debian/copyright format and SPDX
tl;dr: How about considering updating debian/copyright format to have
more compatibility with SPDX format
SBOM is expected to be used widely and several tools support it as a trend
now, since US government asks to use it. There are two formats for it,
Software Package Data Exchange (SPDX) and CycloneDX.
SPDX is led by the Linux foundation project, OpenChain for license
compliance. And CycloneDX is developed by the Open Web Application Security
Project (OWASP), so it is intended to use track vulnerabilities, IMO.
Well, as I said above, several tools support SPDX and CycloneDX now and
continue to be expanded, so I consider it'd be better if debian/copyright
has more compatibilities with them, especially SPDX. It would be easier
to handle debian/copyright data with tools that are outside of Debian.
Making appropriate debian/copyright file is hard and boring task, IMHO,
but if non-Debian people also can help it, it would be easier to fix it.
Any ideas?
--
Hideki Yamane <henrich@iijmio-mail.jp>
Reply to: