On Tue, Aug 4, 2015 at 10:45 AM, Mike Milinkovich <[email protected]> wrote:

> On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:
>
>> On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn
>> <[email protected]> wrote:
>>
>>> Here is the spec for the proposed EternalPackage element. While I touch on
>>> usage in the beginning, I'll discuss some specific use cases in the context
>>> of SpdxTools on the call.
>>>
>>> https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit?usp=sharing
>>>
>>> Yev
>>
>> I guess you meant External and not Eternal....
>>
>> I provided a few comments to your proposed spec in the doc at
>>
>> https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#
>
> To add to Philippe's comments, and speaking on behalf of a major producer
> of open source software, the proposal for an "External Security and Asset
> Management Identifier" seems to be fundamentally flawed. A quick perusal of
> the tagvault.org website tells me that the spec is not publicly available
> (i.e. you must buy it for $265 from ANSI), and that the tools used to tag
> software assets are available only to members of their private club.

The spec being referred to is a NIST one, rather than ANSI. See:

http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060

which is open. It's in its second reading right now, and it's in a public comment window, before NIST adopts it.

> IMO, any requirement that open source communities use a closed standard,
> and proprietary tools to annotate their open source code is dead on arrival.

I agree we should not depend on closed standards. However, the question is: do we want to be able to reference external packages that other systems are supporting?

Kate

_______________________________________________
Spdx mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx
