Technical Team/Minutes/2015-07-21

From SPDX Wiki
Jump to: navigation, search

July 21, 2015

Attendees

  • Gary O'Neall
  • Kate Stewart
  • Hassib Khanafer
  • Bill Schineller
  • Scott Sterling
  • Yev Bronshteyn
  • Mark Gisi

Package External Identifiers

  • Motivation: allows easy reference to other package metadata by referring to other identifiers
  • Added CPE - Vulnerability information from NIST
  • Proposal Google docs at: https://docs.google.com/document/d/1j6LWnkh5GbMV9Xo5_zJ0wTNLROEIa4o1OU279YueI90/edit
  • Should this be a field at a file level as well?
    • Could be handled as a package relationship from the file and have the file contain the external identifier
    • Would be simpler to have the field at the file level
    • Discussion on the relationship between package external identifiers, artifactOf, and external packages
    • Agreed that we would have this be a package level definition for now - a file level external identifier would make sense, but would be a separate proposal
  • Discussion on whether we include CPE or include that in a separate?
    • Table the discussion until after the security proposal
    • There may be a separate security section
  • Should it be package identifier or something more generic (e.g. external identifier)?
  • Should it only refer to source code locations or should it be more general?
    • Agree to have general references (need to take into account security which will be discussed after the security proposal)
  • Should we replace the "/" with something more distinct (e.g. double colon "::")
  • Relationship to other fields need to be defined
    • download location - Example where both download location and external ID
    • home page
  • Bill will update the proposal based on today's discussion