Re: Import and export function of SPDX

Gary O'Neall

I would like to know more about the use case.

If this is a producer use case where the SPDX is included with a set of
files distributed, then the archive file would be the archive file produced
and the verification code could be calculated from the files included in the

If this is an intermediate use case where existing packages are being
documented as SPDX files, I could see where it is more challenging to obtain
the archive file and verification code from the original package unless the
original package included an SPDX file or the original archive file was


-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On
Behalf Of Kevin P. Fleming
Sent: Tuesday, June 12, 2012 3:21 PM
To: spdx@...
Subject: Re: Import and export function of SPDX

On 06/12/2012 03:06 PM, Peter Williams wrote:
So the questions is: Is it better to have SPDX files which contain a
large amount of truly useful information but that are incomplete or
should we hide all that information because we are missing one tiny
little piece?
I would question whether this is one 'tiny little piece' or not. In my role
as a consumer of such incoming license information, I would be unwilling to
accept SPDX data describing a package unless I could conclusively confirm
that the package supplied matched the data in the SPDX file.

Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at &
Spdx mailing list

Join to automatically receive all group messages.