Re: New people, new ideas - new friends from GTC Law
Leon Schwartz
Thanks, everyone, for your comments!
Is there a way for the relationship section to be able to indicate whether a particular component is distributed (or hosted) as part of a larger codebase? Something like SPDXRef-A is distributed in binary form as part of SPDXRef-B (where SPDXRef-A is an open-source dependency of SPDXRef-B which is the "proprietary" codebase)? The example I am thinking of is when you have a hosted solution (so the product itself is not distributed), but some of the third party components included in the solution are part of client-side scripts (which can be considered to be distributed). It would be great to be able to identify them within the BOM.

As for populating the usage information -- perhaps a way to cut down some of the work would be to only include the usage information that is necessary to assess compliance (e.g. you would not need to include any usage info regarding MIT-licensed components, but for LGPL-licensed components, you would include distribution, hosting, linking, and modification info -- or a dispositive subset thereof -- since they can all play into the decision). Since this is information that is needed as part of the internal review process, it should already be available, right?

Thanks,
Leon

Leon Schwartz
GTC Law Group PC & Affiliates
One University Ave., Ste. 302B
Westwood, MA, 02090
Phone: 617.206.3357
Fax: 617.507.6127
Email: lschwartz@...
www.gtclawgroup.com
* Admitted only in Massachusetts.

__________________________________________________
Confidentiality
This email and its attachments may contain legally privileged and/or confidential information. If you are not the intended recipient of this email, you are hereby notified that any dissemination, distribution or copying of this email and its attachments is strictly prohibited. If you receive this email in error, please immediately notify me at 617.206.3357 and permanently delete both the original and any copies thereof.

-----Original Message-----
From: openchain-bounces@... <openchain-bounces@...> On Behalf Of Indira Bhatt
Sent: Wednesday, October 2, 2019 3:14 PM
To: Matija Šuklje <matija@...>
Cc: openchain@...
Subject: Re: [OpenChain] New people, new ideas - new friends from GTC Law

On the tooling side most scan tools do have an option to define how something is being used: linked, shipped, etc. Agreed, it sure can be manually taxing to do this for every open source component found. I've usually done this sort of thing during remediation.

On Oct 2, 2019, at 11:30 AM, Matija Šuklje <matija@...> wrote:

On Wednesday 2 October 2019 16:24:55 CEST Leon Schwartz wrote:

This does make much more sense, yes.

_______________________________________________
OpenChain mailing list
OpenChain@...
https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.linuxfoundation.org%2Fmailman%2Flistinfo%2Fopenchain&data=02%7C01%7Clschwartz%40gtclawgroup.com%7Cd9f87b638c5142d7747808d7476cafb0%7C9941d107cf654f6e882317722f4e981a%7C0%7C0%7C637056404496624661&sdata=4rYYW%2B2jq4Kpdg8eKSBB80uhbqBzlIkbL4wohsBKMZE%3D&reserved=0
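One way to model the situation Leon describes (a hosted product that is not distributed, a client-side bundle that is, and usage facts collected only for the licences where they change the outcome), as an added example that is not from this thread or from the SPDX project. The relationship names follow the SPDX 2.2 relationship types; the DISTRIBUTED annotation, the USAGE_SENSITIVE licence set and the sample packages are constructed assumptions.

```python
# Added example (not from the thread or the SPDX project): walk an SPDX-style
# relationship graph and report usage facts only for usage-sensitive licences.
from collections import defaultdict

# Constructed sample: SPDXRef-B is a hosted product that never leaves the
# org; SPDXRef-Bundle is a client-side script bundle served to browsers.
PACKAGES = {
    "SPDXRef-B": {"name": "hosted-product", "license": "LicenseRef-Proprietary"},
    "SPDXRef-Bundle": {"name": "client-bundle.js", "license": "LicenseRef-Proprietary"},
    "SPDXRef-A": {"name": "widget-lib", "license": "LGPL-2.1-only"},
    "SPDXRef-C": {"name": "tiny-util", "license": "MIT"},
    "SPDXRef-D": {"name": "server-orm", "license": "LGPL-2.1-only"},
}
# (subject, relationship, object) triples using SPDX 2.2 relationship types.
RELATIONSHIPS = [
    ("SPDXRef-B", "CONTAINS", "SPDXRef-Bundle"),
    ("SPDXRef-Bundle", "STATIC_LINK", "SPDXRef-A"),
    ("SPDXRef-Bundle", "STATIC_LINK", "SPDXRef-C"),
    ("SPDXRef-B", "DYNAMIC_LINK", "SPDXRef-D"),
]
DISTRIBUTED = {"SPDXRef-Bundle"}  # assumed annotation: artifacts shipped/served
LINK_TYPES = {"STATIC_LINK", "DYNAMIC_LINK"}
CARRIES_DISTRIBUTION = {"CONTAINS"} | LINK_TYPES
# Assumed: licences whose obligations depend on how the component is used.
USAGE_SENSITIVE = {"LGPL-2.1-only", "LGPL-2.1-or-later",
                   "LGPL-3.0-only", "LGPL-3.0-or-later"}


def distributed_closure(relationships, roots):
    """Everything a distributed artifact contains or links in is itself
    distributed as part of it; returns the set of such SPDX ids."""
    children = defaultdict(list)
    for subj, rel, obj in relationships:
        if rel in CARRIES_DISTRIBUTION:
            children[subj].append(obj)
    seen, stack = set(), list(roots)
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(children[node])
    return seen


def usage_info_needed(packages, relationships, roots):
    """Return {spdx_id: {"distributed": bool, "linking": str | None}} for
    usage-sensitive components only; permissive ones (e.g. MIT) are skipped."""
    dist = distributed_closure(relationships, roots)
    linking = {obj: rel for _, rel, obj in relationships if rel in LINK_TYPES}
    return {sid: {"distributed": sid in dist, "linking": linking.get(sid)}
            for sid, meta in packages.items()
            if meta["license"] in USAGE_SENSITIVE}
```

Running it on the sample reports widget-lib as distributed (statically linked into the served bundle) and server-orm as not distributed (linked only into the hosted product), while tiny-util under MIT is left out entirely.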