Technical advisory board
Technical advisory board
Posted Sep 12, 2021 9:25 UTC (Sun) by mfuzzey (subscriber, #57966)In reply to: Technical advisory board by corbet
Parent article: SPDX Becomes Internationally Recognized Standard for Software Bill of Materials
Does the TAB get involved in decisions like the one to submit SPDX to ISO (which has policies concerning the availability of their standards that are questionable at best and open source hostile at worst).
I suspect not, though I may be wrong, as it's hardly a "technical" decision (nor a CoC related thing where the TAB also seems to be involved).
Seeing as ISO apparently can set standard specific rules (someone mentionned the ISO ADA standard bring free) I think the LF should have at least made free availability a precondition for submitting SPDX.
Posted Sep 18, 2021 14:29 UTC (Sat)
by jschrod (subscriber, #1646)
[Link] (4 responses)
The SPDX standard text is freely available, just like the Ada one - what is your qualm?
The real issue with SPDX is the demand on non-corporate developers to maintain such declarations for the sake of large companies who want to exploit their work without paying for it. Publication as an ISO standard has nothing to do with it.
Posted Sep 18, 2021 22:04 UTC (Sat)
by anselm (subscriber, #2796)
[Link] (3 responses)
Presumably if a large company wants to use the work of a non-corporate developer without paying and the only thing in their way is the lack of SPDX information, the least they could do is contribute a set of accurate SPDX headers to that project.
Posted Sep 18, 2021 22:59 UTC (Sat)
by jschrod (subscriber, #1646)
[Link] (2 responses)
Posted Sep 19, 2021 13:27 UTC (Sun)
by madscientist (subscriber, #16861)
[Link] (1 responses)
There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.
Posted Sep 19, 2021 14:22 UTC (Sun)
by pizza (subscriber, #46)
[Link]
SPDX is a pretty poor example, honestly. It's nearly entirely a one-off cost, and even that's not likely to be all that large. It took under an hour for me to add SPDX headers to a modest 30KLOC (across ~30 files) project that I maintain, and that's mainly because I wrote a script to do it instead of editing each file manually. Going forward, it's zero additional effort to maintain -- Adding it to a new file is trivial when you consider that I already need to ensure the new file has a proper copyright header in it, which in turn is just cut-n-pasted from another file.
Now the other stuff that corporate types want, such as certifications, security processes, testing frameworks, CI systems, maintained "stable" branches, documentation, and unliminted hand-holding represents both upfront and ongoing effort. But SPDX isn't one of those.
Technical advisory board
Technical advisory board
The real issue with SPDX is the demand on non-corporate developers to maintain such declarations for the sake of large companies who want to exploit their work without paying for it.
Technical advisory board
Technical advisory board
Technical advisory board