Re: Proposed spec for external packages
Jeremiah Foster <jeremiah.foster@...>
On Wed, Aug 5, 2015 at 4:56 PM, Kate Stewart <kstewart@...> wrote:
All I can do is comment on the SPDX spec from the perspective of a small business and FOSS contributor. The spec is already quite heavyweight, and adding this tag might make sense for the larger commercial organizations, but it doesn't fit the need for a lightweight process that SMEs use in my experience.
I don't see the use case. I already use Debian's security tracking, which relies on CVEs and Debian package versions, and that works quite well. I personally wouldn't consume this additional tag, but I see how it might be used to market commercial tools.
As an aside, after NIST's work with crypto ciphers I wonder how closely FOSS projects will follow their proposals?