Mario Tokarz <mario@...>
I have two questions regarding the latest spec from your home
page. Thanks in advance for the time and consideration.
1.) Page 10 states that "A package can contain subpackages". How would
those be added to the description, they do not seem to be part of the
data model as shown on pg 35.
Supporting subpackages with a full set of metadata seems to be a good
approach to support descriptions of a full system image.
2.) Page 11/12: While package verification code is optional (most
likely to be used when SPDX is not part of the src-archive), the
verification code is mandatory.
While discussing this with a colleague we could not quite figure out
why this is the case or whether this should be better one or the other
(i.e. it is mandatory to have one of the two within one description).
I would be glad to get some thoughts on this.
BMW Car IT GmbH