
coapp-developers team mailing list archive

Re: CoApp and

 

Fredrik,

Just skimming through this and looking at some of the sample files, I see
the use of something along these lines. One issue I see though is that the
standard seems incredibly verbose. Every file in a package must be
checksummed and must have its own license defined. Also since our packages
are MSIs, they don't necessarily have a folder hierarchy for File.fileName
element. I'm not sure how SPDX would handle this.

I'm also unsure who could trust this data since it's not provided by the
authors of the original code necessarily, it's provided by the packager. I
don't see what stops the packager from lying in the SPDX. Obviously one
should verify that the license in the SPDX is correct but at that point,
you've done exactly what the SPDX was designed to eliminate.

If someone wants to work with the folks at SPDX on figuring out a way to
make this work easily with CoApp packages, I'm more than willing to add a
feature to Autopackage to create an SPDX file and embed it in a package.

Eric

On Sun, Aug 21, 2011 at 4:02 PM, Fredrik Sundqvist <fsundqvist@xxxxxxxxx> wrote:

> "The SPDX standard helps facilitate compliance with free and open
> source software licenses by standardizing the way license information
> is shared across the software supply chain. SPDX reduces redundant
> work by providing a common format for companies and communities to
> share important data about software licenses and copyrights, thereby
> streamlining and improving compliance."
>
> http://spdx.org/
>
> Any thoughts on this?
>
> Regards,
> Fredrik Sundqvist
