Re: Hello World!
Claus-Peter Wiedemann
Hi Soren,
I fully agree that SPDX should stay neutral with regard to the quality of the “content”. It is not a matter of the format, it is a matter of the process creating the content. The “creator” identifier is useful to identify the origin. But in real life, it is important to know who conveyed the SPDX file to you and whether that person/entity is “certified”, i.e. adheres to a certain standard for creating the content.
Best regards Claus-Peter
From: Soeren_Rabenstein@... [mailto:Soeren_Rabenstein@...]
Hi Peter
Quality standards make perfect sense. I think, however, that SPDX itself should stay completely neutral with respect to them and may merely convey the information on which quality standards have been complied with; it may also include a verification code or the like, but should not define the standards in any way. Maybe the “creator” identifier could be used for QA information?
Kind regards
Sören Rabenstein
Sören Rabenstein, LL.M., ASUS Legal Affairs Center - Europe, Tel.: (+49) 2102 5609 317
ASUS Computer GmbH, Managing Director: Eric Chen, Düsseldorf District Court: HRB43472
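Sören's suggestion above (carrying origin and QA information in the "creator" fields), as an added example that is not part of the original post or of the SPDX project's tooling: a small Python parser for the creation-information tags of an SPDX 2.x tag-value document (Creator, Created, CreatorComment), including the <text>...</text> multi-line form the format uses for comments. The sample document, the supplier name and the QA wording in its CreatorComment are constructed. What the example makes visible is that these fields are free-text assertions written by whoever produced the file; nothing in the document binds them to the party that actually conveyed the file to you.

```python
"""Extract SPDX 2.x creation information from a tag-value document.

Added example, not code from the OpenChain thread or from the SPDX
project. Creator / Created / CreatorComment are the tags the SPDX
tag-value format uses to record who produced a document. They are
unauthenticated free text: the parser below only reports what the
file claims about itself. The sample document is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a minimal SPDX 2.1 tag-value document. The QA
# wording in CreatorComment is hypothetical, not a defined standard.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-component-1.0
DocumentNamespace: http://example.invalid/spdx/example-component-1.0
Creator: Organization: Example Supplier GmbH
Creator: Person: Jane Doe (jane@example.invalid)
Creator: Tool: example-scanner-1.2
Created: 2014-08-29T12:00:00Z
CreatorComment: <text>License data produced by manual review.
Reviewed against the supplier's (hypothetical) QA procedure.</text>

PackageName: example-component
PackageLicenseConcluded: MIT
"""


@dataclass
class CreationInfo:
    organizations: List[str] = field(default_factory=list)
    persons: List[str] = field(default_factory=list)
    tools: List[str] = field(default_factory=list)
    created: Optional[str] = None
    comment: Optional[str] = None


_TAG_RE = re.compile(r"^(?P<tag>[A-Za-z]+):\s*(?P<value>.*)$")


def iter_tag_values(text):
    """Yield (tag, value) pairs; <text>...</text> values may span lines."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _TAG_RE.match(lines[i])
        i += 1
        if not m:
            continue  # blank line or continuation text we do not expect here
        tag, value = m.group("tag"), m.group("value")
        if value.startswith("<text>") and "</text>" not in value:
            # Multi-line text block: collect until the closing marker.
            parts = [value[len("<text>"):]]
            while i < len(lines) and "</text>" not in lines[i]:
                parts.append(lines[i])
                i += 1
            if i < len(lines):
                parts.append(lines[i].split("</text>", 1)[0])
                i += 1
            value = "\n".join(parts)
        elif value.startswith("<text>"):
            value = value[len("<text>"):].split("</text>", 1)[0]
        yield tag, value


def parse_creation_info(text):
    """Collect the creator claims a document makes about itself."""
    info = CreationInfo()
    for tag, value in iter_tag_values(text):
        if tag == "Creator":
            kind, _, who = value.partition(":")
            who = who.strip()
            if kind == "Organization":
                info.organizations.append(who)
            elif kind == "Person":
                info.persons.append(who)
            elif kind == "Tool":
                info.tools.append(who)
        elif tag == "Created":
            info.created = value.strip()
        elif tag == "CreatorComment":
            info.comment = value.strip()
    return info


if __name__ == "__main__":
    print(parse_creation_info(SAMPLE_SPDX))
```

Any supplier can write any value into these tags, so a consumer that wants to know who handed over the file, as Claus-Peter asks, needs that evidence from outside the document (the delivery channel, a signature over the file, or a contractual attestation), not from the Creator fields.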
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Wiedemann, Claus-Peter
Hi everyone,
Thank you for bringing this up. Having this clarified is vital for the OpenChain activities. Let me add one more aspect. As Mark pointed out, SPDX is a format (like, say, XML). There are some tools (and hopefully many more in the future) to process/convert SPDX files. And once V2.0 with important features like hierarchy is out, the adoption rate will increase. But when dealing with license information in the supply chain, the format is only one side of the story. It greatly impacts efficiency but not so much effectiveness. The crucial factor is the quality of the content. As we all know, every member of the supply chain is responsible for the license compliance of its deliveries, including all pieces delivered by other members of the supply chain. Ideally, one would take the SPDX files delivered, add additional content for the pieces produced and pass on the combined SPDX to the downstream recipients. This is very efficient and duplicate work is avoided. But is it effective? Nobody knows, since there are no quality standards for license information. How was it produced? How was it verified? I think that OpenChain must focus on the “content” aspect rather than on the “format” aspect (which is basically solved with SPDX). We need some standards (like ISO 9001, CMMI, …) for dealing with license information and certification for organizations adhering to these standards.
Best regards Claus-Peter
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Jilayne Lovejoy
Thanks for raising the question, Jeremiah, and to Mark for providing the excellent clarification – both to the benefit of all!
Jilayne
From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of Jeremiah Foster
On Fri, Aug 29, 2014 at 7:37 AM, Gisi, Mark <Mark.Gisi@...> wrote:
Jeremiah raised some common concerns about SPDX; as an early adopter, I wanted to share my experiences.
>> while SPDX looks great, it's not widely adopted. Debian has its own format and Yocto is using SPDX
>> version 1.1. It's hard to use, has numerous supported versions (1.1, 1.2 and 2.0 in development)
SPDX is a specification and not a tool.
Okay, I confess I view it more as a tool, good to have this clarified for me.
Thanks very much for this email. It puts SPDX into the right perspective for me. I've sort of viewed it from a software engineer's view as this thing I have to add without really knowing why. If it does provide a software Bill of Materials that can effectively provide assurance in the supply chain then clearly it's a solution to a very real problem.
Regards,
Jeremiah
BearingPoint GmbH, Managing Directors: Marcel Nickler (Chairman), Hans-Werner Wurzel (Deputy Chairman), Kiumars Hamidian, Kai Wächter, Dr. Robert Wagner; Chairman of the Supervisory Board: Beat Leimbacher; Registered office: Frankfurt am Main; Register court: Frankfurt am Main District Court HRB 55490