Re: Hello World!
Thank you for bringing this up. Having this clarified is vital for the open chain activities. Let me add one more aspect. As Mark pointed out, SPDX is a format (like, say, XML). There are some tools (and hopefully many more in the future) to process/convert SPDX files. And once V2.0 with important features like hierarchy is out, the adoption rate will increase. But when dealing with license information in the supply chain, the format is only one side of the story. It greatly impacts efficiency but not so much effectiveness. The crucial factor is the quality of the content. As we all know, every member of the supply chain is responsible for the license compliance of its deliveries, including all pieces delivered by other members of the supply chain. Ideally, one would take the SPDX files delivered, add additional content for the pieces produced and pass on the combined SPDX to the downstream recipients. This is very efficient and duplicate work is avoided. But is it effective? Nobody knows, since there are no quality standards for license information. How was it produced? How was it verified? I think that open chain must focus on the “content” aspect rather than on the “format” aspect (which is basically solved with SPDX). We need some standards (like ISO 9001, CMMI,…) for dealing with license information and certification for organizations adhering to these standards.
From: openchain-bounces@... [mailto:openchain-bounces@...] On behalf of Jilayne Lovejoy
Sent: Friday, August 29, 2014 1:18 AM
To: Gisi, Mark
Subject: Re: [OpenChain] Hello World!
Thanks for raising the question, Jeremiah, and to Mark for providing the excellent clarification – both to the benefit of all!
On Fri, Aug 29, 2014 at 7:37 AM, Gisi, Mark <Mark.Gisi@...> wrote:
Jeremiah raised some common concerns about SPDX, and as an early adopter I wanted to share my experiences.
>> while SPDX looks great, it's not widely adopted. Debian has its own format and Yocto is using SPDX
>> version 1.1. It's hard to use, has numerous supported versions (1.1, 1.2 and 2.0 in development)
SPDX is a specification and not a tool.
Okay, I confess I view it more as a tool, good to have this clarified for me.
Thanks very much for this email. It puts SPDX into the right perspective for me. I've sort of viewed it from a software engineer's view as this thing I have to add without really knowing why. If it does provide a software Bill of Materials that can effectively provide assurance in the supply chain, then clearly it's a solution to a very real problem.