Thanks for your feedback, Paul. Regarding:

"With regard to licencing, the base premise that a human asserts licence in metadata, without qualification, seems risky to me. Is there any traceability for who makes the assertion in the first place, and on what basis? And when the software changes, is there any way to force reassessment (or at least reassertion) by someone competent?"

Each supplier decides for themselves the terms and conditions upon which a party may use their software, which is expressed in a license. There is no right or wrong, or anyone to verify that the party issuing the license is valid. A user of the software decides to accept the terms and conditions in the license, or not. No validation is required; the license contains the terms and conditions as determined by the party issuing the license.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
T http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: Paul Sherwood <[email protected]>
Sent: Sunday, January 15, 2023 3:47 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [spdx-tech] SPDX - true or false? (was Re: Getting started...)

Hi Dick,

thank you for your comments. Please see my thoughts inline.

On 2023-01-14 13:12, Dick Brooks wrote:
> There is no escaping manual input from the process that leads to an
> SBOM, SPDX or CycloneDX. Someone has to input the data somewhere in
> order for it to be available at SBOM creation time.

True, but my interest relates to
- repeatable construction of evolving software at scale (where automation provides significant benefits)
- safety-critical and security-critical systems

Broadly this leads me towards solutions where, once the manual input has occurred, we can aim to enforce rules and/or automation to mitigate against errors being introduced.

> If you are concerned that manual entry occurs somewhere in the
> process that ultimately results in an SBOM then I don't think this
> concern will ever go away.
>
> Manual effort is an inherent part of software creation, and yes, human
> error can, and does occasionally occur.

You're correct - I expect to remain concerned about human errors, at least until the AI community comes up with tools to generate the software without human intervention, at which point we'll have no clue about whether the metadata is truthful or not :-)

However, for the versioning example I mentioned, we have techniques that mitigate very effectively against the problem. A common approach is for software versioning to be heavily controlled or even generated by tooling. For example, if we use git, we can ensure that only one version of software has a given tag.

With regard to licencing, the base premise that a human asserts licence in metadata, without qualification, seems risky to me. Is there any traceability for who makes the assertion in the first place, and on what basis? And when the software changes, is there any way to force reassessment (or at least reassertion) by someone competent?

br
Paul
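Added example (not code from this thread, nor from the SPDX project) of the "enforce rules once the manual input has occurred" approach Paul describes: it parses a constructed SPDX 2.x tag-value SBOM and flags a concluded license that carries no REVIEW annotation naming who asserted it, and a package version with no matching git tag. The SBOM text and the tag table are constructed stand-ins for a real document and a real `git tag` listing.

```python
import re

# Constructed SPDX 2.x tag-value SBOM: libfoo's concluded license has a
# REVIEW annotation naming the person who asserted it; libbar's does not.
SBOM = """\
PackageName: libfoo
SPDXID: SPDXRef-libfoo
PackageVersion: 1.4.2
PackageLicenseConcluded: MIT
Annotator: Person: Jane Reviewer
AnnotationDate: 2023-01-10T09:00:00Z
AnnotationType: REVIEW
SPDXREF: SPDXRef-libfoo
AnnotationComment: Checked LICENSE at tag v1.4.2

PackageName: libbar
SPDXID: SPDXRef-libbar
PackageVersion: 2.0.1
PackageLicenseConcluded: Apache-2.0
"""

# Constructed stand-in for the repositories' tags (tag name -> commit).
GIT_TAGS = {"libfoo": {"v1.4.2": "a1b2c3d"}, "libbar": {"v2.0.0": "d4e5f6a"}}


def parse_sbom(text):
    """Split tag-value lines into package and annotation records."""
    packages, annotations, cur = [], [], None
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue  # blank lines and free text carry no tag
        tag, value = m.groups()
        if tag == "PackageName":           # starts a new package record
            cur = {"PackageName": value}
            packages.append(cur)
        elif tag == "Annotator":           # starts a new annotation record
            cur = {"Annotator": value}
            annotations.append(cur)
        elif cur is not None:
            cur[tag] = value
    return packages, annotations


def audit(sbom_text, git_tags):
    """Return findings; an empty list means every assertion is traceable."""
    packages, annotations = parse_sbom(sbom_text)
    # Index REVIEW annotations by the element (SPDXREF) they vouch for.
    reviews = {a.get("SPDXREF"): a for a in annotations if a.get("AnnotationType") == "REVIEW"}
    findings = []
    for pkg in packages:
        name, concluded = pkg["PackageName"], pkg.get("PackageLicenseConcluded", "NOASSERTION")
        if concluded != "NOASSERTION" and pkg.get("SPDXID") not in reviews:
            findings.append(f"{name}: license '{concluded}' concluded without a REVIEW annotation naming an annotator")
        version = pkg.get("PackageVersion", "")
        if "v" + version not in git_tags.get(name, {}):
            findings.append(f"{name}: version {version} has no matching git tag v{version}")
    return findings


if __name__ == "__main__":
    for finding in audit(SBOM, GIT_TAGS):
        print(finding)
```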
