Hi,

Please correct me if I'm wrong but as far as I understand it, as of today the flow for generating SPDX data to build software BoMs, documented e.g. in:
- https://www.fossology.org/get-started/basic-workflow/
- https://elinux.org/images/2/20/License_Compliance_in_Embedded_Linux_with_the_Yocto_Project.pdf

involves building your own database of SPDX files after reviewing all the sources, which doesn't look to be something within reach of most businesses.

I am wondering by extension:
- Whether there are businesses selling pre-masticated SPDX data (I can imagine one would be willing to pay a little something to obtain a collection of "certified" (or possibly "insured") SPDX);
- Whether there are (plans for having) public, collaborative repositories of SPDX data that could be trusted over automatic scans of source.

Best regards,
--
Jérôme
