Re: New people, new ideas - new friends from GTC Law

Gary O'Neall

Is there a way for the relationship section to be able to indicate whether a
particular component is distributed (or hosted) as part of a larger codebase?
Something like SPDXRef-A is distributed in binary form as part of SPDXRef-B
(where SPDXRef-A is an open-source dependency of SPDXRef-B which is the
"proprietary" codebase)? The example I am thinking of is when you have a
hosted solution (so the product itself is not distributed), but some of the third
party components included in the solution are part of client-side scripts (which
can be considered to be distributed). It would be great to be able to identify
them within the BOM.
I don't think we considered this use case when we developed the relationships for SPDX version 2.0 (see for the list of use cases considered).

This would be a very useful thing to add to the spec. IMHO.

I added a proposal in the form of a pull request against the spec:

Please feel free to propose different wording/language on the pull request comments or as a pull request against the add-distributed-relationship branch.

As for populating the usage information -- perhaps a way to cut down some of
the work would be to only include the usage information that is necessary to
assess compliance (e.g. you would not need to include any usage info regarding
MIT-licensed components, but for LGPL-licensed components, you would
include distribution, hosting, linking, and modification info -- or a dispositive
subset thereof -- since they can all play into the decision). Since this is
information that is needed as part of the internal review process, it should
already be available, right?
Agree with this approach - this is the approach I have taken with most of my customers when providing audit and analysis work.




Leon Schwartz
GTC Law Group PC & Affiliates
One University Ave., Ste. 302B
Westwood, MA, 02090
Phone: 617.206.3357
Fax: 617.507.6127
Email: lschwartz@...

* Admitted only in Massachusetts.
This email and its attachments may contain legally privileged and/or confidential
information. If you are not the intended recipient of this email, you are hereby
notified that any dissemination, distribution or copying of this email and its
attachments is strictly prohibited. If you receive this email in error, please
immediately notify me at 617.206.3357 and permanently delete both the
original and any copies thereof.

-----Original Message-----
From: openchain-bounces@... <openchain-
bounces@...> On Behalf Of Indira Bhatt
Sent: Wednesday, October 2, 2019 3:14 PM
To: Matija Šuklje <matija@...>
Cc: openchain@...
Subject: Re: [OpenChain] New people, new ideas - new friends from GTC Law

On the tooling side most scan tools do have an option to define how something
is being used linked shipped etc.
Agreed, it sure can be manually taxing to do this for every open source
component found. I’ve usually done this sort of thing during remediation.

On Oct 2, 2019, at 11:30 AM, Matija Šuklje <matija@...> wrote:

On Wednesday 2 October 2019 16:24:55 CEST Leon Schwartz wrote:
Does this make more sense?
This does make much more sense, yes.

On Wednesday 2 October 2019 16:37:19 CEST Steve Winslow wrote:
Relationship fields in SPDX allow you to specify how two different
SPDX elements relate to one another. In an SPDX BOM, each element is
given a unique identifier, and the Relationship is specified between
these two elements in the SPDX tag-value format.
I hoped to steer this discussion into this direction, yes.

One thing I’m still battling with in my mind is how the Relationship
field is populated (e.g. by tools). Doing all of this by hand for a
large code base would be horrendous.

Matija Šuklje
gsm: +386 41 849 552
xmpp: matija.suklje@...
sip: matija_suklje@...

OpenChain mailing list
OpenChain mailing list
OpenChain mailing list

Join to automatically receive all group messages.