On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn <[email protected]> wrote:
Here is the spec for the proposed EternalPackage element. While I touch on
usage in the beginning, I'll discuss some specific use cases in the context
of SpdxTools on the call.
https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit?usp=sharing
Yev:
I guess you meant External and not Eternal....
I provided a few comments to your proposed spec in the doc at
https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#
To add to Philippe's comments, and speaking on behalf of a major
producer of open source software, the proposal for an "External Security
and Asset Management Identifier" seems to be fundamentally flawed. A
quick perusal of the tagvault.org website tells me that the spec is not
publicly available (i.e. you must buy it for $265 from ANSI), and that
the tools used to tag software assets are available only to members of
their private club.
IMO, any requirement that open source communities use a closed standard
and proprietary tools to annotate their open source code is dead on
arrival.
--
Mike Milinkovich
Executive Director,
Eclipse Foundation
[email protected]
+1.613.220.3223 (mobile)
_______________________________________________
Spdx mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx