THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Proposals/Rough proposal for provenance, hierarchy and aggregation, and supply chain friendliness in SPDX 2.0

From SPDX Wiki
< Technical Team‎ | Proposals
Revision as of 18:38, 5 December 2011 by Eaw (Talk | contribs)

Jump to: navigation, search

A desire has been expressed to be able to have SPDX be capable of expressing

 

  1. Hiearchy ( package A contains packages B, C, etc)
  2. Authentication ( we can know precisely who said what and when about a package)
  3. How software flows through a supply chain (upstream to packager, through several intermediate vendors to consumer)

A rough example of this thought is shown in the diagram below, showing how the coreutils package might be represented:

 <img src="http://spdx.org/system/files/spdxdoodle.jpg" alt="" width="586" height="372" />