Re: Proposed spec for external packages
On Mon, Aug 10, 2015 at 9:54 AM, Sai Uday Shankar Korlimarla <skorlimarla@...> wrote:
I don't think so. This is an optional field to permit linkage to security information IF it exists. If it doesn't exist, its more the responsibility of the package creator or distributor to register it (or the person finding a security issue - might force it to be created). SPDX would only reference it if it exists (its an optional field for that reason). Similar story for CPE's I think.
If someone can describe a good use case that is counter though, we can certainly discuss further. :-)