Thanks Sebastian, one more comment below here -

On Wed, Oct 26, 2022 at 11:28 AM Sebastian Crane <[email protected]> wrote:

> Dear Tyler,
>
> I hope I can shed some light on this. The SPDX field 'Package Supplier' doesn't refer to the original creator of a package, but rather the person or organisation that the package was distributed by - in other words, the 'middle-man' in a software supply chain. This is very common of course in free and open source environments, where you get companies such as Red Hat distributing lots of software, much of which was not created by Red Hat (such as the vast repositories of packages available in RHEL).
>
> The SPDX 'Package Originator' field, however, refers to the initial author of the software, and seems to align more closely with what the NTIA document calls a 'Supplier'. As conjecture, I would imagine this is due to a focus on more proprietary software supply chains in the NTIA discussions, where such intermediate steps of packaging, modification and repackaging are a little less common.
>
> Since you mentioned copyright, I'll also add that the copyright holder of a package is usually the 'Package Originator'. However, there are very often many more one-off contributors to packages who would hold copyright over some portion of the software (e.g. contractors or individuals not affiliated with the same organisation), so SPDX had a number of other fields available to more precisely capture this information (the 'Package Copyright Text' field for instance).
>
> That 'actual distribution source' that the specification mentions just means that the name of the entity should be used in the field, rather than the entity's web address. As for that section's example, I think it used to be clear, so we probably ought to update that in SPDX 3.0 to be less confusing :-)
>
> Hope this helps, and let me know if I've missed anything!

This is super helpful - one last clarification then regarding the SourceForge example? "Linux Foundation" is assumed to be the entity responsible for the distribution source (SourceForge in this case?) Is that correct? (If so I think that might be out of date; SourceForge is currently owned and operated by Slashdot Media <https://sourceforge.net/about>.)

> Best wishes,
>
> Sebastian
>
> On 26 October 2022 17:44:27 BST, "rtp via lists.spdx.org" <rtp=[email protected]> wrote:
> > Hi SPDX friends,
> >
> > I have some questions about the Package supplier attribute and could use some discussion. Like many others here the EO is a concern, and in glancing at the NTIA document (https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf) I'm concerned about the definitions between the two fields. Apologies if this was discussed elsewhere, I couldn't find it!
> >
> > The NTIA doc says that a Supplier Name is:
> >
> > > The name of an entity that creates, defines, and identifies components.
> >
> > The SPDX spec for "Package Supplier" is similar but not quite the same flavor:
> >
> > > Identify the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package. The name of the Package Supplier shall be an organization or recognized author and not a web site. For example, SourceForge is a host website, not a supplier, the supplier for https://sourceforge.net/projects/bridge/ is “The Linux Foundation.”
> >
> > I feel like since both specs are asking for the *responsible entity*, there is some confusion here in the words "Identify the actual distribution source" but explicitly "not a URL". Is there a proper definition of "distribution source"? The example given - "The Linux Foundation" is not referenced anywhere in https://sourceforge.net/projects/bridge/ either on the website itself, nor anywhere in the package contents and I'm left very confused...
> >
> > I'm wondering if the Package Supplier is materially different than the Copyright Holder (in most cases?) Am I totally off base there? Can someone illustrate for me how/when these predicates differ?
> >
> > Thanks,
> >
> > Tyler
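As an added example (not code from this thread or from the SPDX project), a small Python checker for the two fields discussed above, written against the SPDX 2.x tag-value grammar: it rejects a web site in PackageSupplier, as the quoted spec text requires, and reports when the recorded supplier is a distributor distinct from the originator. The SPDX fragment, its package names and the e-mail address are constructed for the example.

```python
import re

# Constructed SPDX 2.x tag-value fragment, not taken from the thread: "bridge" is
# redistributed (Supplier differs from Originator); "widget" wrongly names a web site.
SAMPLE_SPDX = """\
PackageName: bridge
PackageSupplier: Organization: The Linux Foundation
PackageOriginator: Person: Jane Doe (jane.doe@example.com)

PackageName: widget
PackageSupplier: https://sourceforge.net/projects/example/
PackageOriginator: NOASSERTION
"""

# Both fields use "Person: name (email)" / "Organization: name (email)", email optional;
# WEBSITE_RE catches URLs, www. prefixes and bare hostnames, which the spec excludes.
ACTOR_RE = re.compile(r"^(Person|Organization): [^()]+?(?: \([^()]*\))?$")
WEBSITE_RE = re.compile(r"^(?:\w+://|www\.)|^[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)

def parse_packages(text: str) -> list[dict[str, str]]:
    """One dict per package; tag-value packages are separated by a blank line."""
    packages = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ": " in line:
                tag, value = line.split(": ", 1)  # split on the first separator only
                fields[tag.strip()] = value.strip()
        packages.append(fields)
    return packages

def check_actor_field(tag: str, value: str) -> list[str]:
    """Validate one PackageSupplier / PackageOriginator value; an empty list means OK."""
    if value == "NOASSERTION":
        return []
    if WEBSITE_RE.search(value):
        return [f"{tag}: '{value}' names a web site, not an organization or author"]
    if not ACTOR_RE.match(value):
        return [f"{tag}: '{value}' is not 'Person: ...', 'Organization: ...' or NOASSERTION"]
    return []

def audit(text: str) -> dict[str, dict]:
    """Per package: field syntax issues, plus whether a distinct distributor is recorded."""
    report = {}
    for pkg in parse_packages(text):
        supplier = pkg.get("PackageSupplier", "NOASSERTION")
        originator = pkg.get("PackageOriginator", "NOASSERTION")
        issues = check_actor_field("PackageSupplier", supplier) + check_actor_field("PackageOriginator", originator)
        redistributed = not issues and "NOASSERTION" not in (supplier, originator) and supplier != originator
        report[pkg.get("PackageName", "?")] = {"issues": issues, "redistributed": redistributed}
    return report
```

Running `audit(SAMPLE_SPDX)` flags only the second package, and marks the first as redistributed because its supplier (the distributor) and originator (the author) are different, well-formed entities.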
