On Mon, Nov 27, 2017 at 8:37 PM, Richard Fontana <rfont...@redhat.com> wrote:
> On Mon, Nov 27, 2017 at 11:04:15AM -0800, Bradley M. Kuhn wrote:
>> As I understand Richard's reasons, they relate to license documents that
>> *don't* appear in a source code repository, which is the case for the Google
>> and Red Hat statements today.
>
> Right. I can't really see a justification for creating SPDX
> identifiers to represent purely external statements.

Richard, say I am a user of 5,000 packages. Some of them come with this L/GPL rider, some not: I could see some value there. But then again, it may be a point minor enough that this may not be worth tracking in SPDX.

And of course very few reuse 5,000 packages, right? Yet in fact several small to mid-size container-based deployments reach this number very quickly. Add a few npm/node-based apps in the mix and you top that number even faster in practice.

--
Cordially
Philippe Ombredanne