My current goal is to use ptxdist to create a SPDX-SBOM that is recognized by https://tools.spdx.org/app/validate/ as valid. I have already sent patches to remedy the demands of spdx.org that go beyond the JSON schema. Now I'm trying to figure out how to handle licenses that SPDX does not recognize:

public_domain
=============
- no license file to copy from
- set to NOASSERTION seems inaccurate

option: create a LicenseRef-PublicDomain which is added and referenced whenever a public_domain licensed package is included and add some clever text for it (proposals welcome)

unknown
=======
This is used ambiguously in the ptxdist rules and could mean:
- "unknown": setting it to NOASSERTION seems accurate then
- "for some reason I did not specify the correct license": setting it to NOASSERTION would hide this

option: set to NOASSERTION but issue a warning, possibly find a term that says 'NOASSERTION is what I really want' to get rid of the warnings

other licenses
==============
This is the tricky one.

option: use an additional variable like <pkg>_LICENSE_FILES_NONSPDX which contains the usual file://SOMEFILE;md5=abcd syntax and is concatenated to <pkg>_LICENSE_FILES so nothing breaks, and pick this up later to create a set of LicenseRef-<pkg>-# licenses that can be referenced by the package. Seems like an ugly hack though...

Best regards,
Ralf
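As an added illustration (not Ralf's code and not part of ptxdist), here is how the three cases above could be mapped to the SPDX JSON fields `licenseConcluded` and `hasExtractedLicensingInfos`: `public_domain` becomes a shared `LicenseRef-PublicDomain`, `unknown` becomes `NOASSERTION` plus a warning, and the proposed `<pkg>_LICENSE_FILES_NONSPDX` value (hypothetical; its `file://PATH;md5=HASH` syntax is parsed and the md5 checked like the regular license files) becomes one `LicenseRef-<pkg>-<n>` per file. The license file contents, the public-domain wording and the package names are constructed for the example.

```python
import hashlib
import json
import re

# Constructed sample: license file contents as ptxdist would find them in the unpacked
# source tree, keyed by the path used in the file:// entry (embedded so this runs offline).
SAMPLE_FILES = {
    "LICENSE.vendor": "Vendor Corp. Permission to use, copy and redistribute this "
                      "software is granted provided this notice is retained.\n",
}

# Constructed value for the proposed (hypothetical) <pkg>_LICENSE_FILES_NONSPDX variable;
# the md5 is computed here so the sample spec is consistent with the sample file.
SAMPLE_NONSPDX_SPEC = "file://LICENSE.vendor;md5=" + hashlib.md5(
    SAMPLE_FILES["LICENSE.vendor"].encode()).hexdigest()

# Hypothetical wording for the public-domain LicenseRef (the mail asks for proposals).
PUBLIC_DOMAIN_TEXT = ("The authors have dedicated this work to the public domain "
                      "and waived all copyright in it.")

_IDSTRING_BAD = re.compile(r"[^A-Za-z0-9.-]")
_FILE_ENTRY = re.compile(r"file://([^;]+);md5=([0-9a-fA-F]{32})")


def parse_license_files(spec):
    """Split a ptxdist-style 'file://PATH;md5=HASH ...' string into (path, md5) pairs."""
    entries = []
    for token in spec.split():
        m = _FILE_ENTRY.fullmatch(token)
        if m is None:
            raise ValueError(f"unparseable license file entry: {token!r}")
        entries.append((m.group(1), m.group(2).lower()))
    return entries


def license_ref_id(pkg, index):
    """LicenseRef-<pkg>-<n>; an SPDX idstring may only contain letters, digits, '.' and '-'."""
    return f"LicenseRef-{_IDSTRING_BAD.sub('-', pkg)}-{index}"


def build_license_info(pkg, license_field, nonspdx_spec, files):
    """Map one package's license data to SPDX fields.

    Returns (licenseConcluded, hasExtractedLicensingInfos, warnings).
    """
    parts, extracted, warnings = [], [], []

    for lic in license_field.split():
        if lic == "public_domain":
            parts.append("LicenseRef-PublicDomain")
            extracted.append({"licenseId": "LicenseRef-PublicDomain",
                              "name": "Public domain",
                              "extractedText": PUBLIC_DOMAIN_TEXT})
        elif lic == "unknown":
            parts.append("NOASSERTION")
            warnings.append(f"{pkg}: license is 'unknown', emitting NOASSERTION; "
                            "check the rule file")
        else:
            parts.append(lic)  # assumed to already be a valid SPDX license identifier

    for n, (path, md5) in enumerate(parse_license_files(nonspdx_spec), start=1):
        text = files[path]
        actual = hashlib.md5(text.encode()).hexdigest()
        if actual != md5:
            # Same guard as the regular license files: the text may have changed upstream.
            raise ValueError(f"{pkg}: md5 mismatch for {path}: {actual} != {md5}")
        ref = license_ref_id(pkg, n)
        parts.append(ref)
        extracted.append({"licenseId": ref,
                          "name": f"{pkg} license file {path}",
                          "extractedText": text,
                          "comment": f"Non-SPDX license taken from {path} (md5 {md5})"})

    # NOASSERTION is not a license expression operand, so it cannot be ANDed with others.
    if "NOASSERTION" in parts:
        if len(parts) > 1:
            warnings.append(f"{pkg}: 'unknown' mixed with other licenses, "
                            "collapsing licenseConcluded to NOASSERTION")
        concluded = "NOASSERTION"
    else:
        concluded = " AND ".join(parts) if parts else "NOASSERTION"
    return concluded, extracted, warnings


def demo():
    """Run the three cases from the mail on constructed package data."""
    return {
        "public_domain": build_license_info("libfoo", "public_domain", "", {}),
        "unknown": build_license_info("libbar", "unknown", "", {}),
        "nonspdx": build_license_info("lib_baz", "MIT", SAMPLE_NONSPDX_SPEC, SAMPLE_FILES),
    }


if __name__ == "__main__":
    for case, (concluded, extracted, warns) in demo().items():
        print(case, concluded, json.dumps(extracted, indent=1), warns, sep="\n")
```

The `hasExtractedLicensingInfos` entries for every package would then be merged (deduplicating `LicenseRef-PublicDomain`) into the document-level list, which is what the SPDX validator checks each `LicenseRef-` in `licenseConcluded` against.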
