Re: OpenChain for projects
Kate Stewart
Hi Jeremiah,

On Wed, Jan 25, 2017 at 1:53 PM, Jeremiah Foster <jeremiah.foster@...> wrote:
DEP5 isn't quite SPDX, it's missing a few fields, but is certainly very similar to the SPDX tag:value format. In fact, we effectively started with DEP5 and added fields to it that the lawyers felt essential to accurately capture the information and be able to tell if a file in the project has been updated or not since the licensing information was generated. Debian has captured all the necessary fields though to generate SPDX files in the debsources project last year. [1]
Agree with you, if Debian starts generating SPDX as part of builds automatically, the distros will pick it up, esp. if their customers start asking for it (via OpenChain). However we're going to need a proof of concept, and get FOSSology more robust interacting with the command line to make this possible.

Step by open source step.... ;-)

Kate