Kevin P. Fleming <kpfleming@...>
On 06/13/2012 10:51 AM, RUFFIN, MICHEL (MICHEL) wrote:
> Well, today we solve more or less this issue by requesting the URL where the FOSS can be downloaded, so URL + name + version number determine the FOSS used. It is not perfect but I never managed a good solution to identify uniquely an open source.

Right, and this is what the package checksum was intended to solve. If you have that, then no matter where you get the source archive, you can confirm (with nearly 100% confidence) that it has the same contents as were used by the person who constructed the SPDX file.
In other words, the problem you've been struggling with has been addressed as part of SPDX, but you aren't in a position to be able to take advantage of it, which is somewhat unfortunate.
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming@... | SIP: kpfleming@... | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
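The check described in the message above, as an added example that is not part of the original thread: read the `PackageChecksum` entries for a package from an SPDX tag-value document and compare them with the archive actually in hand, wherever it was downloaded from. The package name, URL and archive bytes are constructed; SHA256 entries are accepted alongside SHA1 because later SPDX versions allow them.

```python
import hashlib
import hmac

# Constructed sample: archive bytes and SPDX tag-value fragment are made up.
ARCHIVE = b"constructed stand-in for the bytes of foo-1.2.tar.gz"
SPDX_DOC = f"""\
PackageName: foo
PackageVersion: 1.2
PackageDownloadLocation: http://mirror-a.example/foo-1.2.tar.gz
PackageChecksum: SHA1: {hashlib.sha1(ARCHIVE).hexdigest()}
PackageChecksum: SHA256: {hashlib.sha256(ARCHIVE).hexdigest()}
"""

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def package_checksums(spdx_text, package_name):
    """Return {algorithm: hex digest} recorded for one package."""
    checksums, current = {}, None
    for line in spdx_text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue  # not a tag-value line
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = value  # following tags belong to this package
        elif tag == "PackageChecksum" and current == package_name:
            algo, _, digest = value.partition(":")
            checksums[algo.strip().upper()] = digest.strip().lower()
    return checksums


def archive_matches(spdx_text, package_name, archive_bytes):
    """True only if every recorded checksum we can compute matches."""
    recorded = package_checksums(spdx_text, package_name)
    usable = {a: d for a, d in recorded.items() if a in ALGORITHMS}
    if not usable:
        # Fail closed: URL + name + version alone proves nothing.
        raise ValueError(f"no usable checksum recorded for {package_name!r}")
    return all(
        hmac.compare_digest(ALGORITHMS[a](archive_bytes).hexdigest(), d)
        for a, d in usable.items()
    )
```

An archive with the same name and version but different bytes fails the check, which is the case the URL + name + version approach cannot detect.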