Hello Everyone,

REA has created an SPDX V 2.3 Tag Value SBOM that we "hope" is valid.
Will share this SBOM with anyone interested in testing/validating/discussing SPDX V2.3 SBOM.

NOTE: This SBOM is used for software supply chain risk assessment ONLY and does not include license use case information.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Saturday, August 27, 2022 2:45 PM
To: Gary O'Neall <[email protected]>
Cc: SPDX Technical Mailing List <[email protected]>
Subject: Re: [spdx-tech] PDF file for the SPDX 2.3 Specification - partial success!

Thanks Gary, much appreciate the direction

> On Aug 27, 2022, at 1:55 PM, Gary O'Neall <[email protected]> wrote:
>
> Hi Dick,
>
> If you have a package with a PrimaryPackagePurpose of "FILE", I would
> agree you could just have a packageName property and not be required
> to have an additional SpdxFile object. Also, setting FilesAnalyzed to
> false would be correct IMO.
>
> Regards,
> Gary
>
>> -----Original Message-----
>> From: [email protected] <[email protected]> On Behalf Of Dick Brooks
>> Sent: Saturday, August 27, 2022 9:37 AM
>> To: 'SPDX Technical Mailing List' <[email protected]>
>> Subject: Re: [spdx-tech] PDF file for the SPDX 2.3 Specification - partial success!
>>
>> Hello Everyone,
>>
>> Hoping someone can provide insights under the topic of "Fun with
>> FilesAnalyzed" in V 2.3.
>>
>> Now that we have a PrimaryPackagePurpose with a "FILE" option, do we
>> ever need to produce a "FileName" object in a V 2.3 SPDX SBOM?
>> If no, should we always set FilesAnalyzed = false and just show
>> PackageName objects?
>>
>> I welcome your insights.
>>
>> Thanks,
>>
>> Dick Brooks
>>
>> Active Member of the CISA Critical Manufacturing Sector, Sector
>> Coordinating Council - A Public-Private Partnership
>>
>> Never trust software, always verify and report! ™
>> http://www.reliableenergyanalytics.com
>> Email: [email protected]
>> Tel: +1 978-696-1788
>>
>> -----Original Message-----
>> From: [email protected] <[email protected]> On Behalf Of Sebastian Crane
>> Sent: Tuesday, August 23, 2022 2:12 PM
>> To: SPDX Technical Mailing List <[email protected]>
>> Subject: [spdx-tech] PDF file for the SPDX 2.3 Specification - partial success!
>>
>> Dear all,
>>
>> I have been able to generate a PDF file of the SPDX 2.3 Specification
>> using the TeX template which is present in our GitHub 'Org'. However,
>> there are some issues with text overlapping the margins on pages 36
>> and 183. Additionally, I have not yet added the cover page or any
>> headers/footers. Finally, the visual presentation appears different
>> from SPDX 2.2.1's PDF file (I haven't been able to locate the theming
>> information that's been used in the past. Given the typeface used, it
>> appears to have been generated using Microsoft Word rather than TeX).
>>
>> Please see the attached PDF file if you are interested, but don't
>> consider it to be an official SPDX document at this point, due to the
>> aforementioned typographical errors and any other issues that might
>> be found before publication.
>>
>> If you want the 'real' SPDX 2.3 specification, please see our website
>> for the HTML version: https://spdx.dev/specifications/
>>
>> Best wishes,
>>
>> Sebastian
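Added example, not part of the thread and not code from REA or the SPDX project: a Python check over an SPDX 2.3 tag-value fragment for the convention discussed above, a package with PrimaryPackagePurpose FILE that sets FilesAnalyzed to false and carries no file entries. The sample SBOM, function names and finding messages are constructed; the PackageVerificationCode check assumes the SPDX rule that this field is omitted when FilesAnalyzed is false.

```python
import re

# Constructed tag-value fragment (not the SBOM mentioned in the thread);
# the second package is inconsistent on purpose.
SAMPLE = """\
PackageName: installer.exe
SPDXID: SPDXRef-Package-installer
PrimaryPackagePurpose: FILE
FilesAnalyzed: false
PackageName: updater.exe
SPDXID: SPDXRef-Package-updater
PrimaryPackagePurpose: FILE
FilesAnalyzed: false
PackageVerificationCode: 0000000000000000000000000000000000000000
FileName: ./updater.exe
SPDXID: SPDXRef-File-updater
"""

# One "Tag: value" pair per line; multi-line <text> values are not handled here.
TAG = re.compile(r"^[ \t]*([A-Za-z]+):[ \t]*(.*)$", re.M)

def parse_packages(text):
    """Group tags into packages; FileName entries attach to the preceding package."""
    packages, current = [], None
    for tag, value in TAG.findall(text):
        if tag == "PackageName":
            current = {"PackageName": value, "files": []}
            packages.append(current)
        elif current is not None and tag == "FileName":
            current["files"].append(value)
        elif current is not None and not current["files"]:
            # Tags after the first FileName describe that file, not the package.
            current.setdefault(tag, value)
    return packages

def check_file_packages(text):
    """Return (package, problem) pairs for FILE-purpose packages."""
    findings = []
    for p in parse_packages(text):
        if p.get("PrimaryPackagePurpose") != "FILE":
            continue
        # FilesAnalyzed defaults to true when the tag is omitted.
        not_analyzed = p.get("FilesAnalyzed", "true").lower() == "false"
        problems = {
            "FilesAnalyzed is not false": not not_analyzed,
            "PackageVerificationCode present": not_analyzed and "PackageVerificationCode" in p,
            "FileName entries present": not_analyzed and bool(p["files"]),
        }
        findings += [(p["PackageName"], msg) for msg, bad in problems.items() if bad]
    return findings
```
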
