Re: Proposed spec for external packages

Kate Stewart

Hi Uday,

On Mon, Aug 10, 2015 at 9:54 AM, Sai Uday Shankar Korlimarla <skorlimarla@...> wrote:
Hi Kate,

Thanks a ton for the clarification. It definitely helps; I am sorry for this delayed response.

I have one more question/doubt though. In 2.2.1 Corpus Tags, what I infer is that either the distributor or software vendor produces the SWID tag. In the future, assuming SWIDs are prevalent, are we considering SPDX tools to accommodate creation of SWID tags if a vendor does not do so?

I don't think so. This is an optional field to permit linkage to security information IF it exists. If it doesn't exist, it's more the responsibility of the package creator or distributor to register it (or the person finding a security issue might force it to be created). SPDX would only reference it if it exists (it's an optional field for that reason). Similar story for CPEs, I think.

If someone can describe a good use case that is counter though, we can certainly discuss further.  :-)
