On Tue, Aug 4, 2015 at 8:09 PM, Kate Stewart <[email protected]> wrote:
> On Tue, Aug 4, 2015 at 11:40 AM, Mike Milinkovich <[email protected]> wrote:
>
>> On 04/08/2015 12:15 PM, Kate Stewart wrote:
>>
>>> I agree we should not depend on closed standards. However, the
>>> question is do we want to be able to reference to external packages that
>>> other systems are supporting?
>>
>> Beats me. But to me the proposed solution looks much worse than whatever
>> problem it is that you're trying to solve. Speaking of which, where is the
>> document that describes the problem you're trying to solve?
>
> The base document that these changes are being proposed for is SPDX 2.0
> see: http://spdx.org/SPDX-specifications/spdx-version-2.0
>
>> My impression is that the consumers of open source software are trying to
>> create a system to make it easier to identify and manage the artifacts used
>> within their organization. Is that correct?
>
> The goal of software package data exchange (SPDX) is to create a common
> way to communicate copyright and licensing information in the entire
> ecosystem. There are producers and consumers throughout the entire
> supply chain.
>
> Open source projects are built on top of other open source projects all
> the time (libraries, dependencies, etc.) Providing a clear way that can
> be *machine readable* and *trusted*,

How do you propose it be trusted? It is just a string! You need
substantially more infrastructure than just a SPDX tag to generate trust.

Regards,
Jeremiah
_______________________________________________
Spdx mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx
