Hi Karsten, thank you. Please see my comments inline.
On 2023-01-14 14:10, Karsten Klein wrote:
> I would also argue that SPDX does not help you in this context.
Well, in principle, I believe that getting people to think about licencing in general is better than not, so SPDX contributes at least in that way. And if we can establish confidence that the metadata is correct, and in line with our expected usage of software, we can obtain some mitigation against licence compliance risk.
My concern is specifically the false confidence situation, i.e. where the presence of SPDX metadata may cause people to assume incorrectly that licencing has been properly dealt with.
> However, there are tools available - most of them also supporting SPDX - that enable you to establish a license monitoring for the software assets you consume or provide.
I'll look into that more deeply - any pointers or recommendations would be appreciated.
> Initiatives - such as the PEP driven by Phillipe - drive improvement, based on the observed monitoring results.
Agreed... and that was triggered by the original discussion within the SPDX community :-)
br Paul

View/Reply Online (#4922): https://lists.spdx.org/g/Spdx-tech/message/4922
