From: Michael Olbrich <m.olbrich@pengutronix.de>
To: Ralf Glaser <glaser@iotmaxx.de>
Cc: "ptxdist@pengutronix.de" <ptxdist@pengutronix.de>
Subject: Re: [ptxdist] creating a valid SPDX-SBOM
Date: Fri, 27 Jun 2025 08:56:51 +0200
Message-ID: <aF5As3SrHbAY_TbS@pengutronix.de>
In-Reply-To: <BEZP281MB33612D7F1BD7C9B60A9B1DF9A56DA@BEZP281MB3361.DEUP281.PROD.OUTLOOK.COM>
On Tue, Jun 03, 2025 at 03:42:13PM +0000, Ralf Glaser wrote:
> My current goal is to use ptxdist to create a SPDX-SBOM that is
> recognized by https://tools.spdx.org/app/validate/ as valid.
> I have already sent patches to remedy the demands of spdx.org that go
> beyond the JSON schema. Now I'm trying to figure out how to handle
> licenses not recognized by SPDX:
>
> public_domain
> =============
> - no license file to copy from
> - set to NOASSERTION seems inaccurate
> option: create a LicenseRef-PublicDomain which is added and referenced
> whenever a public_domain licensed package is included and add some clever
> text for it (proposals welcome)
Hmm, do you know how this is handled elsewhere?
> unknown
> =======
> This is used ambiguously in the ptxdist rules and could mean:
> - "unknown": setting it to NOASSERTION seems accurate then
> - "for some reason I did not specify the correct license": setting it to
> NOASSERTION would hide this
> option: set to NOASSERTION but issue a warning, possibly find a term that
> says 'NOASSERTION is what I really want' to get rid of the warnings
'unknown' means nobody looked at the package. So the correct thing is
always to check the source and set the correct identifier or expression.
> other licenses
> ==============
> This is the tricky one.
> option: use an additional variable like <pkg>_LICENSE_FILES_NONSPDX
> which contains the usual file://SOMEFILE;md5=abcd syntax and is
> concatenated to <pkg>_LICENSE_FILES so nothing breaks and pick this up
> later to create a set of LicenseRef-<pkg>-# licenses that can be
> referenced by the package. Seems like an ugly hack though...
So something that I've been thinking about but would be quite a bit of work
is this:
For each file in _LICENSE_FILES, allow '...;license=something'. If that
'something' is not a valid SPDX identifier we can create a LicenseRef-.
With that, we just need a file that matches any unknown license.
That would help in other ways as well. E.g. we could validate that we have
the text for each license specified in _LICENSE.
For some packages that would be trivial. For others with license files that
contain a long list of licenses, that would mean splitting the file with
startline=/endline=, so quite a bit more work.
Doing that for all packages would be a lot of work, but we could start with
the ones where it is needed and require it for new packages.
Michael
--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
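The scheme sketched in the reply above (a ';license=' option on each _LICENSE_FILES entry, a generated LicenseRef- for anything that is not an SPDX identifier, and a check that every license named in _LICENSE has a matching text) can be prototyped outside ptxdist to see what it would catch. The following is an added example, not ptxdist code and not a patch from this thread: the stand-in SPDX list, the sample source tree, the package 'acme' and its rule values are all constructed, and the md5 is assumed to cover exactly the startline/endline cut (my assumption, not something the thread states). It also applies the 'unknown' handling discussed above: emit NOASSERTION, but warn.

```python
"""Added example, not ptxdist code: prototype of the ';license=' tag for
<pkg>_LICENSE_FILES.  Each entry resolves to an SPDX identifier or to a
generated LicenseRef-, the recorded md5 is re-checked, and every identifier
in <pkg>_LICENSE must end up with a license text."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Assumption: tiny stand-in for the SPDX license list; a real tool loads it from spdx.org.
KNOWN_SPDX_IDS = {"MIT", "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-or-later", "BSD-3-Clause"}
EXPR_KEYWORDS = {"AND", "OR", "WITH"}
TOKEN_RE = re.compile(r"[A-Za-z0-9.+-]+")

# Constructed sample source tree (path -> content) for a made-up package.
SAMPLE_TREE = {
    "COPYING": "GNU GENERAL PUBLIC LICENSE Version 2, June 1991 (constructed)\n",
    "LICENSES": "Section 1: MIT License text (constructed)\n"
                "Section 2: ACME Widget License, not an SPDX license (constructed)\n",
}


def md5_of(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


@dataclass
class LicenseFile:
    path: str
    md5: str | None = None
    license: str | None = None
    startline: int | None = None
    endline: int | None = None


def parse_entry(entry: str) -> LicenseFile:
    """Parse 'file://PATH;md5=..;license=..;startline=N;endline=M'."""
    entry = entry.strip()
    if not entry.startswith("file://"):
        raise ValueError(f"unsupported entry: {entry}")
    path, *opts = entry[len("file://"):].split(";")
    kv = dict(opt.split("=", 1) for opt in opts if "=" in opt)
    return LicenseFile(path, kv.get("md5"), kv.get("license"),
                       int(kv["startline"]) if "startline" in kv else None,
                       int(kv["endline"]) if "endline" in kv else None)


def license_text(lf: LicenseFile, tree: dict[str, str]) -> str:
    """File content cut to startline/endline (1-based, inclusive); the md5 is
    assumed to cover exactly this cut."""
    lines = tree[lf.path].splitlines(keepends=True)
    start = (lf.startline or 1) - 1
    end = lf.endline if lf.endline is not None else len(lines)
    return "".join(lines[start:end])


def licenseref_id(pkg: str, name: str) -> str:
    """LicenseRef idstrings allow only letters, digits, '.' and '-'."""
    return "LicenseRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{pkg}-{name}")


def is_spdx(token: str) -> bool:
    return token in KNOWN_SPDX_IDS or token == "NOASSERTION" or token.startswith("LicenseRef-")


def normalize_expression(pkg: str, expr: str) -> str:
    """Rewrite non-SPDX names in <pkg>_LICENSE to their LicenseRef- form."""
    def repl(m: re.Match) -> str:
        t = m.group(0)
        return t if t.upper() in EXPR_KEYWORDS or is_spdx(t) else licenseref_id(pkg, t)
    return TOKEN_RE.sub(repl, expr)


def build_license_info(pkg: str, license_expr: str, license_files: list[str],
                       tree: dict[str, str]) -> dict:
    """Resolve every license file and cross-check against <pkg>_LICENSE."""
    info = {"expression": "", "files": [], "extracted": {}, "warnings": []}
    if license_expr == "unknown":
        # 'unknown' means nobody looked: emit NOASSERTION, but loudly.
        license_expr = "NOASSERTION"
        info["warnings"].append(f"{pkg}: license is 'unknown'; check the source and set it")
    info["expression"] = normalize_expression(pkg, license_expr)
    provided: set[str] = set()
    for entry in license_files:
        lf = parse_entry(entry)
        if lf.path not in tree:
            info["warnings"].append(f"{pkg}: {lf.path} not found")
            continue
        text = license_text(lf, tree)
        if lf.md5 and lf.md5 != md5_of(text):
            info["warnings"].append(f"{pkg}: md5 mismatch for {lf.path}; license text changed")
        if lf.license is None:
            info["warnings"].append(f"{pkg}: {lf.path} has no ';license=' tag")
            continue
        ident = lf.license if is_spdx(lf.license) else licenseref_id(pkg, lf.license)
        if ident.startswith("LicenseRef-"):
            info["extracted"][ident] = text  # would become hasExtractedLicensingInfos
        info["files"].append((lf.path, ident))
        provided.add(ident)
    expected = {t for t in TOKEN_RE.findall(info["expression"])
                if t.upper() not in EXPR_KEYWORDS and t != "NOASSERTION"}
    for missing in sorted(expected - provided):
        info["warnings"].append(f"{pkg}: no license text for {missing}")
    for unused in sorted(provided - expected):
        info["warnings"].append(f"{pkg}: {unused} has a text but is not in _LICENSE")
    return info


# Constructed rule values for the made-up package 'acme'; the third entry
# carries a deliberately stale md5 so that check is exercised.
ACME_LICENSE = "GPL-2.0-or-later AND MIT AND acme-widget"
ACME_LICENSE_FILES = [
    f"file://COPYING;md5={md5_of(SAMPLE_TREE['COPYING'])};license=GPL-2.0-or-later",
    f"file://LICENSES;md5={md5_of(SAMPLE_TREE['LICENSES'].splitlines(True)[0])}"
    ";license=MIT;startline=1;endline=1",
    "file://LICENSES;md5=00000000000000000000000000000000;license=acme-widget;startline=2;endline=2",
]

if __name__ == "__main__":
    info = build_license_info("acme", ACME_LICENSE, ACME_LICENSE_FILES, SAMPLE_TREE)
    print("PackageLicenseConcluded:", info["expression"])
    for ident, text in info["extracted"].items():
        print(f"{ident}: {text.strip()!r}")
    for warning in info["warnings"]:
        print("WARNING:", warning)
```

Run stand-alone, the script rewrites the rule's expression to "GPL-2.0-or-later AND MIT AND LicenseRef-acme-acme-widget", collects the second section of LICENSES as the text for that LicenseRef-, and warns about the stale md5. A package whose _LICENSE names an identifier with no matching tagged file gets a "no license text for ..." warning, which is the validation step the reply describes.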