Software unique identification
RUFFIN MICHEL
Dear all, we are facing a very difficult issue: how to uniquely identify software.
In Alcatel-Lucent (ALU) we would like to link all our databases on SW (FOSS SW, proprietary SW, FOSS SW coming in proprietary solutions, FOSS coming from outsourcing contracts, …). The goal is to automate a lot of things: royalty tracking, producing documentation on FOSS respecting the license obligations automatically, knowing which ALU product is using what SW, automatically connecting with tools such as Blackduck Protex or Palamida or any others of their competitors, …
The major issue is SW unique identification: Today we have the following:
I know that SPDX is perhaps not the best place to discuss this issue, but I would like to engage in a discussion on this topic.
So my question here is: do you have similar concerns in your companies, and what can we do to solve this issue (should we create a group on this?)
Michel
Michel.Ruffin@..., PhD
Software Coordination Manager, N&P IS/IT
Distinguished Member of Technical Staff
Tel +33 (0) 6 75 25 21 94
Alcatel-Lucent International, Centre de Villarceaux
Route De Villejust, 91620 Nozay, France
William Boyle
I am currently a senior systems engineer at Nokia, and I can say without reservation that we face this problem also, identifying specific versions of software (binaries as well as sources). Binaries can change, even if the source does not, if for example the compiler is updated, or associated libraries. This is especially problematic when the libraries are (as is often the case) dynamically-linked shared libraries.

Bill Boyle
Senior Systems Engineer, Nokia Mobile Phones, Itasca, Illinois

On Mon, May 13, 2013 at 9:56 AM, RUFFIN, MICHEL (MICHEL) <michel.ruffin@...> wrote:
> Dear all we are facing a very difficult issue: How to identify uniquely
Armijn Hemel - Tjaldur Software Governance Solutions <armijn@...>
hi,
> I am currently a senior systems engineer at Nokia, and I can say

This is not my experience at all. In the Binary Analysis Tool I use fingerprinting using string constants, function names, variable names, and so on, and I can reliably tell versions of binaries apart (granted: the information has to be in my database). This is absolutely no problem at all.

armijn

--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions
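An added example, not part of the thread and not code from the Binary Analysis Tool: it shows why a file hash changes when only the toolchain changes, while a fingerprint built from string constants and symbol names still resolves to the same release. The program name `exampled`, its strings, the toolchain notes and the `fake_binary` helper are all constructed for illustration.

```python
import hashlib
import re

# Printable ASCII runs of 6+ bytes, roughly what strings(1) reports.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

def extract_strings(blob):
    return {m.decode("ascii") for m in STRING_RE.findall(blob)}

def build_index(known):
    """Per version, keep only the strings no other known version contains."""
    index = {}
    for version, strs in known.items():
        others = set().union(*(s for v, s in known.items() if v != version))
        index[version] = strs - others
    return index

def identify(blob, index):
    """Return (version, hits); version is None on no hit or on a tie."""
    found = extract_strings(blob)
    scores = {v: len(found & uniq) for v, uniq in index.items()}
    top = max(scores.values(), default=0)
    winners = [v for v, n in scores.items() if n == top]
    return (winners[0], top) if top > 0 and len(winners) == 1 else (None, top)

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

# Constructed database: string constants and symbol names per release
# of a hypothetical program "exampled".
KNOWN = {
    "exampled 1.0": {"usage: exampled [-c file]", "cannot open config %s",
                     "exampled_parse_header"},
    "exampled 1.1": {"usage: exampled [-c file]", "cannot open config %s",
                     "exampled_parse_header_v2", "unsupported header version %d"},
}
INDEX = build_index(KNOWN)

def fake_binary(strings, toolchain):
    """Constructed stand-in for a compiled file: header, toolchain note, strings."""
    body = b"\x00\x01".join(s.encode() for s in sorted(strings))
    return b"\x7fELF\x00" + toolchain + b"\x00" + body + b"\x00"

# Same source release built with two (constructed) compiler versions.
BUILD_A = fake_binary(KNOWN["exampled 1.0"], b"GCC: (constructed) 4.7.2")
BUILD_B = fake_binary(KNOWN["exampled 1.0"], b"GCC: (constructed) 4.8.0")
BUILD_C = fake_binary(KNOWN["exampled 1.1"], b"GCC: (constructed) 4.8.0")

if __name__ == "__main__":
    for name, blob in [("A", BUILD_A), ("B", BUILD_B), ("C", BUILD_C)]:
        print(name, digest(blob)[:12], identify(blob, INDEX))
```

A blob with no indexed strings returns `(None, 0)`, which is the "information has to be in my database" caveat from the reply above.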
Roger Meier <roger@...>
Hi Michel
I think the "Official Common Platform Enumeration (CPE) Dictionary" http://nvd.nist.gov/cpe.cfm is a good starting point for this topic.

Another source to consider is ISO/IEC 19770.

all the best!
-roger
;-r

Quoting "RUFFIN, MICHEL (MICHEL)" <michel.ruffin@...>:
> Dear all we are facing a very difficult issue: How to identify uniquely Software.