Re: Proposed spec for external packages

Kate Stewart

On Tue, Aug 4, 2015 at 10:45 AM, Mike Milinkovich <mike.milinkovich@...> wrote:
On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn
<ybronshteyn@...> wrote:
Here is the spec for the proposed EternalPackage element. While I touch on
usage in the beginning, I'll discuss some specific use cases in the context
of SpdxTools on the call.

I guess you meant External and not Eternal....

I provided a few comments to your proposed spec in the doc at

To add to Philippe's comments, and speaking on behalf of a major producer of open source software, the proposal for an "External Security and Asset Management Identifier" seems to be fundamentally flawed. A quick perusal of the website tells me that the spec is not publicly available (i.e. you must buy it for $265 from ANSI), and that the tools used to tag software assets are available only to members of their private club.

The spec being referred to is a NIST one, rather than ANSI. See:
which is open.

It's in its second reading right now, and it's in a public comment window, before NIST adopts it.

IMO, any requirement that open source communities use a closed standard, and proprietary tools to annotate their open source code is dead on arrival.

I agree we should not depend on closed standards. However, the question is: do we want to be able to reference external packages that other systems are supporting?

