* Richard Fontana: >> I think we should definitely try to get a downstream view on this, if >> there is one. > > I assume you primarily mean the view of engineers working on packaging > for CentOS Stream/RHEL, No, not engineering actually. [requests for SBOMs] > Anyway, the approach that has always been taken in responding to these > requests for RPMs, at least those coming from RHEL specifically, has > been to use the License: field contents (ignoring any varying > information for subpackages). So basically there is one list item > corresponding to each SRPM. This is justified partly by the quality we > associate with the Fedora-based approach, i.e. we feel we can report > the contents of the License: field in most cases rather than scan or > otherwise review the package anew. Yes, but doesn't need SPDX, as you point out below. Some people on the development side (not those who drive SPDX adoption in Fedora as far as I know) have started to talk about compliance in this context, and this makes me nervous because they don't say where these alleged compliance requirements come from. Thanks, Florian _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
