Re: Software unique identification

William Boyle

I am currently a senior systems engineer at Nokia, and I can say
without reservation that we face this problem also, identifying
specific versions of software (binaries as well as sources). Binaries
can change, even if the source does not, if for example the compiler
is updated, or associated libraries. This is especially problematic
when the libraries are (as is often the case) dynamically-linked
shared libraries.

Bill Boyle
Senior Systems Engineer, Nokia Mobile Phones, Itasca, Illinois

On Mon, May 13, 2013 at 9:56 AM, RUFFIN, MICHEL (MICHEL)
<michel.ruffin@...> wrote:
Dear all we are facing a very difficult issue: How to identify uniquely

In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS
SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming
from outsourcing contracts, …) The goal is to automate a lot of things:
royalty tracking, producing documentations on FOSS respecting the license
obligations automatically, knowing which ALU product is using what SW,
automatically connecting with tools such as Blackduck protex or Palamida or
any others of their competitors, …………………………………………….

The major issue is SW unique identification: Today we have the following:

Maven naming system: but it is limited to java open source libraries
ALU internal system (but so far limited mostly to commercial SW but we are
extending to FOSS but not perfect) and we have to interact with suppliers
and customers on this identification
Blackduck internal unique identification (One millions FOSS but do not cope
with proprietary SW and we do not want to be dependent of a company)
SPDX Check sums for binaries (but do not provide the same checksum with .zip
and .gpz)
SPDX Check sums on source codes but does not work if ALU is doing a small
modification to the comments in the file

I know that SPDX is not perhaps the best place to discuss this issue, but I
would like to engage a discussion on this topic

So my question here is: do you have similar concerns in your companies, and
what can we do to solve this issue (should we create a group on this?)


Michel.Ruffin@..., PhD
Software Coordination Manager, N&P IS/IT
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France

Spdx mailing list

Join { to automatically receive all group messages.