From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Tue, 03 Jun 2025 17:42:26 +0200 Received: from metis.whiteo.stw.pengutronix.de ([2a0a:edc0:2:b01:1d::104]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1uMTmU-003Ln2-1e for lore@lore.pengutronix.de; Tue, 03 Jun 2025 17:42:26 +0200 Received: from localhost ([127.0.0.1] helo=metis.whiteo.stw.pengutronix.de) by metis.whiteo.stw.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1uMTmU-0003hC-AF; Tue, 03 Jun 2025 17:42:26 +0200 Received: from mail-germanywestcentralazlp170100001.outbound.protection.outlook.com ([2a01:111:f403:c20c::1] helo=FR6P281CU001.outbound.protection.outlook.com) by metis.whiteo.stw.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1uMTmJ-0003cg-8n for ptxdist@pengutronix.de; Tue, 03 Jun 2025 17:42:15 +0200 ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=KfVb6+qsymUyZwhjq7ob3+/l/b1T9116aqJMX6y8dNpi3yGKn9ECAAMCl0RWVaqgivHlkm91s7Oix/1Wxj33uljENwGz2pKlitHeTFgoD0oToa8C07RmxyFVAYAg6PXtHYKb93I9XMZJYQ5RhBP0SfQIK3hP6ooXOxzFiYRLEzdrh+sQ+FkCOVmXU1tyo/R+3is6Ob2Mez/kfN2zQQpiXNPAJYfJr+mMk/uHI0bCe1jhobTmGuAnH7hD0xQsNeHtouv+fJ3oewfQ/2FgkYG4FSCPHe/OGrHQaogjgHgb9fEFM4C5lESWu9s3c+JswBvV6di2Kk9GAdjztwnRR5LSaA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uADSk/YEH0bKRtFSXGyBDh/MNSMMn77ep2D7Q5g/XgQ=; b=jKdHOrqMOoYqDq3EF24I+CzoFDWzjyHD0VddRVzZABge+5lcbopCK7JtWIpgZpBTm+0ZSpHzAfGqr94l59yMWm6TNDwlVRoXSBzNExKYryFex7JKFonN497PQLiVvfl8P83IWl8mpuKhMQkRgEwwYQc0TCgjAbqTid4ntbt9rPEkBTR+ienMl+OYEe1uE0W2B7cmEy7KXZ8IxAINUzCD8UYL59bNCeTuoBiOEL8VxfB52GNdIVWLmIdeQ7TXsi6umFuqKqZN7VOvWV3RRlwrUmt9SdKIUF4fYIBhf3h8ZnJLVqNPhsXf3xSMgJxTHCE50U9hwKufSDd/yNzMn7CKRA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotmaxx.de; dmarc=pass action=none header.from=iotmaxx.de; dkim=pass header.d=iotmaxx.de; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotmaxx.onmicrosoft.com; s=selector1-iotmaxx-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uADSk/YEH0bKRtFSXGyBDh/MNSMMn77ep2D7Q5g/XgQ=; b=ecuycgfUVy+kk6bMRNfrHy5nOtifeR2hc3c64HdVJXQlTDqFCRmGEOsHzZa/OjE7YQWZdBbWCngfqUawBOh6JdZWuY9Fth72L9Ri7hFKJpuHUIxTh1BA9Bb9hDiAvZdTsIFN1vmmkPo6VIK0Z7FeCAwZ6TYJ2MgFaOT7qE+JBIJLmYa5OfZM85kZTqzMXiJZ60vf+UmUFy5gWPMNNIM/vCAnNfi8iltMpWAA/byURsrNy6p5AVVQU9pFLbCy5mGQ/dnJuN1lnzjBGy6tUNlJqgll2nwUU6DoUXtqpPAcSdgm8XTIC8hd2it4lR6k38gnogHh+HnoRfu90UkQCjJGsg== Received: from BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM (2603:10a6:b10:64::12) by FRYP281MB0285.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:4::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8792.34; Tue, 3 Jun 2025 15:42:13 +0000 Received: from BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM ([fe80::9ab0:1ca2:379f:bde9]) by BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM ([fe80::9ab0:1ca2:379f:bde9%5]) with mapi id 15.20.8792.033; Tue, 3 Jun 2025 15:42:13 +0000 From: Ralf Glaser To: "ptxdist@pengutronix.de" Thread-Topic: creating a valid SPDX-SBOM Thread-Index: AQHb1JaSRnc8hd7iI0OKSTJb/b/lPQ== Date: Tue, 3 Jun 2025 15:42:13 +0000 Message-ID: Accept-Language: de-DE, en-US Content-Language: de-DE X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=iotmaxx.de; x-ms-publictraffictype: Email x-ms-traffictypediagnostic: BEZP281MB3361:EE_|FRYP281MB0285:EE_ x-ms-office365-filtering-correlation-id: 5f179e2d-6e95-48d0-70f5-08dda2b535e4 x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; ARA:13230040|366016|376014|1800799024|38070700018; x-microsoft-antispam-message-info: =?iso-8859-1?Q?ZGqZDoIIFhhHD/tQ1uyLK8KiQF9xaWB33BNmOMxzQ0Xo8/eDXGga/SqgIr?= =?iso-8859-1?Q?Yeym873jRBeRRgSII4MsmfDcil04JL20V63meSxOOIPqGkECBwhdZHN1+g?= =?iso-8859-1?Q?4Ch05eK5Ezic8MTKKnvEoeC4U30zrU2J1tYpml3PTkLEV+gnXYXJnGIIHj?= =?iso-8859-1?Q?22Jadj1T7T1D73eSznrxWZnVkhuqKhSEl2Og/6ixZ/0Lu1d9viQeiZhYL2?= =?iso-8859-1?Q?p0VW7jld7prdfljiJvvvx20L2tSAZJuQxeTpYAdTuhkFQrENlauyyGLwTG?= =?iso-8859-1?Q?9FakLPHcrGX3wGdEq4lt5QqLeG5gmwgYR9+KlPmrrZN+4DMFnbYqMTKPua?= =?iso-8859-1?Q?y+oRqpa4N7MlQznK0qQvzgvs4ypxon0cTUdN5Bbx2A7JRA9pfKj9Orpq2E?= =?iso-8859-1?Q?FlGMafc7+1XOOZXOaNejbDgUZ4+slViwcIyjmoPRPanvQZ68yJK4gC2hNo?= =?iso-8859-1?Q?htqIW3kqQOqtf4WWQiXlmef1FmB35gEVPNRuGBaS1AcLz29sFxRrJ1N1sm?= =?iso-8859-1?Q?mPteiV64fO/6Ih+Yb4OQsA8+/QiMqQqnpYviCQXNPK+we2wCUlF5nIbBB0?= =?iso-8859-1?Q?ca8FmqNc2bUs7zbXzN/nemzl4QNaurlaG8YfiZBW8w0O5pHq5MKiG9NPDY?= =?iso-8859-1?Q?GwykvlvYF20yIXn/vOTJtS0DB0+nDkjnAHcjsIurHILGG4MhyefXlrDWCw?= =?iso-8859-1?Q?jmRCCZD42KXycl5O9wcuDRGZpJeqM5u9HUYKZ8oqZ5nB8R24n17MRy4VTT?= =?iso-8859-1?Q?uE0q2BoUlvll3veDmYsd2els4FV9KCmKpUqf2oLf8mCGcyjRPSfn2PcXcV?= =?iso-8859-1?Q?t4tyq3WCP2IK5eth64H/sWOB0VwHjZrberx9aEREbrmnuJBE0YG8lJ9rHF?= =?iso-8859-1?Q?FrToaJTl5AH+JbUwLwsql1KmBn/MswaaVM2Eo9F8iMOmFmuL3Uoszdek16?= =?iso-8859-1?Q?mXRKPAylEKrL0PZDeQ/6qlnOH9EL92KBXHBg3DkYqbNrcHNF62P/Oyg50J?= =?iso-8859-1?Q?jpJX6Sg6HuE/ukfkBnK2xK9KvGt8zJ7jBY/p71NvBXsBnn20OhGmJrSPxW?= =?iso-8859-1?Q?V4+hPSQEpHITenx9kEyAdYVuQ9YqxBaCE+s7P9PvqcgbfwNQeURd1QHh8/?= =?iso-8859-1?Q?1AHSouQ9ms3CttTYSff80kTTJLoQVgVCPeI17hE4byRSsWAtjj4KM/TZzY?= =?iso-8859-1?Q?ZpvOhWRc8eWytbSFxZszCkLfCI9dx7DQfAIpDNeWDqf82YYR4BLoTt5Q4d?= =?iso-8859-1?Q?Vu9N4Vrf1a2zC72uZOwsCat4atbJZDvzBPMqiNU47OrLoIIhd73K97+arj?= =?iso-8859-1?Q?RfoGB0UZ78afLgI1VZTd+JTFWHngPTYh5izbA6DXwvaEQB5qdKP4n7tGua?= =?iso-8859-1?Q?BdhJ8CIa/kS3HW5kbtKELr7r0qBo/EnN4dkPuK4TjdOOK5e9E1G+P7k6mL?= =?iso-8859-1?Q?+wPtu7zb7q59PcFPcP9ezpVplSGfwFb1MIbvacXyGJNoSk40DfmgUHof3D?= =?iso-8859-1?Q?Q=3D?= x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230040)(366016)(376014)(1800799024)(38070700018); DIR:OUT; SFP:1102; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?iso-8859-1?Q?68tCn2KkhJBkQjerc+wxUIssW3GBKR9f0Zb1bnIO7hTJZ9JEYNsU4CscCn?= =?iso-8859-1?Q?O3kZ33rVHGG9HvdOqbvX5ZIo2USTnPd/Yty6Nnxi+ufGHs66X43brNlNQZ?= =?iso-8859-1?Q?ALZGUEshkSVs/T46C1oWa/jsBFDFBuTsDOygstiB288fRWrkxQcvizLIxU?= =?iso-8859-1?Q?wwN7olIbcr03rZ6q9mViYiIlx7MNFPzdHL9yf5Bx4yZ7InkIJEh1YbQ2j1?= =?iso-8859-1?Q?WXkyk/RQJuK/+qKuh4Smdgc2noQhBN4tqSuGyWFspfWto/q0SFD2JREpSB?= =?iso-8859-1?Q?yuQxoD88nhdE6kJu1i3GqhisKJSj0qcgzR+fXBgzH6AKZZTKu5kFMjRaii?= =?iso-8859-1?Q?3kdzzDUnqFpCScyTy/2ExJLbksiZ4CkzNyaP19cB+YJTff69R1HdUnC1PL?= =?iso-8859-1?Q?GzO7UqWAbFfB/2POBb/AdZFzifzB2sYpf97Z/1IkCeA1je5ckbByHt+mt4?= =?iso-8859-1?Q?4vROJP3ruJWMHR2gfr12Sri6XKq3NJ3k0R83p/iPkS2jFIZEE9VgUUVp+O?= =?iso-8859-1?Q?6T3bc/eE+DT9f2X1zqw5DDMTySl0IT6BTOecCXZTZk3kOoODiaUAgUKHn2?= =?iso-8859-1?Q?AAbLrGfIaQJZ0lo+yFdA03A2UjYH/UMteTOkTIJMutGdEI+sxIblc9Q6Fl?= =?iso-8859-1?Q?NuUqXO7kRSqARzTeaXPJrTKpggKic+kMn+AT9twiLY7t7U4EQ9Ts2lcKpg?= =?iso-8859-1?Q?HwNYoi1zX26ea8KL9gaIQOoH064aBqdvmG7jZE7FEVRKjFO6AD+AAmqabg?= =?iso-8859-1?Q?3JJEX26XJR7g6lw0IgIZzbR/gu8+zn46M8bqvxkdShYMEJdprNtYMTuTao?= =?iso-8859-1?Q?6F8aocIeF1cbJd+ONZUXMHwOnJc2Bltpcj8MLq6+JNwUB3ljWhMpKnqq8y?= =?iso-8859-1?Q?m2MSgunSiSZdvCFl8uOQYxhy+yJ3DY3icMUuW0q4A6ohxKfcuWC62mVlz3?= =?iso-8859-1?Q?E9xc2dZOc4A4Rj4Oux43yEvTXJa6wNXD9kESvLgicFQ7XodE8m3aQLmZ/N?= =?iso-8859-1?Q?EEKc6+DTz0wxTZY0Q95Q21qRE2kYgCRcLpwq1eKuHfIV3AfBxQlB8DujmN?= =?iso-8859-1?Q?3yq3OufEj0smrIHwg6N5LspEUf1ROnewxx4JkymzYST0ifXI/V6CsWXdY6?= =?iso-8859-1?Q?Zvm7evN+TTuL5qQPkzZmbb9wZ/Qzo+RYT3GEP9cLiaZbPbc514CmZcS5nw?= =?iso-8859-1?Q?hOSh08m1sJyXHjIDjMlbohzDYcKfGNltnffKBSaw7a32PRoDzYxDC0q+SZ?= =?iso-8859-1?Q?8USs7I1t3MwIGdp7JMCusNGqnhLtFCvZq/cA4YRjPfZnwOUn/BCGEXH7vX?= =?iso-8859-1?Q?W6W/4/4PQivy4FYQalPHKInY6C7OG8+m6XS4qQlWaSptv3rdgtKoZ9rYe8?= =?iso-8859-1?Q?lBy6aKejS3pHoGlXUWSI++jFQi55yzw6VHlHfi0Hc6ytnn7Vi1aVdLf4fO?= =?iso-8859-1?Q?uqzC2BTRcHuthpxknjoOZllu8ZjoWbGS17h5nOfgffz+WVobS5x5LEHtEl?= =?iso-8859-1?Q?rqCOR/PTnkfvyMwUlVwebb0aOMMFyrXQMaB8IoekmHxdx9VNneXL8xy7OA?= =?iso-8859-1?Q?qFGPVeB1o3PwUKwRG3gt/MdYAxpYD43LJg8f1VWhGfM8uGtCGdSKGvcELK?= =?iso-8859-1?Q?sepBtyK642hHQ=3D?= Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: iotmaxx.de X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-Network-Message-Id: 5f179e2d-6e95-48d0-70f5-08dda2b535e4 X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jun 2025 15:42:13.2833 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: a87713f9-2dd4-4b97-bace-ad3bca53b833 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: qX5d3XqPb1VAgTOktCJGhNlFG1W7dmtrMuLrqJiHAWKHx9ZiOBdZxsePnhxxmXyNR8f1aDhKBdQML373y7o/Rw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: FRYP281MB0285 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.whiteo.stw.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-101.9 required=4.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS, USER_IN_WELCOMELIST,USER_IN_WHITELIST autolearn=ham autolearn_force=no version=3.4.2 Subject: [ptxdist] creating a valid SPDX-SBOM X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.whiteo.stw.pengutronix.de); SAEximRunCond expanded to false My current goal is to use ptxdist to create a SPDX-SBOM that is recognized = by https://tools.spdx.org/app/validate/=A0as valid.=0A= I have already sent patches to remedy the demands of spdx.org that go beyon= d the JSON schema. Now I'm trying to figure out =A0how to handle not SPDX r= ecognized licenses:=0A= =0A= public_domain=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= - no license file to copy from=0A= - set to NOASSERTION seems inaccurate=0A= option: create a LicenseRef-PublicDomain which is added and referenced whe= never a public_domain licenses package is included and add some clever text= for it (proposals welcome)=0A= =0A= unknown=0A= =3D=3D=3D=3D=3D=3D=0A= This is uses ambiguously in the ptxdist rules and could mean:=0A= - "unknown": setting it to NOASSERTION seems accurate then=0A= - "for some reason i did not specify the correct license": setting it to NO= ASSERTION would hide this=0A= option: set to NOASSERTION but issue a warning, possibly find a term that s= ays 'NOASSERTION is what i really want' to get rid of the warnings=0A= =0A= other licenses=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= This is the tricky one.=0A= option: use an additional variable like _LICENSE_FILES_NONSPDX which = contains the usual file://SOMEFILE;md5=3Dabcd syntax and is concatenated to= _LICENSE_FILES so nothing breaks and pick this up later to create a s= et of LicenseRef--# licenses that can be referenced by the package. Se= ems like an ugly hack though...=0A= =0A= Best regards,=0A= Ralf=0A= =0A= =0A=