On 6 June 2011 11:45, James Westby <james.wes...@canonical.com> wrote:
> Hi,
>
> Apologies for asking you directly what could probably be looked up, but
> the spec isn't very easy to digest.
>
> On Thu, 2 Jun 2011 16:59:46 -0500, Zach Pfeffer <zach.pfef...@linaro.org> 
> wrote:
>> PackageName: linux-linaro-omap 2.6.38-1002.3
>> #https://launchpad.net/ubuntu/+source/linux-linaro-omap
>> PackageDownloadLocation:
>> https://launchpad.net/ubuntu/+archive/primary/+files/linux-linaro-omap_2.6.38.orig.tar.gz
>
> This isn't the full source that was built. The source package has three
> parts. Can we link to three things here? If we can only link to one it
> should probably be the .dsc which is the description for the whole
> thing.

For reference:

http://www.spdx.org/system/files/spdx-draft20110516_0.pdf

Right now the spec has this as:

4.3.3 Cardinality: Mandatory, one.

Kate would have to comment if this could change to:

4.3.3 Cardinality: Mandatory, one or more.

>> SourceInfo: uses Linux v2.6.38.1
>> SourceInfo: uses linaro-linux-2.6.38-upstream-29Mar2011
>> SourceInfo: uses (fill in patch1)
>> SourceInfo: uses (fill in patch2)
>> SourceInfo: uses (fill in patch3)
>
> What are the constraints on what we put here? What's the use for it?

The spec says:

4.6 Source Information
4.6.1 Purpose: This is a free form text field that contains additional
comments about the origin of the package. For instance, this field
might include comments indicating whether the package has been pulled from
a source code management system or has been repackaged.
4.6.2 Intent: Here, by providing a freeform field, reviewers can
provide any additional information to describe any anomalies, or
discoveries, in the determination of the origin of the package.
4.6.3 Cardinality: Optional, one
4.6.4 Data Format: single line of free form text
4.6.5 Tag: SourceInfo
Example:
SourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.

>
> What's listed here seems fairly tricky to produce automatically.

What part do you think would be tricky?

>
>> FileName: file1
>> FileName: file2
>> FileName: file3
>> FileChecksum: SHA1: calculated
>
> This is all the files in the source?

Yeah.

>
>> Creator: Person: Zach Pfeffer (zach.pfef...@linaro.org)
>
> What option do we have here? Given this is going to be produced
> automatically I'm not sure we should blame you for all of the mistakes

Ha! This is just the Creator of the SPDX file. It will probably become
the PoC. Kate is there a specific field for, ask this person questions
about the package? Perhaps we need

SpdxCreator:  Person: Zach Pfeffer (zach.pfef...@linaro.org)
PackageCreator: Person: Not Zach Pfeffer :)

> ;-)
>
>> PackageLicenseDeclared: GPL-2.0
>
> Is this a single choice field? Does it cover source or binary?

You link all the licenses together with ANDs and ORs. Looks like it
covers both, Kate?

>
>> PackageVerificationCode: (fill in SHA1 of all source files)
>
> SHA1 of all source calculated how?

4.5.4 Algorithm:
verificationcode = 0
filelist = ""
for all files in package {
    if file is an "excludes" file, skip it /* exclude SPDX analysis file itself */
    append filelist with "SHA1(file) || string(file)"
}
sort filelist in ascending order by SHA1 value
verificationcode = SHA1(filelist)

>
>> LicenseConcluded: GPL-2.0

From the spec:

The licensing that the preparer of this SPDX document has concluded,
based on the evidence, actually applies to the package.

I think this is where the lawyer would say, this is the license.

>> LicenseInfoFromFiles: GPL-2.0

This is a field that has all the licenses found in the package.

>
> What do these mean?
>
> Thanks,
>
> James
>

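As an added illustration (not from the thread or the SPDX project), here is the 4.5.4 verification-code pseudocode quoted above carried through in Python over a constructed in-memory package, including the "excludes" step that keeps the SPDX document itself out of the hash. It assumes "||" means plain string concatenation, string(file) is the package-relative path, and SHA1 values are lower-case hex; the later published SPDX spec concatenates only the sorted SHA1 values without file names, so check which variant the consumer expects.

```python
"""SPDX PackageVerificationCode as described by the draft 4.5.4 pseudocode.

Assumptions (not stated in the draft): "||" is string concatenation,
string(file) is the file's package-relative path, SHA1 values are
lower-case hex. Later SPDX releases drop the path from each entry.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple


def file_entries(files: Dict[str, bytes],
                 excludes: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (sha1_hex, path) pairs for every file not in excludes,
    sorted ascending by the SHA1 value so traversal order is irrelevant."""
    skip = set(excludes)
    entries = []
    for path, content in files.items():
        if path in skip:  # e.g. the SPDX analysis file itself
            continue
        entries.append((hashlib.sha1(content).hexdigest(), path))
    entries.sort(key=lambda entry: entry[0])
    return entries


def verification_code(files: Dict[str, bytes],
                      excludes: Iterable[str] = ()) -> str:
    """SHA1 over the concatenated "SHA1(file) || string(file)" entries."""
    filelist = "".join(sha + path for sha, path in file_entries(files, excludes))
    return hashlib.sha1(filelist.encode("utf-8")).hexdigest()


# Constructed sample package contents (not a real source tree).
SAMPLE_FILES = {
    "Makefile": b"all:\n\techo build\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "COPYING": b"GNU GENERAL PUBLIC LICENSE Version 2\n",
    "package.spdx": b"SPDXVersion: SPDX-1.0\n",  # the analysis file itself
}

if __name__ == "__main__":
    print(verification_code(SAMPLE_FILES, excludes=["package.spdx"]))
```

A consumer verifying a package recomputes this value from the shipped files; any added, removed or modified file changes it, while the file traversal order does not.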
_______________________________________________
linaro-dev mailing list
linaro-dev@lists.linaro.org
http://lists.linaro.org/mailman/listinfo/linaro-dev