
Technical advisory board


Posted Sep 19, 2021 13:27 UTC (Sun) by madscientist (subscriber, #16861)
In reply to: Technical advisory board by jschrod
Parent article: SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

I don't see why it should be the responsibility of the project. If something is wrong about the SPDX do users of the project see bugs? Do regression tests fail? If someone who cares about SPDX sees that something is not right, then they can supply a patch to fix it. If users of the project are relying on the SPDX content without verifying it themselves and it's wrong, that's a problem for those users who need SPDX.

There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.



Technical advisory board

Posted Sep 19, 2021 14:22 UTC (Sun) by pizza (subscriber, #46)

> There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.

SPDX is a pretty poor example, honestly. It's nearly entirely a one-off cost, and even that's not likely to be all that large. It took under an hour for me to add SPDX headers to a modest 30KLOC (across ~30 files) project that I maintain, and that's mainly because I wrote a script to do it instead of editing each file manually. Going forward, it's zero additional effort to maintain -- Adding it to a new file is trivial when you consider that I already need to ensure the new file has a proper copyright header in it, which in turn is just cut-n-pasted from another file.

Now the other stuff that corporate types want, such as certifications, security processes, testing frameworks, CI systems, maintained "stable" branches, documentation, and unlimited hand-holding represents both upfront and ongoing effort. But SPDX isn't one of those.
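The kind of one-off header script pizza mentions, written out as an added example by the editor; it is not the commenter's script and not code from any project named in the thread. The extension-to-comment-style table, the license identifier passed in, and the sample files the demo creates are all constructed for illustration. The two details worth getting right in such a script are that it stays idempotent (re-running it must not stack a second tag) and that a shebang line stays on line 1.

```python
"""Add an SPDX-License-Identifier tag to the top of source files.

Editor's example, not the commenter's script. The comment-style table
below is an assumption covering a few common extensions; extend it for
your tree.
"""
import re
import tempfile
from pathlib import Path

# Assumption: extension -> single-line comment prefix.
COMMENT_PREFIX = {
    ".c": "//",
    ".h": "//",
    ".rs": "//",
    ".go": "//",
    ".py": "#",
    ".sh": "#",
}

SPDX_RE = re.compile(r"SPDX-License-Identifier:")


def add_spdx_header(text: str, suffix: str, license_id: str) -> str:
    """Return text with an SPDX tag inserted, or unchanged if already tagged.

    The tag becomes line 1, except when line 1 is a shebang; then it goes
    on line 2 so the interpreter line keeps its required position.
    """
    prefix = COMMENT_PREFIX.get(suffix)
    if prefix is None:
        raise ValueError(f"no comment style known for {suffix!r}")

    # Idempotence: SPDX tags live in the first few lines, so only look there.
    head = text.splitlines()[:3]
    if any(SPDX_RE.search(line) for line in head):
        return text

    tag = f"{prefix} SPDX-License-Identifier: {license_id}\n"
    if text.startswith("#!"):
        shebang, _, rest = text.partition("\n")
        return shebang + "\n" + tag + rest
    return tag + text


def tag_tree(root: Path, license_id: str) -> list[Path]:
    """Rewrite every known source file under root; return the files changed."""
    changed = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in COMMENT_PREFIX:
            continue
        original = path.read_text(encoding="utf-8")
        updated = add_spdx_header(original, path.suffix, license_id)
        if updated != original:
            path.write_text(updated, encoding="utf-8")
            changed.append(path)
    return changed


def demo() -> list[str]:
    """Tag a constructed sample tree in a temp dir; return the names changed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed sample files, not taken from any real project.
        (root / "a.c").write_text("int main(void) { return 0; }\n")
        (root / "run.sh").write_text("#!/bin/sh\necho hi\n")
        (root / "done.py").write_text(
            "# SPDX-License-Identifier: GPL-2.0-or-later\nx = 1\n")
        (root / "README").write_text("not source, left alone\n")
        changed = tag_tree(root, "GPL-2.0-or-later")
        # A second pass must be a no-op, which is what makes the script safe
        # to re-run from CI or a pre-commit hook.
        assert tag_tree(root, "GPL-2.0-or-later") == []
        return [p.name for p in changed]


if __name__ == "__main__":
    print("tagged:", demo())
```

Running the script on a real tree is `tag_tree(Path("."), "GPL-2.0-or-later")`; the returned list is what you would review in the resulting commit. Because already-tagged files are left byte-identical, the same script can be kept around and re-run on new files rather than relying on cut-and-paste headers.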

