Hi SPDX friends, I have some questions about the Package Supplier attribute and could use some discussion. Like many others here, the EO is a concern, and in glancing at the NTIA document ( https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf ) I'm concerned about the definitions between the two fields. Apologies if this was discussed elsewhere, I couldn't find it!
The NTIA doc says that a Supplier Name is:

> The name of an entity that creates, defines, and identifies components.

The SPDX spec for "Package Supplier" is similar but not quite the same flavor:

> Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site. For example, SourceForge is a host website, not a supplier, the supplier for https://sourceforge.net/projects/bridge/ is “The Linux Foundation.”

I feel like since both specs are asking for the *responsible entity*, there is some confusion here in the words "Identify the actual distribution source" but explicitly "not a URL". Is there a proper definition of "distribution source"? The example given, "The Linux Foundation", is not referenced anywhere in https://sourceforge.net/projects/bridge/, either on the website itself or anywhere in the package contents, and I'm left very confused...

I'm wondering if the Package Supplier is materially different than the Copyright Holder (in most cases?). Am I totally off base there? Can someone illustrate for me how/when these predicates differ?

Thanks,
Tyler

View/Reply Online (#4814): https://lists.spdx.org/g/Spdx-tech/message/4814
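To make the distinction concrete, here is an added example (not from the original message or the SPDX project) that parses a constructed SPDX 2.x tag-value fragment in which the supplier (the party you actually obtained the package from), the originator (who authored it) and the copyright holder are three different parties, and flags a `PackageSupplier` that is `NOASSERTION` or looks like a web site rather than an entity, per the spec text quoted above. The package name, parties and URLs are made up for illustration.

```python
import re

# Constructed SPDX 2.x tag-value fragment (sample data, not a real package):
# supplier = redistributor, originator = upstream author, copyright = holder.
SAMPLE = """\
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
PackageVersion: 1.2.3
PackageSupplier: Organization: Example Distro Project
PackageOriginator: Person: Jane Developer (jane@example.org)
PackageDownloadLocation: https://downloads.example.org/example-lib-1.2.3.tar.gz
PackageCopyrightText: <text>Copyright 2020 Jane Developer</text>
"""

# "Person: Name (email)" / "Organization: Name (email)"; the email part is optional.
ACTOR_RE = re.compile(r"^(Person|Organization):\s*(.+?)(?:\s*\(([^)]*)\))?$")
# Heuristic for "this is a web site, not an entity": URL scheme, www., or a bare hostname.
WEBSITE_RE = re.compile(r"^(https?://|www\.)|\S+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def parse_tag_value(text):
    """Parse SPDX tag-value lines into a dict; <text>...</text> wrappers are stripped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        tag, value = line.split(":", 1)
        value = value.strip()
        if value.startswith("<text>") and value.endswith("</text>"):
            value = value[len("<text>"):-len("</text>")]
        fields[tag.strip()] = value
    return fields


def parse_actor(value):
    """Split 'Organization: Name (email)' into (kind, name, email); NOASSERTION -> None."""
    if value == "NOASSERTION":
        return None
    m = ACTOR_RE.match(value)
    if not m:
        raise ValueError(f"malformed actor field: {value!r}")
    return m.group(1), m.group(2).strip(), m.group(3)


def check_package(fields):
    """Return (supplier, originator, problems); problems is empty when the supplier is usable."""
    problems = []
    supplier = parse_actor(fields.get("PackageSupplier", "NOASSERTION"))
    originator = parse_actor(fields.get("PackageOriginator", "NOASSERTION"))
    if supplier is None:
        problems.append("PackageSupplier is NOASSERTION (supplier name is an NTIA minimum element)")
    elif WEBSITE_RE.search(supplier[1]):
        problems.append(f"PackageSupplier looks like a web site, not an entity: {supplier[1]}")
    return supplier, originator, problems
```

Run `check_package(parse_tag_value(SAMPLE))` to see the three roles side by side; in the sample the supplier is the distro, the originator is the author, and the copyright text names the holder, so none of the three fields can be derived from another.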
