[sr-dev] SPDX identifiers in source code
Olle E. Johansson
oej at edvina.net
Tue Aug 16 10:42:56 CEST 2022
Hi!
SBOM - Software Bill of Materials - often comes up in discussions in my projects. There’s a new working group in the IETF working on it and several other standardization bodies.
A starting point is identification of the license in each source code file with a parseable SPDX identifier.
- Is anyone against adding that to our source code?
- Would it be beneficial for packaging in any way?
I think at some point in the future, a SBOM list in <pick format> will be included in packages, in order to be able to produce a SBOM for the container or the machine.
As we have multiple licenses in the source code it’s important to mark every file correctly.
I can start experimenting with http_client, then work myself around, if the dev community doesn’t scream and argue that it’s a bad thing (TM).
Read more here:
- SPDX - a Linux Foundation project and ISO standard - https://spdx.dev
- Tags in source code - https://spdx.dev/ids/
Cheers,
/O
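As an added illustration of the per-file tagging proposed above (example code, not from the post or the Kamailio project): a small checker that pulls the `SPDX-License-Identifier:` tag from the header of each file and reports files with no tag or with a license outside an allow-list, which is the check you would want in CI once a multi-license tree has been marked. The sample tree, the file paths and the allow-list are constructed for the example.

```python
import re
from pathlib import Path

# Constructed stand-in for a source tree: relative path -> file contents.
SAMPLE_TREE = {
    "src/modules/http_client/http_client.c":
        "/*\n * SPDX-License-Identifier: GPL-2.0-or-later\n */\n#include <stdio.h>\n",
    "src/core/parser.c": "/* Copyright (c) example */\n/* SPDX-License-Identifier: BSD-3-Clause */\n",
    "src/lib/util.c": "// SPDX-License-Identifier: MIT AND Apache-2.0\n",
    "src/modules/legacy.c": "/* no license tag in this file */\nint x;\n",
}

# Constructed allow-list of licenses this tree is expected to use.
ALLOWED = {"GPL-2.0-or-later", "BSD-3-Clause", "MIT"}

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*$")
OPERATORS = {"AND", "OR", "WITH"}

def extract_identifier(text, max_lines=5):
    """Return the SPDX expression found in the first max_lines lines, or None."""
    for line in text.splitlines()[:max_lines]:
        m = SPDX_TAG.search(line)
        if m:
            expr = m.group(1)
            if expr.endswith("*/"):          # tag inside a C block comment
                expr = expr[:-2].rstrip()
            return expr or None
    return None

def license_ids(expr):
    """Split an SPDX expression into its bare license/exception ids."""
    tokens = expr.replace("(", " ").replace(")", " ").split()
    return [t for t in tokens if t.upper() not in OPERATORS]

def audit(tree, allowed):
    """Classify each file as ok, missing a tag, or using a license not in allowed."""
    report = {"ok": [], "missing": [], "unknown": {}}
    for path, text in sorted(tree.items()):
        expr = extract_identifier(text)
        if expr is None:
            report["missing"].append(path)
            continue
        bad = [i for i in license_ids(expr) if i not in allowed]
        if bad:
            report["unknown"][path] = bad
        else:
            report["ok"].append(path)
    return report

def load_tree(root, suffixes=(".c", ".h")):
    """Read a real directory into the same {path: text} shape as SAMPLE_TREE."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*") if p.suffix in suffixes}

if __name__ == "__main__":
    print(audit(SAMPLE_TREE, ALLOWED))
```

Run `audit(load_tree("src"), ALLOWED)` against a checked-out tree to get the same report for real files.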