* [ptxdist] creating a valid SPDX-SBOM
@ 2025-06-03 15:42 Ralf Glaser
From: Ralf Glaser @ 2025-06-03 15:42 UTC (permalink / raw)
To: ptxdist
My current goal is to use ptxdist to create a SPDX-SBOM that is recognized by https://tools.spdx.org/app/validate/ as valid.
I have already sent patches to remedy the demands of spdx.org that go beyond the JSON schema. Now I'm trying to figure out how to handle licenses not recognized by SPDX:
public_domain
=============
- no license file to copy from
- set to NOASSERTION seems inaccurate
option: create a LicenseRef-PublicDomain which is added and referenced whenever a public_domain-licensed package is included and add some clever text for it (proposals welcome)
unknown
=======
This is used ambiguously in the ptxdist rules and could mean:
- "unknown": setting it to NOASSERTION seems accurate then
- "for some reason I did not specify the correct license": setting it to NOASSERTION would hide this
option: set to NOASSERTION but issue a warning, possibly find a term that says 'NOASSERTION is what I really want' to get rid of the warnings
other licenses
==============
This is the tricky one.
option: use an additional variable like <pkg>_LICENSE_FILES_NONSPDX which contains the usual file://SOMEFILE;md5=abcd syntax and is concatenated to <pkg>_LICENSE_FILES so nothing breaks and pick this up later to create a set of LicenseRef-<pkg>-# licenses that can be referenced by the package. Seems like an ugly hack though...
Best regards,
Ralf
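An added sketch (not ptxdist code, and not from the post) of the three mappings proposed above: public_domain becomes a shared LicenseRef, unknown becomes NOASSERTION with a warning, and a non-SPDX license with a file://...;md5= spec becomes per-package LicenseRef-<pkg>-# entries whose text is only accepted when the md5 matches. The SPDX list lookup, the function names and the _NONSPDX file handling are assumptions for illustration.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the SPDX license list; a real generator would
# check against the full list that the spdx.org validator uses.
KNOWN_SPDX_IDS = {"MIT", "GPL-2.0-only", "GPL-2.0-or-later", "BSD-3-Clause"}
PUBLIC_DOMAIN_REF = "LicenseRef-PublicDomain"
PUBLIC_DOMAIN_TEXT = "Upstream places this work in the public domain (no SPDX list entry)."


def parse_license_files(spec: str) -> List[Tuple[str, str]]:
    """Split 'file://COPYING;md5=<32 hex> file://X;md5=...' into (path, md5) pairs."""
    pairs = []
    for token in spec.split():
        m = re.fullmatch(r"file://([^;]+);md5=([0-9a-fA-F]{32})", token)
        if not m:
            raise ValueError(f"malformed license file spec: {token}")
        pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def spdx_for_package(pkg: str, ptx_license: str, nonspdx_spec: str,
                     file_texts: Dict[str, bytes]):
    """Return (SPDX license expression, hasExtractedLicensingInfos entries, warnings).
    file_texts maps each path named in nonspdx_spec to the license file content."""
    extracted, warnings = [], []
    if ptx_license == "public_domain":
        extracted.append({"licenseId": PUBLIC_DOMAIN_REF, "extractedText": PUBLIC_DOMAIN_TEXT})
        return PUBLIC_DOMAIN_REF, extracted, warnings
    if ptx_license == "unknown":
        warnings.append(f"{pkg}: license 'unknown' emitted as NOASSERTION")
        return "NOASSERTION", extracted, warnings
    if ptx_license in KNOWN_SPDX_IDS:
        return ptx_license, extracted, warnings
    # LicenseRef idstrings allow only letters, digits, '.' and '-'.
    safe_pkg = re.sub(r"[^A-Za-z0-9.-]", "-", pkg)
    refs = []
    for n, (path, md5) in enumerate(parse_license_files(nonspdx_spec), start=1):
        text = file_texts.get(path)
        if text is None:
            raise ValueError(f"{pkg}: license file {path} not available")
        if hashlib.md5(text).hexdigest() != md5:
            raise ValueError(f"{pkg}: md5 mismatch for {path}, license text changed")
        ref = f"LicenseRef-{safe_pkg}-{n}"
        refs.append(ref)
        extracted.append({"licenseId": ref, "extractedText": text.decode("utf-8")})
    if not refs:
        warnings.append(f"{pkg}: non-SPDX license '{ptx_license}' without license files")
        return "NOASSERTION", extracted, warnings
    return " AND ".join(refs), extracted, warnings
```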