I am currently a senior systems engineer at Nokia, and I can say without reservation that we face this problem also, identifying specific versions of software (binaries as well as sources). Binaries can change, even if the source does not, if for example the compiler is updated, or associated libraries. This is especially problematic when the libraries are (as is often the case) dynamically-linked shared libraries.
Bill Boyle
Senior Systems Engineer, Nokia Mobile Phones, Itasca, Illinois

On Mon, May 13, 2013 at 9:56 AM, RUFFIN, MICHEL (MICHEL) <[email protected]> wrote:
> Dear all, we are facing a very difficult issue: How to identify uniquely
> Software.
>
> In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS
> SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming
> from outsourcing contracts, …) The goal is to automate a lot of things:
> royalty tracking, producing documentations on FOSS respecting the license
> obligations automatically, knowing which ALU product is using what SW,
> automatically connecting with tools such as Blackduck protex or Palamida or
> any others of their competitors, …………………………………………….
>
> The major issue is SW unique identification: Today we have the following:
>
> - Maven naming system: but it is limited to java open source libraries
> - ALU internal system (but so far limited mostly to commercial SW but we are
>   extending to FOSS but not perfect) and we have to interact with suppliers
>   and customers on this identification
> - Blackduck internal unique identification (one million FOSS but do not cope
>   with proprietary SW and we do not want to be dependent on a company)
> - SPDX Check sums for binaries (but do not provide the same checksum with .zip
>   and .gpz)
> - SPDX Check sums on source codes but does not work if ALU is doing a small
>   modification to the comments in the file
>
> I know that SPDX is not perhaps the best place to discuss this issue, but I
> would like to engage a discussion on this topic
>
> So my question here is: do you have similar concerns in your companies, and
> what can we do to solve this issue (should we create a group on this?)
>
> Michel
>
> [email protected], PhD
> Software Coordination Manager, N&P IS/IT
> Distinguished Member of Technical Staff
> Tel +33 (0) 6 75 25 21 94
> Alcatel-Lucent International, Centre de Villarceaux
> Route De Villejust, 91620 Nozay, France
>
> _______________________________________________
> Spdx mailing list
> [email protected]
> https://lists.spdx.org/mailman/listinfo/spdx
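
The archive-checksum problem raised in the quoted message (the same files give different checksums when packaged differently), as an added example that is not part of the original thread. It contrasts a checksum of the archive bytes with a digest computed over the member files; the function names, the record format and the sample files are assumptions made for this illustration, not an SPDX-defined algorithm.

```python
import hashlib
import io
import tarfile
import zipfile

# Constructed sample tree (relative path -> file bytes), not from the thread.
SAMPLE_FILES = {"lib/util.c": b"int add(int a, int b) { return a + b; }\n", "README": b"demo package\n"}

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

def make_tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_members(archive_bytes):
    """Yield (path, data) for every regular file in a zip or tar archive."""
    if archive_bytes.startswith(b"PK\x03\x04"):  # zip local file header magic
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            for name in zf.namelist():
                if not name.endswith("/"):  # skip directory entries
                    yield name, zf.read(name)
    else:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
            for m in tf.getmembers():
                if m.isfile():
                    yield m.name, tf.extractfile(m).read()

def content_digest(archive_bytes):
    """SHA-256 over sorted 'path NUL sha256(file)' records; ignores the container."""
    records = sorted(
        f"{path}\0{hashlib.sha256(data).hexdigest()}"
        for path, data in read_members(archive_bytes)
    )
    return hashlib.sha256("\n".join(records).encode()).hexdigest()

def archive_digest(archive_bytes):
    """SHA-256 of the archive file itself; changes with format, compression, timestamps."""
    return hashlib.sha256(archive_bytes).hexdigest()
```

A digest of this kind is stable across repackaging but still changes on any byte-level edit to a member file, so it does not address the comment-modification case from the same list.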
