Re: How to best handle modification notices and notices of origin in SPDX
On Sunday 28 July 2019 22:16:34 CEST
[G.O.] First a disclaimer - I have not implemented this specific
I can see how this could work in the sense where we are using
packages. But it also seems like quite a tooling-heavy approach.
If I understand you correctly, this would imply you have an
inventory of all the packages used with corresponding SPDX files,
and then this inventory (or build system) could be used to track
the relationships and modification status.
BTW, if we’re talking about small single-file situations (e.g.
CSS, JS, fonts, images), it seems quite a hassle. Imagine doing
this for every single placeholder image.
In any case, there is still the attribution/provenance question
The hack I currently have in mind is to misuse the
SPDX-FileCopyrightText tag in REUSE, but I would very much like to
depend on something better.