Re: End Of Life Tag in spdx

Home Messages Hashtags Subgroups

#1523

Re: End Of Life Tag in spdx
#spdx

Dick Brooks #1523 I agree: “I would suggest to keep this information "out of band" and not inside SPDX documents” Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership *Never trust software, always verify and report!* ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788 toggle quoted messageShow quoted text From: spdx@... <spdx@...> On Behalf Of Armijn Hemel - Tjaldur Software Governance Solutions Sent: Thursday, May 19, 2022 6:21 AM To: spdx@... Subject: Re: [spdx] End Of Life Tag in spdx #spdx hello, I would suggest to keep this information "out of band" and not inside SPDX documents. Current information inside SPDX documents is largely static: package, license, checksum, and so on. Of course there could have been errors that need to be fixed, but overall these fields are static. EOL information, commercial status and support status on the other hand are much more dynamic. Sometimes packages are supported for only a few hours, sometimes for decades. Very often it is also not clear when a package is EOL or supported as many authors/maintainers do not announce it. The support is sometimes also not done by the author/maintainers, but by an external entity (for example: enterprise grade Linux distributions). Does this mean it is supported, or only supported for people willing to pay for it, or .... ? It is simply not clear and it adds a lot of fuzziness. This would make SPDX a lot more cumbersome, as not only do the documents need to be generated, but they also need to be updated all the time to avoid falling out of sync. It also mixes syntax and semantics, which is never a good idea. armijn Kate and Sandeep, Our customers are also interested in this information. There are two concepts to consider: Commercial Status: <enumeration value="Available"></enumeration> <enumeration value="Retired"></enumeration> <enumeration value="EOL"></enumeration> <enumeration value="BetaTest"></enumeration> <enumeration value="Pilot"></enumeration> <enumeration value="Abandoned"></enumeration> Support Status: <enumeration value="Supported"></enumeration> <enumeration value="Unsupported"></enumeration> <enumeration value="Community"></enumeration> Both are described in the open-source Vendor Response File (VRF) XML schema available here: https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVendorSchema.xsd Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership *Never trust software, always verify and report!* ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788 From: spdx@... <spdx@...> On Behalf Of Kate Stewart Sent: Friday, May 6, 2022 3:34 PM To: SPDX-general <spdx@...> Subject: Re: [spdx] End Of Life Tag in spdx #spdx Hi Sandeep, There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3. When it comes in, please feel free to review and make sure it's going to suffice for your needs. For now, with 2.2 documents, suggest you use the Package Comment field (https://spdx.github.io/spdx-spec/package-information/#720-package-comment-field) and standardize on a tag (like EndOfSupport: ) and the date. Will that work for now? Thanks, Kate On Fri, May 6, 2022 at 2:27 PM Patil, Sandeep via lists.spdx.org <sandeep.patil=philips.com@...> wrote: Hi All, We have requirement to specify End Of Life as part of package information in SBoM , Is there way current SPDX format support this ? Regards Sandeep -- Armijn Hemel, MSc Tjaldur Software Governance Solutions
More All Messages By This Member

View All 9 Messages In Topic

#1523

Join spdx@lists.spdx.org to automatically receive all group messages.

Home Hashtags Subgroups Terms