Sebastian Schuberth

> We would like to exclude some dependencies as we trust them. Then this is pretty much the use-case of https://github.com/oss-review-toolkit/ort/issues/5105, and really *excluding* such dependencies is *not* the way...

My goal would be to accept any strings that from the pure grammar syntax represents a valid SPDX expression. I.e. "my random string" should not be valid, but "foo AND...

Just a note on the implementation: The validation happens in the SPDX model, not in the reporter. So exposing the validation level as an SPDX reporter specific option requires some...

Apparently, the NPM registry's metadata for `NPM::unload:2.2.0` says that version 2.2.0 was built from Git revision `db31c2772cda956c1a53fcc95cd40d7825077ec4`, but there is no such revision in https://github.com/pubkey/unload.git. Unfortunately, this is a rather...

> However, it seems like `big-interger` fails, although `3892895546890db1c71b1e629fae58f0eb52d815` does exist, see [peterolson/BigInteger.js@3892895](https://github.com/peterolson/BigInteger.js/commit/3892895546890db1c71b1e629fae58f0eb52d815) For `NPM::big-integer:1.6.52` the root cause is a differnet kind of metadata error: See how the Git repository...

> As a joint community effort, this is feasible to do. To lead with good example, I've started to address this in the Open Source way by contributing both [a...

> ORT deliberately fails hard here to ensure these issues are being dealt with via ORT configuration means. Though we could discuss to make these issues (of `ERROR` severity) instead...

> Is this setting not applied for the scanner? Let's phrase it like this: I'm not whether also JGit picks it up correctly, and whether you have configured at the...

Some more thoughts on the topic of "generating" project IDs: Running e.g. `GoDepFunTest` via Travis CI on a fork of ORT currently fails as [the expected result hard-codes the upstream...

The situation has improved since https://github.com/oss-review-toolkit/ort/pull/6544, but it is not used consistently yet.