Dear all We have an active discussion via the OpenChain Japan Work Group (mostly in Japanese) about SPDX. Several Japanese companies are using SPDX in production today and are collaborating to this through a common approach and “ask” for suppliers, particularly those with a relatively limited understanding of open source.
This “ask” will be a subset variant of SPDX informally dubbed “SPDX Light.” It is not intended to break the SPDX Mandatory / Optional fields. Instead it is looking like a series of core fields plus some optional codified into one clear procurement request from multiple companies. One note and comment about this is below (English after the Japanese). Please note: (1) Japanese companies operate mostly in Japanese, which is why this discussion has not been occurring on the SPDX mailing list (2) SPDX calls are at inaccessible times for Japanese companies, which has further hindered interaction Nevertheless, this is a great moment for us all to jump into a shared discussion. Regards Shane Begin forwarded message: > From: <[email protected]> > Date: 16 January 2019 at 12:34:57 GMT+9 > To: <[email protected]> > Subject: [Openchain-japan-wg] Question about SPDX Light: Supported Fields > > 皆様 > > 福地です > > 組織間のライセンス情報授受のSGで検討している仮称SPDX light > ですが、ISSUEリストに海外の方(mcjaeger)から書き込みがありました。 > > SPDX lightというミニマムセットを作るコンセプトに賛成のようで、 > その上で提案と質問が来ています。 > > 関心のある方は、彼の提案を読んでコメントを頂けませんでしょうか。 > > > Question about SPDX Light: Supported Fields #2 > https://github.com/OpenChain-Project/Japan-WG-General/issues/2 > > hello, > > regarding the SPDX light proposal I would like to express more a question > rather than an issue. I like the SPDX light proposal very much. I was > wondering about the following additional elements more like a question: > > for package information: I found the checksum very useful to exchange > information about packages, maybe it could be considered as well? is it maybe > confusing hwne the same package was compiled multiple times? > > How about an acknowledgement field attached to license information? (For > licenses that ask for acknowledgement, such as > https://spdx.org/licenses/BSD-4-Clause-UC.html because then, acknowledgement > documentation could easily generated from SPDX. > > Export control and customs, ECC notice (since patent notice is already > envisaged) for a package could be used (with reference in which file it was > found) > > would be package download location also the package management id? (for > example it is named "artefact id" for maven packages) > > ignore flag for files which could be info that this file was not part of > license analysis or isnot considered as license analysis because it is > considered irrelevant. > > Please see my remarks just as quick feedback from the posting on openchain > mailing list. My idea was it could be a good place here to ask a question > about this document: > > https://github.com/OpenChain-Project/Japan-WG-General/blob/master/License-Info-Exchange/Doc-at-Meeting/Candidate-of-SDPX-light.md > > > --- > 福地 弘行 ([email protected]) > ソニー(株)UX企画部 アライアンス業務課 > > _______________________________________________ > Openchain-japan-wg mailing list > [email protected] > https://lists.linuxfoundation.org/mailman/listinfo/openchain-japan-wg -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1206): https://lists.spdx.org/g/spdx/message/1206 Mute This Topic: https://lists.spdx.org/mt/29144822/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
