Re: Question about optional License fields


Gary O'Neall
 

Yep – that would be me 😊

 

I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.

 

Best,
Gary

 

From: Rose Judge <rjudge@...>
Sent: Monday, May 2, 2022 12:35 PM
To: spdx-implementers@...; Gary O'Neall <gary@...>
Subject: Re: [spdx-implementers] Question about optional License fields

 

I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 10:30 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

One last item.

 

Is anyone working on updates to the online validation tool to address these changes?

 

If so, I would like to submit some candidate SBOMs in V 2.3 for testing.

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: Dick Brooks <dick@...>
Sent: Monday, May 2, 2022 12:52 PM
To: 'spdx-implementers@...' <spdx-implementers@...>
Subject: RE: [spdx-implementers] Question about optional License fields

 

Thanks, Rose.

Attribute      Value
Required       No
Cardinality    1..*

 

Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 12:39 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Correct -- PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.

 

As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…

 

-Rose

 

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Monday, May 2, 2022 at 9:02 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: Re: [spdx-implementers] Question about optional License fields

Thanks, Rose.

 

Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?

 

PackageLicenseConcluded: NOASSERTION

PackageLicenseDeclared: NOASSERTION

PackageCopyrightText: NOASSERTION

 

Also, did we also decide to make PackageChecksum optional in V 2.3?

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Sunday, May 1, 2022 11:42 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields

 

Hi Dick,

 

I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635

 

Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.

 

-Rose

From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Date: Saturday, April 30, 2022 at 10:56 AM
To: spdx-implementers@... <spdx-implementers@...>
Subject: [spdx-implementers] Question about optional License fields

Hello Everyone,

 

REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.

 

The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e., PackageLicenseConcluded, etc.

 

Will the Package License fields still be required?

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788
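
The following is an added example, not code from the thread or from the SPDX tools. It sketches how an SBOM consumer could treat the three fields discussed above as optional, filling in `NOASSERTION` when a package omits them. It assumes the implied-`NOASSERTION` meaning Rose describes for the Concluded License applies to all three fields; the function names and the simplified tag-value parsing are hypothetical.

```python
import re

# Fields the thread says become optional in SPDX 2.3.
OPTIONAL_FIELDS = ("PackageLicenseConcluded", "PackageLicenseDeclared",
                   "PackageCopyrightText")
TAG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")

def parse_packages(tag_value_text):
    """Return one dict of tag -> value per package in a tag-value document."""
    packages, current, open_tag = [], None, None
    for line in tag_value_text.splitlines():
        if open_tag:                      # inside a multi-line <text> value
            current[open_tag] += "\n" + line
            if "</text>" in line:
                open_tag = None
            continue
        m = TAG_RE.match(line.strip())
        if not m:
            continue                      # blank line or '#' comment
        tag, value = m.groups()
        if tag == "PackageName":          # PackageName starts a new package
            current = {}
            packages.append(current)
        if current is None:
            continue                      # document-level tags are ignored
        current[tag] = value
        if "<text>" in value and "</text>" not in value:
            open_tag = tag
    return packages

def normalize(pkg):
    """Fill absent optional fields with NOASSERTION; list which were implied."""
    implied = [f for f in OPTIONAL_FIELDS if not pkg.get(f, "").strip()]
    filled = dict(pkg, **{f: "NOASSERTION" for f in implied})
    return filled, implied

# Constructed sample: 'alpha' omits all three fields, 'beta' sets two of them.
SAMPLE = """SPDXVersion: SPDX-2.3
PackageName: alpha
SPDXID: SPDXRef-alpha

PackageName: beta
SPDXID: SPDXRef-beta
PackageLicenseConcluded: MIT
PackageCopyrightText: <text>Copyright 2022
Example Authors</text>
"""
for p in parse_packages(SAMPLE):
    print(p["PackageName"], "implied NOASSERTION for:", normalize(p)[1])
```

Keeping the list of implied fields separate from the filled record lets a consumer distinguish "the producer asserted nothing" from "the producer wrote NOASSERTION" when reporting on SBOM completeness.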

 

 

