spdx-tech mailing list
> >[email protected]
> >https://lists.spdx.org/mailman/listinfo/spdx-tech
>
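
An added example, not part of the thread and not SPDX project code: a small checker for the hand-created, author-asserted file described in the quoted message. It reports which of the six listed tags are missing or duplicated and which of the three disputed tags appear. The function and constant names are hypothetical, and it assumes single-line `Tag: value` entries with `#` comment lines.

```python
import re

# The six tags the quoted message lists as the only ones to use here.
AUTHOR_TAGS = ["SPDXVersion", "DataLicense", "PackageName",
               "PackageOriginator", "PackageHomePage", "PackageLicenseDeclared"]
# Tags the message argues should not be mandatory in this use case.
DISPUTED_TAGS = ["Created", "DocumentName", "PackageDownloadLocation"]
TAG_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*):\s*(.*?)\s*$")

# The example file exactly as given in the quoted message.
MESSAGE_EXAMPLE = """\
SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
PackageName: Foo
PackageOriginator: David A. Wheeler
PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/
PackageLicenseDeclared: MIT
"""
# Constructed for this example: stale timestamp, duplicate tag, stray line.
CONSTRUCTED_SAMPLE = """\
# constructed sample
SPDXVersion: SPDX-2.0
PackageName: Foo
Created: 2016-03-30T18:18:00Z
PackageName: Foo
this line has no tag
"""

def parse_tag_value(text):
    """Return (list of (tag, value), line numbers that are not 'Tag: value')."""
    pairs, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = TAG_LINE.match(line)
        if m and m.group(2):
            pairs.append((m.group(1), m.group(2)))
        else:
            malformed.append(lineno)
    return pairs, malformed

def check_author_file(text):
    pairs, malformed = parse_tag_value(text)
    seen = [tag for tag, _ in pairs]
    return {
        "missing": [t for t in AUTHOR_TAGS if t not in seen],
        "duplicated": sorted({t for t in seen if seen.count(t) > 1}),
        "disputed_present": [t for t in DISPUTED_TAGS if t in seen],
        "malformed_lines": malformed,
    }
```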