Re: End Of Life Tag in spdx #spdx
Armijn Hemel - Tjaldur Software Governance Solutions
hello,
I would suggest keeping this
information "out of band" and not inside SPDX documents. Current
information inside SPDX documents is largely static: package,
license, checksum, and so on. Of course there could have been
errors that need to be fixed, but overall these fields are static.
EOL information, commercial status and
support status on the other hand are much more dynamic. Sometimes
packages are supported for only a few hours, sometimes for
decades. Very often it is also not clear when a package is EOL or
supported, as many authors/maintainers do not announce it. The
support is sometimes also not done by the author/maintainers, but
by an external entity (for example: enterprise grade Linux
distributions). Does this mean it is supported, or only supported
for people willing to pay for it, or ...? It is simply not clear,
and it adds a lot of fuzziness.
This would make SPDX a lot more
cumbersome, as not only do the documents need to be generated, but
they also need to be updated all the time to avoid falling out of
sync. It also mixes syntax and semantics, which is never a good
idea.
armijn
-- Armijn Hemel, MSc Tjaldur Software Governance Solutions