Hi Benedicte,
Right now the recommendation in 2.X is to use the Package Comment field
(
https://spdx.github.io/spdx-spec/v2.3/package-information/#720-package-comment-field)
to record the information in a structured fashion, so you can reparse it
later.
SPDX 3.X will have an extension point that can be used to work with this
structured information.
There are a group of others looking at recording this information in a
more standardized way for 3.1
and have some draft schemas under discussion. Hopefully we'll be able to
announce a working group
for this topic soon. Do you want me to put you in touch in the interim?
Thanks,
Kate
On Fri, Nov 3, 2023 at 1:13 PM Benedicte Presse <
[email protected]> wrote:
> Hello,
>
> We may require additional information for packages or third-party software
> components.
>
> For example, on export control (classification, country of origin,
> presence of cryptography, etc.).
>
> Where can we put this information?
> In externalRefs / Category : Other / Type : ? / Locator : ?
>
> Thank in advance for your support,
> Best regards,
> Bénédicte
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5417): https://lists.spdx.org/g/Spdx-tech/message/5417
Mute This Topic: https://lists.spdx.org/mt/102370043/21656
Group Owner: [email protected]
Unsubscribe:
https://lists.spdx.org/g/Spdx-tech/leave/2656181/21656/1901338254/xyzzy
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
