[Openchain-japan-wg] Question about SPDX Light: Supported Fields

Shane Coughlan <coughlan@...>

Dear all

We have an active discussion via the OpenChain Japan Work Group (mostly in Japanese) about SPDX. Several Japanese companies are using SPDX in production today and are collaborating on this through a common approach and “ask” for suppliers, particularly those with a relatively limited understanding of open source.

This “ask” will be a subset variant of SPDX informally dubbed “SPDX Light.” It is not intended to break the SPDX Mandatory / Optional fields. Instead it is looking like a series of core fields plus some optional codified into one clear procurement request from multiple companies. One note and comment about this is below (English after the Japanese).

Please note:
(1) Japanese companies operate mostly in Japanese, which is why this discussion has not been occurring on the SPDX mailing list
(2) SPDX calls are at inaccessible times for Japanese companies, which has further hindered interaction

Nevertheless, this is a great moment for us all to jump into a shared discussion.



Begin forwarded message:

From: <Hiroyuki.Fukuchi@...>
Date: 16 January 2019 at 12:34:57 GMT+9
To: <openchain-japan-wg@...>
Subject: [Openchain-japan-wg] Question about SPDX Light: Supported Fields



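The tentatively named SPDX light, under consideration in the SG on exchanging license information between organizations

It seems there is agreement with the concept of creating a minimum set called SPDX light, and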


Question about SPDX Light: Supported Fields #2


Regarding the SPDX light proposal, I would like to express more a question rather than an issue. I like the SPDX light proposal very much. I was wondering about the following additional elements, more like a question:

For package information: I found the checksum very useful to exchange information about packages, maybe it could be considered as well? Is it maybe confusing when the same package was compiled multiple times?

How about an acknowledgement field attached to license information? (For licenses that ask for acknowledgement, such as https://spdx.org/licenses/BSD-4-Clause-UC.html, because then acknowledgement documentation could easily be generated from SPDX.)

Export control and customs, ECC notice (since patent notice is already envisaged) for a package could be used (with reference in which file it was found).

Would the package download location also be the package management id? (For example, it is named "artefact id" for maven packages.)

Ignore flag for files, which could be info that this file was not part of license analysis or is not considered in license analysis because it is considered irrelevant.

Please see my remarks just as quick feedback from the posting on openchain mailing list. My idea was it could be a good place here to ask a question about this document:


Hiroyuki Fukuchi (Hiroyuki.Fukuchi@...)
Sony Corporation, UX Planning Department, Alliance Business Section
