Re: Import and export function of SPDX


Gary O'Neall
 

I would like to know more about the use case.

If this is a producer use case where the SPDX is included with a set of
files distributed, then the archive file would be the archive file produced
and the verification code could be calculated from the files included in the
archive.

If this is an intermediate use case where existing packages are being
documented as SPDX files, I could see where it is more challenging to obtain
the archive file and verification code from the original package unless the
original package included an SPDX file or the original archive file was
maintained.

Gary

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On
Behalf Of Kevin P. Fleming
Sent: Tuesday, June 12, 2012 3:21 PM
To: spdx@...
Subject: Re: Import and export function of SPDX

On 06/12/2012 03:06 PM, Peter Williams wrote:
> So the question is: Is it better to have SPDX files which contain a
> large amount of truly useful information but that are incomplete or
> should we hide all that information because we are missing one tiny
> little piece?

I would question whether this is one 'tiny little piece' or not. In my role
as a consumer of such incoming license information, I would be unwilling to
accept SPDX data describing a package unless I could conclusively confirm
that the package supplied matched the data in the SPDX file.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx
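
Added example, not part of the thread and not taken from any SPDX tool: a sketch of the consumer-side check discussed above, recomputing the package verification code from an unpacked file tree and comparing it with the value declared in the SPDX document. It assumes the algorithm from the SPDX specification (SHA-1 each file, sort the hex digests, concatenate them, SHA-1 the result, leaving out the SPDX file itself); the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_sha1(path):
    """SHA-1 of one file's contents, read in chunks."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def package_verification_code(root, excluded=()):
    """Verification code over every file under root.
    excluded: paths relative to root, e.g. the SPDX document itself."""
    skip = {os.path.normpath(p) for p in excluded}
    digests = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.normpath(os.path.relpath(full, root)) in skip:
                continue
            digests.append(file_sha1(full))
    digests.sort()  # order must not depend on directory traversal
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()

def matches_spdx(root, declared_code, excluded=()):
    """True if the supplied tree matches the code declared in the SPDX data."""
    actual = package_verification_code(root, excluded)
    return actual == declared_code.strip().lower()

def demo():
    """Constructed package: check it as received, then after one file changes."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "main.c"), "wb") as f:
            f.write(b"int main(void) { return 0; }\n")
        with open(os.path.join(root, "LICENSE"), "wb") as f:
            f.write(b"constructed license text\n")
        # What the producer would declare in the SPDX document.
        declared = package_verification_code(root, excluded=["package.spdx"])
        with open(os.path.join(root, "package.spdx"), "wb") as f:
            f.write(b"constructed SPDX document\n")
        ok_as_received = matches_spdx(root, declared, ["package.spdx"])
        with open(os.path.join(root, "src", "main.c"), "ab") as f:
            f.write(b"/* modified after the SPDX data was written */\n")
        ok_after_change = matches_spdx(root, declared, ["package.spdx"])
        return ok_as_received, ok_after_change

if __name__ == "__main__":
    print(demo())
```
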
