On 06/12/2012 06:08 PM, Peter Williams wrote:
> Even if you choose not to accept an incomplete file verbatim, having it
> might still be advantageous. If nothing else it gives you a place to
> start your investigation. For example, if I receive an SPDX file w/o a
> packageVerificationCode, I might decide I need to do my own analysis of
> the package I am using because I cannot verify that it is exactly the one
> described by the SPDX file. Fortunately, the licensing of software
> packages rarely changes dramatically between versions, so I could use the
> untrusted SPDX data as a starting point. Such a head start would be
> likely to save a great deal of time and effort. This would be about the
> same process needed if I received an SPDX file with a
> packageVerificationCode that did not match my package.
Agreed, and this is pretty much what I just posted in another reply before having read yours :-)
--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
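The three situations the quoted message distinguishes (a matching packageVerificationCode, a missing one, and a mismatching one) come down to one check a consumer can run before deciding how much to trust the received SPDX data. The following Python is an added example, not code from this thread or from any SPDX project. It implements the verification code as the SPDX specification defines it (SHA-1 of each file in the package, excluding the files named in the "excludes" clause, the hex digests sorted as strings, concatenated and SHA-1'd again) and classifies the outcome; the package layout, tag names other than PackageVerificationCode, and the sample files are constructed for the demo.

```python
"""Check a received package against the PackageVerificationCode in its SPDX file.

Added example, not part of the original mailing-list thread. The algorithm follows
the SPDX specification: SHA-1 every file in the package (except those listed in
the "excludes" clause, normally the SPDX document itself), sort the hex digests as
strings, concatenate them, and SHA-1 the result.
"""
import hashlib
import os
import re
import tempfile
from enum import Enum

# Tag-value form: "PackageVerificationCode: <40 hex> (excludes: ./package.spdx)"
_PVC_RE = re.compile(
    r"PackageVerificationCode:\s*([0-9a-fA-F]{40})(?:\s*\(excludes:\s*([^)]*)\))?"
)


class VerifyResult(Enum):
    VERIFIED = "package matches the SPDX verification code"
    MISSING_CODE = "no verification code; treat the SPDX data as untrusted hints only"
    MISMATCH = "verification code differs; not the package this SPDX file describes"


def parse_verification_code(spdx_text):
    """Return (hex_code, excluded_paths) from SPDX tag-value text, or (None, ()) if absent."""
    m = _PVC_RE.search(spdx_text)
    if not m:
        return None, ()
    excludes = []
    for p in (m.group(2) or "").split(","):
        p = p.strip()
        if p.startswith("./"):
            p = p[2:]
        if p:
            excludes.append(p)
    return m.group(1).lower(), tuple(excludes)


def verification_code_from_digests(digests):
    """Core of the SPDX algorithm: sort per-file SHA-1 hex digests, SHA-1 the concatenation."""
    joined = "".join(sorted(d.lower() for d in digests))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def package_verification_code(package_dir, excluded=()):
    """Walk package_dir and hash every file not in `excluded` (paths relative to package_dir)."""
    digests = []
    for root, _dirs, files in os.walk(package_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, package_dir).replace(os.sep, "/")
            if rel in excluded:
                continue
            with open(path, "rb") as fh:
                digests.append(hashlib.sha1(fh.read()).hexdigest())
    return verification_code_from_digests(digests)


def check_package(package_dir, spdx_text):
    """Classify the package against the SPDX file: verified, missing code, or mismatch."""
    claimed, excludes = parse_verification_code(spdx_text)
    if claimed is None:
        return VerifyResult.MISSING_CODE
    actual = package_verification_code(package_dir, excludes)
    return VerifyResult.VERIFIED if actual == claimed else VerifyResult.MISMATCH


def demo():
    """Constructed package: two files plus the SPDX document placed inside the tree."""
    with tempfile.TemporaryDirectory() as pkg:
        os.makedirs(os.path.join(pkg, "src"))
        with open(os.path.join(pkg, "src", "main.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        with open(os.path.join(pkg, "LICENSE"), "w") as fh:
            fh.write("Constructed license text for the example.\n")
        # The SPDX document lives in the package, so it is excluded from its own code.
        good_code = package_verification_code(pkg, excluded=("package.spdx",))
        spdx_complete = (
            "PackageName: example\n"
            f"PackageVerificationCode: {good_code} (excludes: ./package.spdx)\n"
        )
        with open(os.path.join(pkg, "package.spdx"), "w") as fh:
            fh.write(spdx_complete)
        results = {
            "complete": check_package(pkg, spdx_complete),
            "missing": check_package(pkg, "PackageName: example\n"),
        }
        # Altered package: append to one source file, so the code no longer matches.
        with open(os.path.join(pkg, "src", "main.c"), "a") as fh:
            fh.write("/* changed */\n")
        results["altered"] = check_package(pkg, spdx_complete)
        return results


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s}: {result.value}")
```

The MISSING_CODE and MISMATCH outcomes land in the same place the message describes: the license data may still be a useful starting point, but it cannot be treated as a verified description of the package in hand until the consumer has done its own analysis.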