
ExternalRefType entry for EU AI Act Union-wide unique single identification

Open bact opened this issue 1 year ago • 3 comments

Upon the registration of high-risk AI systems to the "EU database for high-risk AI systems listed in Annex III" in relation to testing in real world conditions, a "Union-wide unique single identification number of the testing in real world conditions" (Article 60 (4)(c); Article 61 (e); Annex IX (1)) will be submitted.

We may consider having it as a new type in ExternalRefType.

Possible names: eudb, euaidb, euDatabaseTestId, euDatabaseTest

It is possible that the EU AI Office may issue the schema/string pattern for the identification number in the future.

bact, Oct 12 '24 11:10

Can Package URL serve this?

bact, Feb 13 '25 04:02

> Can Package URL serve this?

My preference would be to have a separate external ref type, so we wouldn't have to parse the package URL string to determine if it fits the requirements.

Although there is some controversy over this topic, many people, including myself, believe that Package URLs are not a good unique identifier. You can have more than one package URL describing the same package, and you can have ambiguous package URLs that can point to more than one package. To solve this you would need to carefully specify all the package URL qualifiers needed to make it unique, and those qualifiers vary depending on the package manager / repository system being referenced.

goneall, Feb 13 '25 19:02
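The two Package URL problems raised in the comment above (several purls for one package, and one purl matching several packages), shown as an added example that is not code from the thread participants or from the SPDX project. The `parse_purl` helper is a minimal splitter written for this demo, not a full purl implementation, and all sample purls are constructed.

```python
from urllib.parse import parse_qsl, unquote

def parse_purl(purl):
    """Minimal purl splitter for this demo (assumes no '@' in the namespace)."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: " + purl)
    rest, _, _subpath = purl[4:].partition("#")
    rest, _, query = rest.partition("?")
    path, _, version = rest.partition("@")
    ptype, _, name_path = path.partition("/")
    namespace, _, name = name_path.rpartition("/")
    return {
        "core": (ptype.lower(), unquote(namespace), unquote(name), unquote(version)),
        "qualifiers": dict(parse_qsl(query)),
    }

# Constructed samples: three spellings assumed to describe one Maven artifact.
SAME_PACKAGE = [
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar",
    "pkg:maven/org.apache.commons/commons-lang3@3.12.0"
    "?type=jar&repository_url=https://repo1.maven.org/maven2",
]

# Constructed samples: two distinct Debian builds that differ only by qualifier.
ARTIFACTS = [
    "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie",
    "pkg:deb/debian/curl@7.50.3-1?arch=amd64&distro=jessie",
]

def distinct_strings(purls):
    """How many identifiers a naive string comparison sees."""
    return len(set(purls))

def distinct_packages(purls):
    """How many packages remain once qualifiers are ignored."""
    return len({parse_purl(p)["core"] for p in purls})

def candidates(reference, inventory):
    """Artifacts a reference purl could denote: same core, qualifiers not contradicted."""
    ref = parse_purl(reference)
    return [a for a in inventory
            if parse_purl(a)["core"] == ref["core"]
            and ref["qualifiers"].items() <= parse_purl(a)["qualifiers"].items()]

if __name__ == "__main__":
    print(distinct_strings(SAME_PACKAGE), "strings,", distinct_packages(SAME_PACKAGE), "package")
    print(candidates("pkg:deb/debian/curl@7.50.3-1", ARTIFACTS))
    print(candidates("pkg:deb/debian/curl@7.50.3-1?arch=amd64", ARTIFACTS))
```

A consumer reading a dedicated external ref type can compare the identifier value directly; with a purl it has to run this kind of type-specific normalisation first.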

Thank you @goneall for detailed comments and suggestions.

bact, Feb 14 '25 01:02