On 2023-01-15 09:56 Paul Sherwood wrote:
> Hi Karsten,
> thank you. Please see my comments inline.
> On 2023-01-14 14:10, Karsten Klein wrote:
>> I would also argue that SPDX does not help you in this context.
> Well, in principle, I believe that getting people to think about
> licencing in general is better than not, so SPDX contributes at least
> in that way. And if we can establish confidence that the metadata is
> correct, and in line with our expected usage of software, we can obtain
> some mitigation against licence compliance risk.
> My concern is specifically the false confidence situation, i.e. where
> the presence of SPDX metadata may cause people to assume incorrectly
> that licencing has been properly dealt with.
"properly dealt with" may require a definition too :). There are
different approaches in dealing with licenses in complex third-party
software components, that depend both on the tools that are used and on
the review policy of the IP audit team - policy which in turn may depend
on case-specific and context-dependent risk assessments. Such
information can hardly, if not at all, be expressed in a
machine-readable way.
A project that may address your concerns is openchainproject.org, aimed
at building trust in the open source supply chain, with a particular
focus on license compliance. It is a Linux Foundation project, too, and
its specifications recently became an ISO standard.
Regards,
Alberto
array.eu
View/Reply Online (#4925): https://lists.spdx.org/g/Spdx-tech/message/4925