Note: lists.spdx.org will be down for maintenance on Monday, September 26th, starting at 9AM Pacific Time (4PM Monday September 26, 2022 UTC), for approximately one hour.
- [Openchain-japan-wg] Question about SPDX Light: Supported Fields
[Openchain-japan-wg] Question about SPDX Light: Supported Fields
Shane Coughlan <coughlan@...>
toggle quoted messageShow quoted text
We have an active discussion via the OpenChain Japan Work Group (mostly in Japanese) about SPDX. Several Japanese companies are using SPDX in production today and are collaborating to this through a common approach and “ask” for suppliers, particularly those with a relatively limited understanding of open source.
This “ask” will be a subset variant of SPDX informally dubbed “SPDX Light.” It is not intended to break the SPDX Mandatory / Optional fields. Instead it is looking like a series of core fields plus some optional codified into one clear procurement request from multiple companies. One note and comment about this is below (English after the Japanese).
(1) Japanese companies operate mostly in Japanese, which is why this discussion has not been occurring on the SPDX mailing list
(2) SPDX calls are at inaccessible times for Japanese companies, which has further hindered interaction
Nevertheless, this is a great moment for us all to jump into a shared discussion.
Begin forwarded message:
皆様福地です組織間のライセンス情報授受のSGで検討している仮称SPDX lightですが、ISSUEリストに海外の方（mcjaeger）から書き込みがありました。SPDX lightというミニマムセットを作るコンセプトに賛成のようで、その上で提案と質問が来ています。関心のある方は、彼の提案を読んでコメントを頂けませんでしょうか。Question about SPDX Light: Supported Fields #2https://github.com/OpenChain-Project/Japan-WG-General/issues/2hello,regarding the SPDX light proposal I would like to express more a question rather than an issue. I like the SPDX light proposal very much. I was wondering about the following additional elements more like a question:for package information: I found the checksum very useful to exchange information about packages, maybe it could be considered as well? is it maybe confusing hwne the same package was compiled multiple times?How about an acknowledgement field attached to license information? (For licenses that ask for acknowledgement, such as https://spdx.org/licenses/BSD-4-Clause-UC.html because then, acknowledgement documentation could easily generated from SPDX.Export control and customs, ECC notice (since patent notice is already envisaged) for a package could be used (with reference in which file it was found)would be package download location also the package management id? (for example it is named "artefact id" for maven packages)ignore flag for files which could be info that this file was not part of license analysis or isnot considered as license analysis because it is considered irrelevant.Please see my remarks just as quick feedback from the posting on openchain mailing list. My idea was it could be a good place here to ask a question about this document:https://github.com/OpenChain-Project/Japan-WG-General/blob/master/License-Info-Exchange/Doc-at-Meeting/Candidate-of-SDPX-light.md---福地 弘行 (Hiroyuki.Fukuchi@...)ソニー（株）UX企画部 アライアンス業務課_______________________________________________Openchain-japan-wg mailing listOpenchain-japan-wg@...https://lists.linuxfoundation.org/mailman/listinfo/openchain-japan-wg