Re: Import and export function of SPDX


Kevin P. Fleming <kpfleming@...>
 

On 06/13/2012 10:51 AM, RUFFIN, MICHEL (MICHEL) wrote:
> Well, today we solve more or less this issue by requesting the URL where the FOSS can be downloaded, so URL + name + version number determine the FOSS used. It is not perfect, but I never managed to find a good solution to identify an open source package uniquely.
>
> Even the URL is not enough. When our FOSS evaluators receive a URL to study a FOSS, they first have to check that it is the right one. For instance, people are providing the URL on SourceForge or on a mirror site, while this is not the home page for the software. So our internal recommendation is to use the home page of the copyright owner whenever possible.
>
> Note that the URL and version number are the only mandatory fields in our database.
Right, and this is what the package checksum was intended to solve. If you have that, then no matter where you get the source archive, you can confirm (with nearly 100% confidence) that it has the same contents as were used by the person who constructed the SPDX file.

In other words, the problem you've been struggling with has been addressed as part of SPDX, but you aren't in a position to be able to take advantage of it, which is somewhat unfortunate.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
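As an added example (not code from the SPDX project or from either poster), here are the two sides of what Kevin describes: the SPDX producer records a SHA1 PackageChecksum for the archive it actually analysed, and a consumer who later fetched the archive from any mirror checks it against that value instead of trusting the URL. The tag names are SPDX tag-value fields; the package name, URL and archive bytes are constructed sample data.

```python
import hashlib
import hmac
import re


def describe_package(name, version, url, archive_bytes):
    """Producer side: emit SPDX tag-value fields that pin the archive that was
    analysed, including a SHA1 checksum of its bytes."""
    digest = hashlib.sha1(archive_bytes).hexdigest()
    return (f"PackageName: {name}\n"
            f"PackageVersion: {version}\n"
            f"PackageDownloadLocation: {url}\n"
            f"PackageChecksum: SHA1: {digest}\n")


def parse_tag_values(spdx_text):
    """Parse 'Tag: Value' lines into a dict (first occurrence of a tag wins)."""
    fields = {}
    for line in spdx_text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.+?)\s*$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def verify_package(spdx_text, archive_bytes):
    """Consumer side: hash the archive obtained from wherever (home page,
    mirror, SourceForge) and compare with the recorded checksum.
    Returns (matches, recorded_hex, actual_hex)."""
    fields = parse_tag_values(spdx_text)
    algo, _, recorded = fields["PackageChecksum"].partition(":")
    algo, recorded = algo.strip().lower(), recorded.strip().lower()
    actual = hashlib.new(algo, archive_bytes).hexdigest()
    # Constant-time comparison; the checksum is the identity, not the URL.
    return hmac.compare_digest(actual, recorded), recorded, actual


# Constructed sample data: the bytes the SPDX author analysed, and a copy
# that differs (e.g. a mirror serving a repacked or modified tarball).
ORIGINAL = b"example-lib-1.0 source tree (constructed sample bytes)\n"
TAMPERED = ORIGINAL + b"extra bytes a mirror might have added\n"
SPDX_DOC = describe_package("example-lib", "1.0",
                            "https://example.invalid/example-lib-1.0.tar.gz",
                            ORIGINAL)

if __name__ == "__main__":
    for label, data in (("original", ORIGINAL), ("tampered", TAMPERED)):
        ok, rec, act = verify_package(SPDX_DOC, data)
        print(f"{label}: {'match' if ok else 'MISMATCH'} "
              f"(recorded {rec[:12]}..., got {act[:12]}...)")
```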
