Re: Proposed spec for external packages


Kate Stewart
On Tue, Aug 4, 2015 at 10:45 AM, Mike Milinkovich <mike.milinkovich@...> wrote:
On 04/08/2015 9:34 AM, Philippe Ombredanne wrote:
On Tue, Aug 4, 2015 at 5:00 AM, Yev Bronshteyn
<ybronshteyn@...> wrote:
Here is the spec for the proposed EternalPackage element. While I touch on
usage in the beginning, I'll discuss some specific use cases in the context
of SpdxTools on the call.

https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit?usp=sharing

Yev:
I guess you meant External and not Eternal....

I provided a few comments to your proposed spec in the doc at
https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#

To add to Philippe's comments, and speaking on behalf of a major producer of open source software, the proposal for an "External Security and Asset Management Identifier" seems to be fundamentally flawed. A quick perusal of the tagvault.org website tells me that the spec is not publicly available (i.e. you must buy it for $265 from ANSI), and that the tools used to tag software assets are available only to members of their private club.

The spec being referred to is a NIST one, rather than ANSI. See: http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8060, which is open.

It's in its second reading right now, and it's in a public comment window, before NIST adopts it.

IMO, any requirement that open source communities use a closed standard, and proprietary tools to annotate their open source code is dead on arrival.

I agree we should not depend on closed standards. However, the question is: do we want to be able to reference external packages that other systems are supporting?

Kate
