
List:       debian-devel
Subject:    debian/copyright format and SPDX
From:       Hideki Yamane <henrich () iijmio-mail ! jp>
Date:       2023-09-08 6:51:09
Message-ID: 20230908120909.27919773e0a19de7a62194db () iijmio-mail ! jp


 tl;dr: How about considering updating debian/copyright format to have
        more compatibility with SPDX format


 SBOMs are expected to be used widely, and several tools support them as a trend
 now, since the US government asks to use them. There are two formats for it,
 Software Package Data Exchange (SPDX) and CycloneDX.

 SPDX is led by the Linux Foundation project OpenChain for license
 compliance. And CycloneDX is developed by the Open Web Application Security
 Project (OWASP), so it is intended to be used to track vulnerabilities, IMO.


 Well, as I said above, several tools support SPDX and CycloneDX now and
 continue to expand, so I consider it'd be better if debian/copyright
 had more compatibility with them, especially SPDX. It would be easier
 to handle debian/copyright data with tools that are outside of Debian.


 Making an appropriate debian/copyright file is a hard and boring task, IMHO,
 but if non-Debian people can also help with it, it would be easier to fix.


 Any ideas?


-- 
Hideki Yamane <henrich@iijmio-mail.jp>
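The kind of tooling the proposal above would make easier, as an added example that is not part of the original mail and not Debian's own code: a small parser for the machine-readable debian/copyright format (DEP-5, copyright-format 1.0) that maps the license short names used in Debian (GPL-2+, Expat, BSD-3-clause) onto SPDX license identifiers and emits SPDX tag-value fragments. The mapping table is a constructed subset of the real one, the sample copyright file is constructed, and unmapped short names are emitted as SPDX `LicenseRef-` identifiers rather than silently guessed, so the gaps that make DEP-5 and SPDX differ stay visible in the output.

```python
import re

# Constructed subset of the DEP-5 -> SPDX license-identifier mapping.
# Keys are lower-cased because DEP-5 short names are matched case-insensitively here.
DEP5_TO_SPDX = {
    "expat": "MIT",
    "gpl-2": "GPL-2.0-only",
    "gpl-2+": "GPL-2.0-or-later",
    "gpl-3": "GPL-3.0-only",
    "gpl-3+": "GPL-3.0-or-later",
    "lgpl-2.1": "LGPL-2.1-only",
    "lgpl-2.1+": "LGPL-2.1-or-later",
    "bsd-3-clause": "BSD-3-Clause",
    "apache-2.0": "Apache-2.0",
}


def parse_dep5(text):
    """Split a DEP-5 file into paragraphs, each a dict of field -> value.
    Paragraphs are separated by blank lines; continuation lines start with
    whitespace, and a lone '.' on a continuation line stands for an empty line."""
    paragraphs, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            cont = line.strip()
            current[last_field] += "\n" + ("" if cont == "." else cont)
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def dep5_license_to_spdx(expr):
    """Translate a DEP-5 License short-name expression ('GPL-2+ or Expat') into
    an SPDX expression. 'with' exception clauses need their own exception table
    and are rejected here; unknown names become LicenseRef-* so the gap is visible."""
    out = []
    for tok in expr.split():
        low = tok.lower()
        if low == "with":
            raise ValueError("exception clauses are not handled by this constructed subset")
        if low in ("and", "or"):
            out.append(low.upper())
        elif low in DEP5_TO_SPDX:
            out.append(DEP5_TO_SPDX[low])
        else:
            # SPDX LicenseRef ids may only contain letters, digits, '.' and '-'
            out.append("LicenseRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", tok))
    return " ".join(out)


def dep5_to_spdx_files(text):
    """Return (file-glob, spdx-expression, copyright) for every Files paragraph.
    Note the mismatch this exposes: DEP-5 Files holds globs, while SPDX FileName
    expects concrete file names, so a real converter must expand the globs."""
    rows = []
    for para in parse_dep5(text):
        if "Files" not in para:
            continue  # header paragraph or standalone License paragraph
        short_name = para["License"].split("\n")[0]  # first line is the short name
        spdx = dep5_license_to_spdx(short_name)
        holder = " ".join(para.get("Copyright", "").split("\n"))
        for glob in para["Files"].split():
            rows.append((glob, spdx, holder))
    return rows


def render_spdx_tag_value(rows):
    """Emit a minimal SPDX 2.x tag-value fragment for the mapped rows."""
    lines = []
    for glob, spdx, holder in rows:
        lines.append(f"FileName: {glob}")
        lines.append(f"LicenseConcluded: {spdx}")
        lines.append(f"FileCopyrightText: <text>{holder}</text>")
        lines.append("")
    return "\n".join(lines)


# Constructed sample debian/copyright file (not from any real package).
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: example
Source: https://example.invalid/example

Files: *
Copyright: 2020-2023 Example Upstream Authors
License: GPL-2+

Files: src/vendor/*
Copyright: 2015 Someone Else
License: Expat

Files: debian/*
Copyright: 2023 Example Maintainer <maintainer@example.invalid>
License: GPL-2+ or Apache-2.0

License: GPL-2+
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2 of the License, or
 (at your option) any later version.
 .
 On Debian systems, the full text of the GNU General Public License
 version 2 can be found in /usr/share/common-licenses/GPL-2.
"""

if __name__ == "__main__":
    print(render_spdx_tag_value(dep5_to_spdx_files(SAMPLE)))
```

Running the block prints three SPDX file entries; the interesting cases for anyone pursuing the proposal are the ones this code refuses to paper over: "or" becomes an SPDX OR expression, a short name missing from the table becomes a LicenseRef, and "with" exception clauses need a separate exception mapping.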

