Followup question after Linuxcon talk


Bracewell, Robert <rbracewe@...>
 

Thanks for a great discussion on SPDX; it's got me interested in wrapping SPDX into my current release activities as a release manager.

Say, for example, I ship an SDK and for a customer to use this SDK they need to download a number of other files that we were unable to ship within the package. What would be the best way with SPDX to indicate such? Ideally, if I could ship them I would, but for reasons outside of my control I am unable to do so.

To date I have been using Nexus Pro to decorate the artifacts that make up the bill of materials by adding metadata in this tool. The metadata I've been storing is in line with what SPDX already tracks. I wrote my own Maven plugins to take care of the metadata aspect, adding it and pulling it out of Nexus when producing the bill of materials. What I am thinking is that instead of storing metadata I'll just attach an SPDX file as an attached artifact with a classifier, and for every artifact that is subsequently packaged it will just pull down the SPDX files and aggregate.

Looks like I need to do some reading of the spec and whitepapers, etc., to get up to speed.

--
Robert


Lamons, Scott (Open Source Program Office) <scott.lamons@...>
 

Robert,

Thanks for your message and for joining the list. You pose an interesting scenario! While the SPDX is typically provided with the corresponding code, I suspect there might be some way that this could be accomplished or communicated -- perhaps using some of the comment fields, or maybe it makes sense to create and contribute SPDX for the code you're not shipping -- but I will defer to the technical experts on the list.


Regards,
Scott Lamons
SPDX Business Team

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Bracewell, Robert
Sent: Thursday, August 30, 2012 9:03 PM
To: spdx@...
Subject: Followup question after Linuxcon talk
_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx


Manbeck, Jack
 

Robert,

I'm glad to hear that and thanks for your kind words.

Your question is an interesting one, and it is not a use case that we may have specifically solved yet, in that we don't have a field that expresses there is a mandatory dependency on source that needs to be fetched. Here are my thoughts. Ideally you could point to the code with the Package Download Location field (4.5). That would work if all the code they need is at one location (as that field only allows one instance, I believe). To clarify that there is a code dependency (which the spec doesn't do explicitly) you could add information to one of the many optional comment fields in the SPDX: for example, the Source Information field (4.9), Creator Comments (3.3), etc.

Keep us up to date with how this progresses. I think documenting solutions to real-world problems with SPDX will be valuable for us to capture and put on the site for others, and for making adjustments to the specification as needed. Possibly you could even write up your solution and contribute it back?

We may need to take this discussion off of the general list.


Jack

-----Original Message-----
From: spdx-bounces@... [mailto:spdx-bounces@...] On Behalf Of Bracewell, Robert
Sent: Friday, August 31, 2012 12:03 AM
To: spdx@...
Subject: Followup question after Linuxcon talk
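The following is an added example illustrating both Robert's plan (one SPDX file per artifact, aggregated at release time) and Jack's suggestion (point at the code with Package Download Location and flag the dependency in a comment field). It is not code from the thread or from the SPDX project. It assumes the SPDX 1.x tag-value spellings PackageName, PackageVersion, PackageDownloadLocation, PackageChecksum, PackageSourceInfo and CreatorComment, and it invents a "MUST-FETCH:" prefix inside PackageSourceInfo as a homegrown convention, since the spec has no dedicated field for a mandatory download. The inventory, URLs and checksums are constructed.

```python
"""Emit and read SPDX 1.x tag-value package stanzas that flag components a
customer has to fetch separately. Added example, not code from the thread.

Assumed by this example (not stated on the list): the SPDX 1.x tag names
above and the "MUST-FETCH:" prefix in PackageSourceInfo as a local
convention, because the spec has no field for a mandatory download."""
import hashlib
import re

MUST_FETCH = "MUST-FETCH:"

# Constructed inventory for a hypothetical SDK; names, URLs and checksums are
# made up (the libwidget SHA-1 is the digest of an empty file, for the demo).
INVENTORY = [
    {"name": "acme-sdk-core", "version": "2.1.0", "shipped": True,
     "download": "NOASSERTION",
     "sha1": "0000000000000000000000000000000000000001"},
    {"name": "libwidget", "version": "1.4", "shipped": False,
     "download": "http://example.invalid/libwidget-1.4.tar.gz",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
    {"name": "vendor-blob", "version": "7", "shipped": False,
     "download": "http://example.invalid/vendor-blob-7.bin",
     "sha1": "0000000000000000000000000000000000000002"},
]


def package_stanza(pkg):
    """One SPDX package per component: PackageDownloadLocation holds a single
    location, so each separately fetched file gets its own stanza."""
    lines = [
        f"PackageName: {pkg['name']}",
        f"PackageVersion: {pkg['version']}",
        f"PackageDownloadLocation: {pkg['download']}",
        f"PackageChecksum: SHA1: {pkg['sha1']}",
    ]
    if not pkg["shipped"]:
        lines.append(f"PackageSourceInfo: <text>{MUST_FETCH} not included in the "
                     "SDK archive; fetch from PackageDownloadLocation and verify "
                     "PackageChecksum before use.</text>")
    return "\n".join(lines)


def build_document(inventory, created="2012-08-31T00:00:00Z"):
    """Whole tag-value document: header plus one stanza per component."""
    header = [
        "SPDXVersion: SPDX-1.1",
        "DataLicense: CC0-1.0",
        "Creator: Tool: release-bom-example",
        f"Created: {created}",
        "CreatorComment: <text>Packages whose PackageSourceInfo starts with "
        f"{MUST_FETCH} are required but not shipped in this archive.</text>",
    ]
    parts = ["\n".join(header)] + [package_stanza(p) for p in inventory]
    return "\n\n".join(parts) + "\n"


# "Tag: value", with an optional single-line <text>...</text> wrapper.
TAG_RE = re.compile(r"^(\w+):\s*(?:<text>(.*?)</text>|(.*))$")


def parse_packages(doc):
    """Group Package* tags into dicts; a PackageName line starts a new package."""
    packages, current = [], None
    for raw in doc.splitlines():
        m = TAG_RE.match(raw.strip())
        if not m:
            continue
        tag = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if tag == "PackageName":
            current = {"PackageName": value.strip()}
            packages.append(current)
        elif current is not None and tag.startswith("Package"):
            current[tag] = value.strip()
    return packages


def required_downloads(doc):
    """List the components a customer must fetch, with the checksum to verify."""
    out = []
    for pkg in parse_packages(doc):
        if not pkg.get("PackageSourceInfo", "").startswith(MUST_FETCH):
            continue
        algo, _, digest = pkg.get("PackageChecksum", "").partition(":")
        out.append({"name": pkg["PackageName"],
                    "url": pkg.get("PackageDownloadLocation", "NOASSERTION"),
                    "sha1": digest.strip().lower() if algo.strip() == "SHA1" else None})
    return out


def aggregate_required(docs):
    """Merge per-artifact SPDX files pulled from the repository into one
    de-duplicated list for the release bill of materials."""
    merged = {}
    for doc in docs:
        for item in required_downloads(doc):
            merged.setdefault(item["name"], item)
    return list(merged.values())


def verify_fetched(data, expected_sha1):
    """Customer-side check: the downloaded bytes must match the declared SHA-1."""
    return expected_sha1 is not None and hashlib.sha1(data).hexdigest() == expected_sha1


if __name__ == "__main__":
    doc = build_document(INVENTORY)
    print(doc)
    for item in required_downloads(doc):
        print("must fetch:", item["name"], item["url"], item["sha1"])
```

The checksum is what makes the "download it yourself" instruction safe to act on: a customer who fetches the file from the stated location can confirm they got the bytes the release manager described rather than whatever the mirror happened to serve. Because Package Download Location takes one value, the example keeps one package stanza per external component instead of trying to squeeze several URLs into one field.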