On 6 June 2011 11:45, James Westby james.westby@canonical.com wrote:
Hi,
Apologies for asking you directly what could probably be looked up, but the spec isn't very easy to digest.
On Thu, 2 Jun 2011 16:59:46 -0500, Zach Pfeffer zach.pfeffer@linaro.org wrote:
PackageName: linux-linaro-omap 2.6.38-1002.3 #https://launchpad.net/ubuntu/+source/linux-linaro-omap
PackageDownloadLocation: https://launchpad.net/ubuntu/+archive/primary/+files/linux-linaro-omap_2.6.3...
This isn't the full source that was built. The source package has three parts. Can we link to three things here? If we can only link to one it should probably be the .dsc which is the description for the whole thing.
For reference:
http://www.spdx.org/system/files/spdx-draft20110516_0.pdf
Right now the spec has this as:
4.3.3 Cardinality: Mandatory, one.
Kate would have to comment if this could change to:
4.3.3 Cardinality: Mandatory, one or more.
SourceInfo: uses Linux v2.6.38.1
SourceInfo: uses linaro-linux-2.6.38-upstream-29Mar2011
SourceInfo: uses (fill in patch1)
SourceInfo: uses (fill in patch2)
SourceInfo: uses (fill in patch3)
What are the constraints on what we put here? What's the use for it?
The spec says:
4.6 Source Information
4.6.1 Purpose: This is a free form text field that contains additional comments about the origin of the package. For instance, this field might include comments indicating whether the package has been pulled from a source code management system or has been repackaged.
4.6.2 Intent: Here, by providing a freeform field, reviewers can provide any additional information to describe any anomalies, or discoveries, in the determination of the origin of the package.
4.6.3 Cardinality: Optional, one
4.6.4 Data Format: single line of free form text
4.6.5 Tag: SourceInfo
Example: SourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
What's listed here seems fairly tricky to produce automatically.
What part do you think would be tricky?
FileName: file1
FileName: file2
FileName: file3
FileChecksum: SHA1: calculated
This is all the files in the source?
Yeah.
Creator: Person: Zach Pfeffer (zach.pfeffer@linaro.org)
What option do we have here? Given this is going to be produced automatically, I'm not sure we should blame you for all of the mistakes.
Ha! This is just the Creator of the SPDX file. It will probably become the PoC. Kate, is there a specific field for "ask this person questions about the package"? Perhaps we need
SpdxCreator: Person: Zach Pfeffer (zach.pfeffer@linaro.org)
PackageCreator: Person: Not Zach Pfeffer :)
;-)
PackageLicenseDeclared: GPL-2.0
Is this a single-choice field? Does it cover source or binary?
You link all the licenses together with ANDs and ORs. Looks like it covers both, Kate?
PackageVerificationCode: (fill in SHA1 of all source files)
SHA1 of all source calculated how?
4.5.4 Algorithm:
    verificationcode = 0
    filelist = “”
    for all files in package {
        if file is an “excludes” file, skip it /* exclude SPDX analysis file itself */
        append filelist with “SHA1(file) || string(file)”
    }
    sort filelist in ascending order by SHA1 value
    verificationcode = SHA1(filelist)
LicenseConcluded: GPL-2.0
From the spec:
The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.
I think this is where the lawyer would say, this is the license.
LicenseInfoFromFiles: GPL-2.0
This is a field that has all the licenses found in the package.
What do these mean?
Thanks,
James
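The verification-code algorithm quoted from draft section 4.5.4 above, together with the FileName/FileChecksum lines Zach's sample shows, implemented as an added example. This is not code from the thread, from Linaro, or from any SPDX tool: the file tree is a constructed in-memory mapping so it runs offline, the sample paths and contents are invented, and the "(excludes: ...)" suffix on the PackageVerificationCode line is an assumption borrowed from the format the SPDX 1.0 release later settled on rather than something the quoted draft specifies. The algorithm itself follows the draft text literally, including appending the file name after each SHA1; later SPDX releases hash only the concatenated, sorted checksums, so a code produced by this block will not match a code produced by a 1.0-conformant tool for the same tree.

```python
"""Added example: SPDX PackageVerificationCode and per-file checksums.

Follows the draft 20110516 section 4.5.4 algorithm quoted in the thread:
each non-excluded file contributes "SHA1(file) || string(file)", the entries
are sorted ascending by SHA1, and the code is SHA1 of the concatenation.
Files are modelled as an in-memory mapping so the example runs offline.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed sample "source package": path -> file contents (not a real tree).
# The .spdx file is the analysis file itself and must be excluded from its
# own verification code, otherwise the code changes every time it is written.
SAMPLE_FILES: Dict[str, bytes] = {
    "COPYING": b"abc",                 # SHA1("abc") is the FIPS 180 test vector
    "Makefile": b"all:\n\t$(MAKE) -C kernel\n",
    "kernel/sched.c": b"/* constructed placeholder source */\n",
    "debian/changelog": b"linux-linaro-omap (2.6.38-1002.3) natty; urgency=low\n",
    "package.spdx": b"SPDXVersion: SPDX-1.0\n",
}


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest, the per-file checksum algorithm the draft mandates."""
    return hashlib.sha1(data).hexdigest()


def file_checksums(files: Dict[str, bytes],
                   excludes: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """(sha1, path) for every file not listed in excludes, in input order."""
    excluded = set(excludes)
    return [(sha1_hex(content), path)
            for path, content in files.items() if path not in excluded]


def verification_code(files: Dict[str, bytes],
                      excludes: Iterable[str] = ()) -> str:
    """PackageVerificationCode per draft 4.5.4.

    The result depends only on the set of (checksum, name) pairs, not on the
    order the files were visited, because entries are sorted by SHA1 first.
    """
    entries = sorted(file_checksums(files, excludes), key=lambda e: e[0])
    # "SHA1(file) || string(file)" for each entry, concatenated in sorted order
    filelist = "".join(digest + path for digest, path in entries)
    return sha1_hex(filelist.encode("utf-8"))


def spdx_file_lines(files: Dict[str, bytes],
                    excludes: Iterable[str] = ()) -> List[str]:
    """Tag/value lines in the shape the thread shows: FileName then FileChecksum."""
    lines: List[str] = []
    for digest, path in sorted(file_checksums(files, excludes), key=lambda e: e[1]):
        lines.append(f"FileName: {path}")
        lines.append(f"FileChecksum: SHA1: {digest}")
    return lines


def spdx_package_lines(files: Dict[str, bytes], spdx_file: str) -> List[str]:
    """PackageVerificationCode line followed by the per-file lines.

    The "(excludes: ...)" suffix is an assumption taken from the later SPDX 1.0
    format; the draft quoted in the thread only says the analysis file is skipped.
    """
    code = verification_code(files, excludes=[spdx_file])
    return ([f"PackageVerificationCode: {code} (excludes: {spdx_file})"]
            + spdx_file_lines(files, excludes=[spdx_file]))


if __name__ == "__main__":
    for line in spdx_package_lines(SAMPLE_FILES, "package.spdx"):
        print(line)
```

Two properties are worth checking whenever this is wired into a build: rewriting the excluded .spdx file must not change the code, and any byte change in a non-excluded file must. Note that the code is only as strong as SHA-1; it detects an accidentally altered tree, but SHA-1 collisions have been demonstrated since, so it is not a substitute for a signature over the package.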