Re: Import and export function of SPDX


Kevin P. Fleming <kpfleming@...>
 

On 06/12/2012 06:08 PM, Peter Williams wrote:
Even if you choose not to accept an incomplete file verbatim, having it
might still be advantageous. If nothing else it gives you a place to
start your investigation. For example, if i receive an SPDX file w/o a
packageVerificationCode, i might decide i need to do my own analysis of
the package i am using because i cannot verify that is exactly the one
described by the SPDX file. Fortunately, the licensing of software
packages rarely change dramatically between versions so i could use the
untrusted SPDX data as a starting point. Such a head start would be
likely to save a great deal of time and effort. This would be about the
same process needed if i received an SPDX file with a
packageVerificationCode that did not match my package.
Agreed, and this is pretty much what I just posted in another reply before having read yours :-)

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

Join spdx@lists.spdx.org to automatically receive all group messages.