Software unique identification


RUFFIN MICHEL
 

Dear all we are facing a very difficult issue: How to identify uniquely Software.
 
In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming from outsourcing contracts, …) The goal is to automate a lot of things: royalty tracking, producing documentations on FOSS respecting the license obligations automatically, knowing which ALU product is using what SW, automatically connecting with tools such as Blackduck protex or Palamida or any others of their competitors, …………………………………………….
 
The major issue is SW unique identification: Today we have the following:
  • Maven naming system: but it is limited to java open source libraries
  • ALU internal system (but so far limited mostly to commercial SW but we are extending to FOSS but not perfect) and we have to interact with suppliers and customers on this identification
  • Blackduck internal unique identification (One millions FOSS but do not cope with proprietary SW and we do not want to be dependent of a company)
  • SPDX Check sums for binaries (but do not provide the same checksum with .zip and .gpz)
  • SPDX Check sums on source codes but does not work if ALU is doing a small modification to the comments in the file
 
I know that SPDX is not perhaps the best place to discuss this issue, but I would like to engage a discussion on this topic
 
So my question here is: do you have similar concerns in your companies, and what can we do to solve this issue (should we create a group on this?)
 
Michel
 
Michel.Ruffin@..., PhD
Software Coordination Manager, N&P IS/IT
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France
 
 
 

Join spdx@lists.spdx.org to automatically receive all group messages.