From: Ralf Glaser <glaser@iotmaxx.de>
To: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Subject: [ptxdist] creating a valid SPDX-SBOM
Date: Tue, 3 Jun 2025 15:42:13 +0000
Message-ID: <BEZP281MB33612D7F1BD7C9B60A9B1DF9A56DA@BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM>
My current goal is to use ptxdist to create a SPDX-SBOM that is recognized by https://tools.spdx.org/app/validate/ as valid.
I have already sent patches to remedy the demands of spdx.org that go beyond the JSON schema. Now I'm trying to figure out how to handle licenses not recognized by SPDX:
public_domain
=============
- no license file to copy from
- set to NOASSERTION seems inaccurate
option: create a LicenseRef-PublicDomain which is added and referenced whenever a public_domain-licensed package is included and add some clever text for it (proposals welcome)
unknown
=======
This is used ambiguously in the ptxdist rules and could mean:
- "unknown": setting it to NOASSERTION seems accurate then
- "for some reason I did not specify the correct license": setting it to NOASSERTION would hide this
option: set to NOASSERTION but issue a warning, possibly find a term that says 'NOASSERTION is what I really want' to get rid of the warnings
other licenses
==============
This is the tricky one.
option: use an additional variable like <pkg>_LICENSE_FILES_NONSPDX which contains the usual file://SOMEFILE;md5=abcd syntax and is concatenated to <pkg>_LICENSE_FILES so nothing breaks and pick this up later to create a set of LicenseRef-<pkg>-# licenses that can be referenced by the package. Seems like an ugly hack though...
Best regards,
Ralf
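As an added illustration of the three cases above (not part of Ralf's mail or of ptxdist's own code): a small Python mapper that turns a ptxdist license declaration plus a hypothetical <pkg>_LICENSE_FILES_NONSPDX value into the SPDX licenseDeclared field and hasExtractedLicensingInfos entries, checking the declared md5 before a license file's text is embedded. The package name, file contents and the public-domain placeholder text are constructed here.

```python
import hashlib
import re

# SPDX custom identifiers must match LicenseRef-[A-Za-z0-9.-]+ ; ptxdist package
# names may contain "_", so they are normalised before use (assumption: "_" -> "-").
_LICENSEREF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9.-]+$")

def parse_license_files(spec):
    """Parse 'file://PATH;md5=HEX file://PATH2' into [(path, md5_or_None)]."""
    entries = []
    for token in spec.split():
        if not token.startswith("file://"):
            raise ValueError(f"unsupported license file entry: {token}")
        path, _, params = token[len("file://"):].partition(";")
        opts = dict(p.split("=", 1) for p in params.split(";") if "=" in p)
        entries.append((path, opts.get("md5")))
    return entries

def spdx_license_fields(pkg, license_name, nonspdx_spec, files):
    """Map a ptxdist license declaration to SPDX fields.

    files: {path: bytes} stands in for the unpacked source tree (constructed).
    Returns (licenseDeclared, hasExtractedLicensingInfos, warnings).
    A literal "NOASSERTION" passes through without a warning, which is the
    'NOASSERTION is what I really want' term from the mail."""
    extracted, warnings = [], []
    if license_name == "public_domain":
        extracted.append({"licenseId": "LicenseRef-PublicDomain", "name": "Public domain",
                          "extractedText": "Placeholder text for public-domain packages"})
        return "LicenseRef-PublicDomain", extracted, warnings
    if license_name == "unknown":
        warnings.append(f"{pkg}: license 'unknown', emitting NOASSERTION")
        return "NOASSERTION", extracted, warnings
    if not nonspdx_spec:
        return license_name, extracted, warnings
    ids, safe_pkg = [], re.sub(r"[^A-Za-z0-9.-]", "-", pkg)
    for n, (path, md5) in enumerate(parse_license_files(nonspdx_spec), 1):
        data = files[path]
        if md5 is None:
            warnings.append(f"{pkg}: no md5 for {path}, license text not integrity-checked")
        elif hashlib.md5(data).hexdigest() != md5:
            raise ValueError(f"{pkg}: md5 mismatch for {path}")  # refuse to embed tampered text
        ref = f"LicenseRef-{safe_pkg}-{n}"
        assert _LICENSEREF_RE.match(ref)
        ids.append(ref)
        extracted.append({"licenseId": ref, "name": f"{pkg} license file {path}",
                          "extractedText": data.decode("utf-8", "replace")})
    return " AND ".join(ids), extracted, warnings

# Constructed sample: package "foo_bar" with two non-SPDX license files, one without md5.
SAMPLE_FILES = {"COPYING": b"Do what you want.\n", "LEGAL": b"No warranty.\n"}
SAMPLE_SPEC = ("file://COPYING;md5=" + hashlib.md5(SAMPLE_FILES["COPYING"]).hexdigest()
               + " file://LEGAL")
```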
Thread overview:
2025-06-03 15:42 Ralf Glaser [this message]
2025-06-27 6:56 ` Michael Olbrich