From SPDX Wiki
July 21, 2015
- Gary O'Neall
- Kate Stewart
- Hassib Khanafer
- Bill Schineller
- Scott Sterling
- Yev Bronshteyn
- Mark Gisi
Package External Identifiers
- Motivation: allows easy reference to other package metadata by referring to other identifiers
- Added CPE - Vulnerability information from NIST
- Proposal Google docs at: https://docs.google.com/document/d/1j6LWnkh5GbMV9Xo5_zJ0wTNLROEIa4o1OU279YueI90/edit
- Should this be a field at a file level as well?
- Could be handled as a package relationship from the file and have the file contain the external identifier
- Would be simpler to have the field at the file level
- Discussion on the relationship between package external identifiers, artifactOf, and external packages
- Agreed that we would have this be a package level definition for now - a file level external identifier would make sense, but would be a separate proposal
- Discussion on whether we include CPE or include that in a separate?
- Table the discussion until after the security proposal
- There may be a separate security section
- Should it be package identifier or something more generic (e.g. external identifier)?
- Should it only refer to source code locations or should it be more general?
- Agree to have general references (need to take into account security which will be discussed after the security proposal)
- Should we replace the "/" with something more distinct (e.g. double colon "::")
- Relationship to other fields need to be defined
- download location - Example where both download location and external ID
- home page
- Bill will update the proposal based on today's discussion