Clarification on purpose and participation

Karim Ratib <karim.ratib@...>


I just discovered SPDX and after watching the 3-minute video and
reading through the Web site, I am eager to understand more - and
possibly to participate in the effort, in my capacity as a software

I develop web applications using the open source Drupal CMS, and each
implementation typically uses tens, if not hundreds, of contributed
modules. Each module as well as the core system are GPL licensed. I
would like to generate a bill of material for the whole application,
and eventually for the server that hosts the application.

My initial thought is to write a software tool that generates a single
SPDX file based on the Drupal installation's metadata - core version,
installed modules, additional libraries, etc.

Is this what would be expected to comply with the SPDX vision?

As follow-up questions:
- Is there a convention to query Web applications for their SPDX (e.g.
a well-known URI)?
- Are there existing tools within Linux distributions to generate SPDX
for installed packages?
- Is there a recommended workflow for generating a comprehensive SPDX
document for a given computer (desktop/server)?

Sorry if these are naive questions - thanks in advance for taking the
time to enlighten me.

