Re: Question about optional License fields
Excellent – Thanks, Gary. Just let me know when you’re ready to do some testing.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Gary O'Neall
Sent: Monday, May 2, 2022 4:19 PM
To: 'Rose Judge' <rjudge@...>; spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields
Yep – that would be me 😊
I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.
Best,
From: Rose Judge <rjudge@...>
I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
One last item.
Is anyone working on updates to the online validation tool to address these changes?
If so I would like to submit some candidate SBOMs in V 2.3 for testing.
Thanks,
Dick Brooks
From: Dick Brooks <dick@...>
Thanks, Rose.
Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?
Thanks,
Dick Brooks
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Correct -- PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.
As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…
-Rose
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Thanks, Rose.
Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
Also, did we also decide to make PackageChecksum optional in V 2.3?
Thanks,
Dick Brooks
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Hi Dick,
I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635
Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.
-Rose
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Hello Everyone,
REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.
The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e.,
Will the Package License fields still be required?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
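
The rule stated in Rose Judge's reply above (once the three package fields are optional in 2.3, an absent field carries the same meaning as `NOASSERTION`), as an added example that is not part of the thread or of any SPDX tooling. The function names, the constructed sample documents, the restriction to single-line tag-value pairs, and treating every version other than `SPDX-2.3` under the 2.2 rule are assumptions.

```python
import re

# Package fields the thread says become optional in SPDX 2.3.
OPTIONAL_IN_2_3 = ("PackageLicenseConcluded", "PackageLicenseDeclared",
                   "PackageCopyrightText")
TAG_LINE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_packages(text):
    """Return (SPDXVersion, list of package dicts) from single-line tag: value pairs."""
    version, packages, current = None, [], None
    for raw in text.splitlines():
        m = TAG_LINE.match(raw.strip())
        if not m:
            continue  # blank lines and '#' comments
        tag, value = m.group(1), m.group(2).strip()
        if tag == "SPDXVersion":
            version = value
        elif tag == "PackageName":  # PackageName opens a new package section
            current = {}
            packages.append(current)
        if current is not None and tag.startswith("Package"):
            current[tag] = value
    return version, packages

def effective_fields(text):
    """Per package: effective values, which were implied, and 2.2-style errors."""
    version, packages = parse_packages(text)
    optional = version == "SPDX-2.3"  # assumption: other versions keep the 2.2 rule
    report = []
    for pkg in packages:
        absent = [f for f in OPTIONAL_IN_2_3 if f not in pkg]
        effective = dict(pkg)
        if optional:  # absent field reads as NOASSERTION, per the thread
            effective.update({f: "NOASSERTION" for f in absent})
        report.append({"name": pkg["PackageName"], "effective": effective,
                       "implied": absent if optional else [],
                       "errors": [] if optional else
                                 [f"{f} is required in {version}" for f in absent]})
    return report

# Constructed sample documents (not real SBOMs).
DOC_23 = """SPDXVersion: SPDX-2.3
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
PackageDownloadLocation: NOASSERTION
PackageLicenseDeclared: MIT
"""
DOC_22 = DOC_23.replace("SPDX-2.3", "SPDX-2.2")
```

Keeping the `implied` list separate from the effective values lets a consumer tell an explicit `NOASSERTION` from a field the producer simply left out.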