Sebastian Schuberth
> The most interesting part would be transitive dependencies, but we don't get these until [#1534](https://github.com/oss-review-toolkit/ort/issues/1534) is implemented. @cgi-ricardo, do you agree to close this as a duplicate of #1534?
> in particular also with Yocto related efforts.

Ping @mmurto here, FYI.
BTW, usually it would have been rather straightforward to just add the provider name to `PackageCurationData`, but unfortunately that class is yet another example of a model class that is...
> [@sschuberth](https://github.com/sschuberth) have you had a look at `ResolvedConfiguration`?

Yes, that's what [we are currently trying to use](https://github.com/eclipse-apoapsis/ort-server/pull/3740/files#diff-2dc4355ce8d5a55a3cfb14610efde98f4a38f47e5b1280104d3f08e78d1e9c09R112-R121), but it turned out to be rather cumbersome. Thus the idea for...
@willebra, please have a look at this draft. Does this match your specification?
> Why do we add the `_VULNERABILITY` suffix to all reasons? It seems redundant. The only exception is maybe `NOT_A_VULNERABILITY`.

I agree, but I was just aligning to existing code.
I feel that @MarcelBochtler (and maybe @mnonnenmacher) should chime in on the review as the primary users of this feature.
I've split out some stuff to https://github.com/oss-review-toolkit/ort/pull/6061.
> Should this be moved back to "draft" state, as it introduces copyright statements without holder into e.g. the notices?

@fviernau, I finally found the time to continue working on...
> I fear I won't find the time to do a review prior to my X-mas holidays. Is this urgent?

It's not super urgent. But it's also not a lot...