Hi Heinz,

I would say the most important difference between 2.0 and 1.x is the addition of relationships. Relationships can describe how a file is related to its containing package and how a package is related to other packages. Other differences include annotations to document reviewing information, the ability to reference external SPDX documents, and a few other changes. You can find a full listing of differences on page 8 of the 2.0 spec (https://spdx.org/sites/cpstandard/files/pages/files/spdx-2.0.pdf).

Generally, the ability to take advantage of relationships has been limited by the constraint that in order to document a relationship to a package in SPDX 2.0, the full contents of that package must also be documented. For this reason, when Black Duck generates SPDX 2.0 (using its knowledge base (https://www.blackducksoftware.com/products/knowledgebase) of over 1.1 million open source projects), we use the more generic artifactOf field to present relationships of scanned projects to detected open source components. If you'd like more information about Black Duck products, I'd be happy to put you in touch with a product specialist.

It's important to note that the newly released SPDX 2.1 specification alleviates the above limitation, thus allowing for very meaningful and descriptive use of relationships. It also has support for external references, such as those to vulnerability databases and package managers, and snippets, allowing you to document which portions of a file are related to other files or packages. The specification of SPDX 2.1 is available here (https://spdx.org/sites/cpstandard/files/pages/files/spdxversion2.1.pdf), and a full listing of differences from the previous specification starts on page 7. If you are looking to institutionalize support for SPDX, I would suggest going with the new 2.1 specification.

I hope this helps. Please let me know if I can answer any further questions.

Yev Bronshteyn
Senior Software Engineer
E: [email protected]
blackducksoftware.com (https://www.blackducksoftware.com/)

P.S. I will be doing a more detailed presentation on the underpinnings of SPDX at LinuxCon Europe in Berlin. I hope to see you there.
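As an added example, not code from either message nor a Black Duck tool: a small Python check over a constructed SPDX 2.1 tag-value document (all identifiers and URLs are made up) that resolves each Relationship target against the document's own SPDXIDs and its declared ExternalDocumentRefs, and pulls out the SECURITY external references the reply mentions.

```python
"""Sanity-check relationships in an SPDX 2.1 tag-value document.

Every SPDXID a Relationship points at must either be defined in this
document or belong to a document declared via ExternalDocumentRef
(target written as DocumentRef-xxx:SPDXRef-yyy). Unresolved targets are
the gaps a consumer of the SBOM would otherwise silently ignore."""
import re
from collections import defaultdict

# Constructed sample document; package names, IDs, URL and CPE are illustrative.
SAMPLE_DOC = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: scanned-app
ExternalDocumentRef: DocumentRef-vendor-sbom https://example.invalid/vendor.spdx SHA1: 0000000000000000000000000000000000000000
PackageName: scanned-app
SPDXID: SPDXRef-App
ExternalRef: PACKAGE-MANAGER maven-central com.example:scanned-app:1.0
Relationship: SPDXRef-App CONTAINS SPDXRef-Lib
Relationship: SPDXRef-App DEPENDS_ON DocumentRef-vendor-sbom:SPDXRef-Crypto
Relationship: SPDXRef-App DEPENDS_ON SPDXRef-Missing
PackageName: some-lib
SPDXID: SPDXRef-Lib
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:some-lib:2.4:*:*:*:*:*:*:*
"""

TAG_RE = re.compile(r"^(\w+):\s*(.*)$")

def parse_tag_value(text):
    """Return {tag: [values...]} in order of appearance (tags may repeat)."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            fields[m.group(1)].append(m.group(2).strip())
    return fields

def check_relationships(text):
    """Return (resolved, unresolved) lists of Relationship target IDs."""
    fields = parse_tag_value(text)
    defined = set(fields["SPDXID"])
    ext_docs = {v.split()[0] for v in fields["ExternalDocumentRef"]}
    resolved, unresolved = [], []
    for rel in fields["Relationship"]:
        _src, _rtype, target = rel.split(maxsplit=2)
        if ":" in target:  # DocumentRef-xxx:SPDXRef-yyy lives in another SPDX document
            ok = target.split(":", 1)[0] in ext_docs
        else:
            ok = target in defined
        (resolved if ok else unresolved).append(target)
    return resolved, unresolved

def security_refs(text):
    """Collect SECURITY ExternalRef locators (e.g. CPE IDs for vulnerability lookup)."""
    return [v.split(maxsplit=2)[2] for v in parse_tag_value(text)["ExternalRef"]
            if v.startswith("SECURITY ")]
```

On the sample, SPDXRef-Missing is reported as unresolved while the DocumentRef-qualified target resolves through the declared external document.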
From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Date: Wednesday, July 27, 2016 at 9:22 AM
To: "[email protected]" <[email protected]>
Subject: Question about different SPDX versions

Dear Sir or Madam,

I would like to get detailed information about the differences between versions 1.x and 2.0 of the specification. We want to use SPDX for the exchange of FOSS-related information. We have several development teams, and one of them is using Yocto, where only SPDX version 1.x is available. Is there documentation available showing the differences between the specification versions? How long will SPDX 1.x be supported? What is your experience with tools, e.g. BlackDuck, … Do they support different versions of the specification?

Best Regards,

Heinz Hille
Daimler AG
Group Research & Advanced Engineering
Safeguarding Hardware & Software (RD/EEQ)
HPC G012-BB
Hanns-Klemm-Str. 45
71034 Böblingen
Deutschland
Mobile: +4915158613567
Fax: +49 711 3052140503
email: [email protected]

If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
