Dear Tyler,

I hope I can shed some light on this. The SPDX field 'Package Supplier' doesn't 
refer to the original creator of a package, but rather the person or 
organisation that the package was distributed by - in other words, the 
'middle-man' in a software supply chain. This is very common, of course, in free 
and open source environments, where you get companies such as Red Hat 
distributing lots of software, much of which was not created by Red Hat (such 
as the vast repositories of packages available in RHEL).

The SPDX 'Package Originator' field, however, refers to the initial author of 
the software, and seems to align more closely with what the NTIA document calls 
a 'Supplier'. As conjecture, I would imagine this is due to a focus on more 
proprietary software supply chains in the NTIA discussions, where such 
intermediate steps of packaging, modification and repackaging are a little less 
common.

Since you mentioned copyright, I'll also add that the copyright holder of a 
package is usually the 'Package Originator'. However, there are very often many 
more one-off contributors to packages who would hold copyright over some 
portion of the software (e.g. contractors or individuals not affiliated with 
the same organisation), so SPDX has a number of other fields available to more 
precisely capture this information (the 'Package Copyright Text' field for 
instance).

That 'actual distribution source' that the specification mentions just means 
that the name of the entity should be used in the field, rather than the 
entity's web address. As for that section's example, I think it used to be 
clear, so we probably ought to update that in SPDX 3.0 to be less confusing :-)

Hope this helps, and let me know if I've missed anything!

Best wishes,

Sebastian
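To make the distinction above concrete, here is an added example (my own illustration, not part of this thread and not SPDX project tooling) that writes the package-level SPDX 2.3 tag-value fields for a package obtained from a distributor but written by someone else, and then lints the PackageSupplier / PackageOriginator values against the rule quoted below: the value must be "Person: ..." or "Organization: ..." (or NOASSERTION), and must name an entity rather than a web site. The package name "example-lib", the person "Jane Developer" and her e-mail address are constructed for the example; the SourceForge URL reused as a deliberately bad supplier value is the one from the quoted spec text.

```python
"""Added example: SPDX 2.3 tag-value PackageSupplier / PackageOriginator handling.
All package, person and e-mail values below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List

# An SPDX 2.x actor is "Person: name (email)" or "Organization: name (email)";
# the "(email)" part is optional. NOASSERTION is also permitted for both fields.
ACTOR_RE = re.compile(
    r"^(?P<kind>Person|Organization): (?P<name>[^()]+?)(?: \((?P<email>[^()]*)\))?$"
)
# Heuristic for "this is a web site, not an entity name" (the SourceForge rule).
URL_RE = re.compile(r"(?i)(https?://|www\.|\.(?:com|org|net|io)(?:/|$))")

FIELDS = ("PackageSupplier", "PackageOriginator")


@dataclass
class PackageActors:
    name: str
    supplier: str       # the actual distribution source (the "middle-man")
    originator: str     # the initial author of the software
    copyright_text: str


def render_tag_value(pkg: PackageActors) -> str:
    """Emit the package-level subset of an SPDX 2.3 tag-value document."""
    return "\n".join([
        "SPDXVersion: SPDX-2.3",
        "DataLicense: CC0-1.0",
        f"PackageName: {pkg.name}",
        f"PackageSupplier: {pkg.supplier}",
        f"PackageOriginator: {pkg.originator}",
        f"PackageCopyrightText: <text>{pkg.copyright_text}</text>",
    ])


def parse_tag_value(text: str) -> Dict[str, str]:
    """Minimal 'Tag: value' parser; splits on the first colon only, so the
    'Organization: ...' prefix inside a value is preserved."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            tag, _, value = line.partition(":")
            fields[tag.strip()] = value.strip()
    return fields


def check_actor(field: str, value: str) -> List[str]:
    """Return the problems with one supplier/originator value (empty list = OK)."""
    if value == "NOASSERTION":
        return []
    m = ACTOR_RE.match(value)
    if not m:
        return [f"{field}: '{value}' is not 'Person: ...', 'Organization: ...' or NOASSERTION"]
    if URL_RE.search(m.group("name")):
        return [f"{field}: '{m.group('name')}' looks like a web site; name the entity instead"]
    return []


def lint_package(text: str) -> List[str]:
    """Lint the supplier/originator fields of one tag-value package block."""
    fields = parse_tag_value(text)
    problems: List[str] = []
    for field in FIELDS:
        if field not in fields:
            problems.append(f"{field}: missing")
        else:
            problems.extend(check_actor(field, fields[field]))
    return problems


# Constructed sample: a distributor (Red Hat, as in the thread) ships a library
# written by a hypothetical individual, so supplier and originator differ.
GOOD_DOC = render_tag_value(PackageActors(
    name="example-lib",
    supplier="Organization: Red Hat, Inc.",
    originator="Person: Jane Developer (jane@example.com)",
    copyright_text="Copyright 2022 Jane Developer and contributors",
))

# Same package, but the supplier field holds the hosting site's URL, which the
# spec text says is not a supplier.
BAD_DOC = GOOD_DOC.replace(
    "PackageSupplier: Organization: Red Hat, Inc.",
    "PackageSupplier: https://sourceforge.net/projects/bridge/",
)

if __name__ == "__main__":
    print(GOOD_DOC)
    print("good:", lint_package(GOOD_DOC) or "no problems")
    print("bad: ", lint_package(BAD_DOC))
```

Run as a script it prints the rendered block and the lint result for both documents; the bad document is flagged on PackageSupplier only, while the originator and copyright fields, which are independent of who distributed the package, are left as they were.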

On 26 October 2022 17:44:27 BST, "rtp via lists.spdx.org" 
<[email protected]> wrote:
>Hi SPDX friends,
>
>I have some questions about the Package supplier attribute and could use some 
>discussion. Like many others here, the EO is a concern, and in glancing at the 
>NTIA document ( 
>https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
> ) I'm concerned about the definitions between the two fields. Apologies if 
>this was discussed elsewhere, I couldn't find it!
>
>The NTIA doc says that a Supplier Name is:
>
>> 
>> The name of an entity that creates, defines, and identifies
>> components.
>> 
>
>The SPDX spec for "Package Supplier" is similar but not quite the same flavor:
>
>> 
>> Identify the actual distribution source for the package/directory
>> identified in the SPDX document. This might or might not be different from
>> the originating distribution source for the package. The name of the
>> Package Supplier shall be an organization or recognized author and not a
>> web site. For example, SourceForge is a host website, not a supplier, the
>> supplier for https://sourceforge.net/projects/bridge/ is “The Linux
>> Foundation.”
>> 
>
>I feel like since both specs are asking for the *responsible entity*, there 
>is some confusion here in the words "Identify the actual distribution source" 
>but explicitly "not a URL". Is there a proper definition of "distribution 
>source"? The example given - "The Linux Foundation" is not referenced anywhere 
>in https://sourceforge.net/projects/bridge/ either on the website itself, nor 
>anywhere in the package contents and I'm left very confused...
>
>I'm wondering if the Package Supplier is materially different than the 
>Copyright Holder (in most cases?) Am I totally off base there? Can someone 
>illustrate for me how/when these predicates differ?
>
>Thanks,
>
>Tyler
>


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4815): https://lists.spdx.org/g/Spdx-tech/message/4815
Mute This Topic: https://lists.spdx.org/mt/94586021/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-