Re: New people, new ideas - new friends from GTC Law
Thanks, everyone, for your comments!
Is there a way for the relationship section to be able to indicate whether a particular component is distributed (or hosted) as part of a larger codebase? Something like SPDXRef-A is distributed in binary form as part of SPDXRef-B (where SPDXRef-A is an open-source dependency of SPDXRef-B which is the "proprietary" codebase)? The example I am thinking of is when you have a hosted solution (so the product itself is not distributed), but some of the third party components included in the solution are part of client-side scripts (which can be considered to be distributed). It would be great to be able to identify them within the BOM.
As for populating the usage information -- perhaps a way to cut down some of the work would be to only include the usage information that is necessary to assess compliance (e.g. you would not need to include any usage info regarding MIT-licensed components, but for LGPL-licensed components, you would include distribution, hosting, linking, and modification info -- or a dispositive subset thereof -- since they can all play into the decision). Since this is information that is needed as part of the internal review process, it should already be available, right?
GTC Law Group PC & Affiliates
One University Ave., Ste. 302B
Westwood, MA, 02090
From: openchain-bounces@... <openchain-bounces@...> On Behalf Of Indira Bhatt
Sent: Wednesday, October 2, 2019 3:14 PM
To: Matija Šuklje <matija@...>
Subject: Re: [OpenChain] New people, new ideas - new friends from GTC Law
On the tooling side, most scan tools do have an option to define how something is being used (linked, shipped, etc.).
Agreed, it sure can be manually taxing to do this for every open source component found. I’ve usually done this sort of thing during remediation.
On Oct 2, 2019, at 11:30 AM, Matija Šuklje <matija@...> wrote:
On Wednesday 2 October 2019 16:24:55 CEST Leon Schwartz wrote:
This does make much more sense, yes.