Question about optional License fields
Gary O'Neall
Thanks Dick – I’ll take you up on the testing 😊
Gary
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Dick Brooks
Sent: Monday, May 2, 2022 2:59 PM
To: spdx-implementers@...; 'Rose Judge' <rjudge@...>
Subject: Re: [spdx-implementers] Question about optional License fields
Excellent – Thanks, Gary. Just let me know when you’re ready to do some testing.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Gary O'Neall
Yep – that would be me 😊
I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.
Best,
From: Rose Judge <rjudge@...>
I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
One last item.
Is anyone working on updates to the online validation tool to address these changes?
If so I would like to submit some candidate SBOMs in V 2.3 for testing.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Dick Brooks <dick@...>
Thanks, Rose.
Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Correct -- PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.
As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…
-Rose
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Thanks, Rose.
Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
Also, did we also decide to make PackageChecksum optional in V 2.3?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Hi Dick,
I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635
Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.
-Rose
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Hello Everyone,
REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.
The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e.,
Will the Package License fields still be required?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Excellent – Thanks, Gary. Just let me know when you’re ready to do some testing.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Gary O'Neall
Sent: Monday, May 2, 2022 4:19 PM
To: 'Rose Judge' <rjudge@...>; spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields
Yep – that would be me 😊
I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.
Best,
Gary O'Neall
Yep – that would be me 😊
I’ll update the validation tool once the PRs are merged and the 2.3 version is a bit more stable.
Best,
From: Rose Judge <rjudge@...>
Sent: Monday, May 2, 2022 12:35 PM
To: spdx-implementers@...; Gary O'Neall <gary@...>
Subject: Re: [spdx-implementers] Question about optional License fields
I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.
Gary,
I’m happy to do some V 2.3 testing whenever you’re ready. Just let me know.
Thanks, Rose. Appreciate your quick turn-around.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 3:35 PM
To: spdx-implementers@...; Gary O'Neall <gary@...>
Subject: Re: [spdx-implementers] Question about optional License fields
I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.
Thanks, Rose.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 3:35 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields
Yes, this was fixed with a PR I opened that was recently merged for 2.2.2. If you look at the latest github branch, you can see the changes reflected. I suspect the spec has not been updated yet with the latest 2.2.2 changes from GitHub but hopefully will be soon (I can ask at the tech call tomorrow).
Rose Judge
I’ll defer to @Gary O'Neall on this but I suspect he’s working on it.
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
One last item.
Is anyone working on updates to the online validation tool to address these changes?
If so I would like to submit some candidate SBOMs in V 2.3 for testing.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Dick Brooks <dick@...>
Sent: Monday, May 2, 2022 12:52 PM
To: 'spdx-implementers@...' <spdx-implementers@...>
Subject: RE: [spdx-implementers] Question about optional License fields
Thanks, Rose.
Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Rose Judge
Yes, this was fixed with a PR I opened that was recently merged for 2.2.2. If you look at the latest github branch, you can see the changes reflected. I suspect the spec has not been updated yet with the latest 2.2.2 changes from GitHub but hopefully will be soon (I can ask at the tech call tomorrow).
From: spdx-implementers@... <spdx-implementers@...> on behalf of Dick Brooks via lists.spdx.org <dick=reliableenergyanalytics.com@...>
Thanks, Rose.
Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 12:39 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields
Correct -- PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.
As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…
-Rose
One last item.
Is anyone working on updates to the online validation tool to address these changes?
If so I would like to submit some candidate SBOMs in V 2.3 for testing.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: Dick Brooks <dick@...>
Sent: Monday, May 2, 2022 12:52 PM
To: 'spdx-implementers@...' <spdx-implementers@...>
Subject: RE: [spdx-implementers] Question about optional License fields
Thanks, Rose.
Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Thanks, Rose.
Should we also change Cardinality to 0..* instead of 1..* to show that this item is optional?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Monday, May 2, 2022 12:39 PM
To: spdx-implementers@...
Subject: Re: [spdx-implementers] Question about optional License fields
Correct -- PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.
As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…
-Rose
Rose Judge
Correct -- PackageLicenseConcluded, PackageLicenseDeclared, PackageCopyrightText will all be optional for 2.3 once the PR is merged.
As for package checksum, it is currently optional in the 2.2 spec and I don’t remember any discussions around making it mandatory in 2.3…
-Rose
Thanks, Rose.
Much appreciate the quick response. Just to confirm, all of these fields shown below will be optional after the changes – correct?
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
Also, did we also decide to make PackageChecksum optional in V 2.3?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
From: spdx-implementers@... <spdx-implementers@...> On Behalf Of Rose Judge
Sent: Sunday, May 1, 2022 11:42 PM To: spdx-implementers@... Subject: Re: [spdx-implementers] Question about optional License fields
Hi Dick,
I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635
Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.
-Rose
Rose Judge
Hi Dick,
I have a PR open right now to make PackageLicenseConcluded (among other currently required licensing fields) optional in 2.3: https://github.com/spdx/spdx-spec/pull/635
Assuming the PR is merged, if the Concluded License field is not present for a file, it implies an equivalent meaning to `NOASSERTION`.
-Rose
Hello Everyone,
REA has started working on SPDX V 2.3 enhancements and we have a question regarding optional License fields.
The current 2.3 branch shows that certain License elements are still required, but I seem to recall some discussion about making license elements optional in V 2.3, i.e.,
Will the Package License fields still be required?
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
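The rule confirmed in Rose Judge's replies in this thread (the three package fields become optional in 2.3, and an absent field means the same as `NOASSERTION`), sketched for an SBOM consumer as an added example that is not part of any message in the thread or of any SPDX tool. The function names and the sample document are hypothetical, and the parser assumes single-line tag-value pairs.

```python
import re

# Added example; every name here is hypothetical, not taken from an SPDX tool.
LICENSE_TAGS = ("PackageLicenseConcluded", "PackageLicenseDeclared",
                "PackageCopyrightText")

# Constructed sample: the second package omits all three fields.
SAMPLE_23 = """\
SPDXVersion: SPDX-2.3
PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright 2022 Example Corp</text>
PackageName: vendored-blob
SPDXID: SPDXRef-Package-vendored-blob
"""

def parse_packages(doc):
    """Return (SPDXVersion, [package dicts]) from single-line tag-value pairs."""
    version, packages = None, []
    for line in doc.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "SPDXVersion":
            version = value
        elif tag == "PackageName":          # each PackageName opens a new package
            packages.append({tag: value})
        elif packages and tag.startswith("Package"):
            packages[-1][tag] = value
    return version, packages

def effective_package_fields(doc):
    """Resolve the three fields per package; absent means NOASSERTION in 2.3."""
    version, packages = parse_packages(doc)
    report = []
    for pkg in packages:
        missing = [t for t in LICENSE_TAGS if t not in pkg]
        # Assumption: only SPDX-2.3 is treated as the version where they are optional.
        if missing and version != "SPDX-2.3":
            raise ValueError(f"{pkg['PackageName']}: {version} requires "
                             + ", ".join(missing))
        report.append({
            "name": pkg["PackageName"],
            "effective": {t: pkg.get(t, "NOASSERTION") for t in LICENSE_TAGS},
            "implied": missing,   # lets a reviewer see which values were defaulted
        })
    return report
```

A policy gate built on this should treat an implied `NOASSERTION` exactly like an explicit one: in both cases no license conclusion has been made for the package.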