regards,
Reejo Joseph
1 reply
my email id. g00g1y5p4@gmail.com
I am looking for guidance adding SPDX info for my existing software product.
My current understanding is that I should create TAG file for each DLL/EXEs that my CI/CD generate and then use some tool(?) to concatenate them into a an SPDX file.
Appreciate any feedback received.
2 replies
1 reply
Hey there everyone, I was wondering whether there is any sort of best practice for annotating proprietary licensed or not-yet open licensed code with spdx identifiers aside from saying LicenseRef-XYZ
I'm currently annotating part of our codebase and there are simply parts that are not yet open to the public but I want to make sure that they are properly prepared and annotated.
1 reply
(Ping pombredanne (Philippe Ombredanne); this sounds like your kind of thing ๐)
Welcome, @Blackclaws!
If you intend to release the codebase to the public for the first time as open source software, I would suggest labelling the code with the appropriate SPDX License Identifier for the open source license you intend to release it as. Then, you can simply withhold the SPDX document and release it with the software.
On the other hand, if you want to release your codebase now (as proprietary software) with an accompanying SPDX document, you could indeed use LicenseRef-XYZ as you suggested. Alternatively, you could use NOASSERTION, which means that your customers have to assume it is proprietary until you say otherwise.
I hope that helps in some way! Let me know if I've misunderstood or missed something. ๐
1 reply
Hi all,
What would be the recommended properties in an SPDX 2.2 document for storing information on the following package attributes:
- a package's usage in a product, so something like 'dynamically linked' or 'statically linked'
- a package's attribution notice, which is shown in the attribution report produced from the BOM.
Looking at the specs, I could not find a suitable package property. I could use the 'comment' attribute, of course, or maybe an external reference, but I am hoping for a more specific property.
If this is not the right place to post this question, just let me know. I'd appreciate any feedback.
Cheers,
Uwe
re: 1. way to represent static vs. dynamic link is via a relationship (see: https://spdx.github.io/spdx-spec/relationships-between-SPDX-elements/ STATIC_LINK, DYNAMIC_LINK)
re: 2: attribution notice can be represented in https://spdx.github.io/spdx-spec/package-information/#723-package-attribution-text-field
Hope this helps,
Kate
2 replies
Hi all,
What's the recommended way to include the license text of a package that has a SPDX-listed license (e.g. Apache-2.0) with an extra paragraph added below the original license text? Note that the extra paragraph is not intended to change the license itself (so it remains an Apache 2.0 license), but provides extra information like contact details or something similar the developers of the package wanted to include.
I would like my SPDX JSON representation of this package to include or reference the full license text while the 'licenseDeclared' attribute is set to the license's SPDX-listed license ID.
I don't think I can add an ExtractedLicenseInfo in this case as it this seems to require a license ID that starts with 'LicenseRef-' which I don't have. The 'licenseComments' attribute might serve as a workaround here, but I'm looking for better approaches.
I could not find any resources for this scenario so I'd appreciate any recommendations.
Thanks!
Hi all,
What's the recommended way to include the license text of a package that has a SPDX-listed license (e.g. Apache-2.0) with an extra paragraph added below the original license text? Note that the extra paragraph is not intended to change the license itself (so it remains an Apache 2.0 license), but provides extra information like contact details or something similar the developers of the package wanted to include.
I would like my SPDX JSON representation of this package to include or reference the full license text while the 'licenseDeclared' attribute is set to the license's SPDX-listed license ID.
I don't think I can add an ExtractedLicenseInfo in this case as it this seems to require a license ID that starts with 'LicenseRef-' which I don't have. The 'licenseComments' attribute might serve as a workaround here, but I'm looking for better approaches.I could not find any resources for this scenario so I'd appreciate any recommendations.
Thanks!
I'm interested in knowing this as well
DEPENDENCY_MANIFEST_OF and METAFILE_OF, the descriptions sound pretty similar and for me pom.xml and package.json live in the same bucket:METAFILE_OFsais A SOURCE filepom.xmlis a metafile of the APPLICATION โApache Xercesโ.DEPENDENCY_MANIFEST_OFsais A filepackage.jsonis the dependency manifest of a packagefoo.
And as a potentially last question I would like to understand the relation types FILE_ADDED and FILE_DELETED. They feel like ternary relations, since I always would want to say "from archive A.tgz in deleted file B.txt and the result was the archive C.tgz".
Or in other words: in the example "A SOURCE file foo.diff has been deleted from package ARCHIVE bar.tgz." does the archive still contain the foo.diff or not? How to reference the original input or the output?
I do not understand how to interpret or use these relations if I would see them in the wild.