Dear Sebastian,

> many package managers (Maven, NPM etc.) have a dedicated "authors" (or
> something "developers") metadata field that is distinct from copyright
> holder information. I'm looking for a way to track this metadata in
> SPDX YAML files. The closest thing I've found is the PackageOriginator
> field, but I'm not entirely sure if it's suitable. And more
> importantly, if I'm safe to assume that any mentioned
> PackageOriginator in an SPDX file I receive also is an author /
> developer. Any insights on that?
>
> Thanks in advance!
Section 4.14 of the SPDX 2.2 specification describes the FileContributor data, which seems to be what you are looking for: its cardinality is unlimited, so you can list multiple authors who may not be copyright holders. However, I could not see any equivalent property for describing authors of packages. PackageOriginator has a maximum cardinality of only 1, so it would only really be useful for describing a single organisation or project.

If I recall correctly, the tooling that you develop creates file-level Software Bills of Materials, so maybe the FileContributor information is suitable for your use case?

Best wishes,
Sebastian

PS. Nice name by the way ;)

Links: You receive all messages sent to this group.
View/Reply Online (#4170): https://lists.spdx.org/g/Spdx-tech/message/4170
Mute This Topic: https://lists.spdx.org/mt/85432130/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
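The distinction discussed above (one PackageOriginator per package, any number of FileContributor entries per file, neither guaranteed to equal the copyright holder) can be checked mechanically when consuming an SPDX 2.2 document. The following is an added example, not code from the thread or from the SPDX project; it reads the JSON serialization of SPDX 2.2 (the YAML form uses the same `originator` and `fileContributors` keys), and the sample document is constructed for illustration.

```python
import json
import re

# Constructed sample SPDX 2.2 document (JSON serialization); not from the thread.
SAMPLE_SPDX = """
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-doc",
  "packages": [
    {"SPDXID": "SPDXRef-Package-foo", "name": "foo",
     "originator": "Organization: Example Project (maintainers@example.org)",
     "copyrightText": "Copyright 2021 Example Corp"}
  ],
  "files": [
    {"SPDXID": "SPDXRef-File-main", "fileName": "./src/main.c",
     "fileContributors": ["Alice Dev", "Bob Coder"],
     "copyrightText": "Copyright 2021 Example Corp"}
  ]
}
"""

# PackageOriginator values are "Person: ..." or "Organization: ..." (or NOASSERTION).
ACTOR_RE = re.compile(r"^(Person|Organization): .+$")


def load_spdx(text):
    """Parse an SPDX 2.2 JSON document into a dict."""
    return json.loads(text)


def package_originators(doc):
    """Return {package SPDXID: originator or None}.
    PackageOriginator has maximum cardinality 1, so a list is rejected,
    as is a value that is not an SPDX actor string."""
    result = {}
    for pkg in doc.get("packages", []):
        orig = pkg.get("originator")
        if isinstance(orig, list):
            raise ValueError(f"{pkg['SPDXID']}: originator must be a single value")
        if orig not in (None, "NOASSERTION") and not ACTOR_RE.match(orig):
            raise ValueError(f"{pkg['SPDXID']}: malformed originator {orig!r}")
        result[pkg["SPDXID"]] = orig
    return result


def file_contributors(doc):
    """Return {file SPDXID: [contributors]}; FileContributor is unbounded,
    so an empty list simply means none were recorded."""
    return {f["SPDXID"]: list(f.get("fileContributors", []))
            for f in doc.get("files", [])}
```

Note that neither function consults `copyrightText`: an originator or contributor is not treated as a copyright holder, which is exactly the assumption the question asks about.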