Technical Team/Ideas for After 1.0 of Spec

From SPDX Wiki
Jump to: navigation, search

This is a placeholder for tabling items that are not going to make it into first version but we want to discuss further for subsequent versions of the spec.

  • Create a version of the specification that can be included inside a package.   Note the problem is that the uniquie ID of the package (SHA1) field has to be taken over the entire package, and if the analysis is part of it, we can't include the SHA1 of the package. (requested by package creators, to carry forward with package, keep accurate).
  • Incorporate an optional MD5 checksum field at package level to permit correllation to other existing analysis of a package (requested for consideration by Bill S.)
  • Further simplification of RDF - make more human writable friendly.  (requested for consideration by Kate S.)
  • In detected licenses, consider adding counts per license (requested by Bill S.)
  • == Brought up during 7/22 meeting ==
  • How to detect licenses where synonyms are used in licenses; "package" instead of "software", for example. Can this be handled by templating? British vs. English spelling, too!
  • How do we want to deal with JAR files? They can contain dependency info, licenses, etc - and how do they relate to their source files?
  • How to deal with the case where the license is NOT part of the distribution, but is (for example) on the project web site.
  • Variations of licenses - BSD and MIT