Re: Import and export function of SPDX
Peter Williams <peter.williams@...>
On Tue Jun 12 12:12:42 2012, William Boyle wrote:
> Why not just

I cannot speak for Michel, but sometimes it *is* hard. The packageVerificationCode, for example, is constructed from checksums produced by a relatively weak hash algorithm. We analyzed many packages before the advent of SPDX and collected checksums using a much stronger algorithm. We no longer have access to many of those packages. In that situation it is *impossible* to produce an SPDX file with a packageVerificationCode.

So the question is: Is it better to have SPDX files which contain a large amount of truly useful information but that are incomplete, or should we hide all that information because we are missing one tiny little piece?

I'd vote for not letting the best be the enemy of the good. The more information people have, the better their decisions will be, even if that information is incomplete.

The real world is imperfect, messy and ambiguous, which is why being liberal in what is accepted is a virtue[1] for a data exchange format. Just look at HTML -- probably one of the most interoperable formats ever created -- would it have succeeded if browsers had been pedantic about the HTML format? I seriously doubt it, just look at the (lack of) adoption of strict XHTML.

[1]: http://en.wikipedia.org/wiki/Robustness_principle

Peter