Thomas Steenbergen
Goal: Have ORT better support common contribution process checks. Usage scenarios: - Check that community files such as CONTRIBUTING.md, Code of Conduct, CODEOWNERS, pull request templates are present in your open...
GitHub's Dependency submission API allows you to submit dependencies for projects, such as the dependencies resolved when a project is built or compiled, see https://docs.github.com/en/rest/dependency-graph/dependency-submission. As ORT generally detects dependencies...
[BitBucket](https://bitbucket.org/) seems to be used by various governments, and whether ORT can be run in BitBucket has come up in multiple conversations. Filing this ticket so we have one place to...
SPDX will soon release SPDX 2.3, which at a high level includes the following changes: 1) Support for exchanging security information, see https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/external-repository-identifiers.md and https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/how-to-use.md 2) Several fields have become...
Currently, if ORT scans a source artifact, then the name of the extracted tar or zip will be in the file finding. Example: PyPI::Mako:1.1.3 https://files.pythonhosted.org/packages/72/89/402d2b4589e120ca76a6aed8fee906a0f5ae204b50e455edd36eda6e778d/Mako-1.1.3.tar.gz |LicenseRef-scancode-reportbug | Mako-1.1.3/doc/_static/underscore.js | 3 |...
We are implementing SPDX-2.2 in [OSS Review Toolkit](https://github.com/oss-review-toolkit/ort) and we would like some clarifications on how to correctly implement NONE and NOASSERTION in `licenseInfoInFiles`. Question 1) Is it correct to...
[CONTRIBUTING.md](https://github.com/spdx/spdx-spec/blob/development/v2.2.2/CONTRIBUTING.md) does not mention the [SPDX Community Specification Contributor License Agreement 1.0](https://github.com/spdx/governance/blob/main/0._SPDX_Contributor_License_Agreement.md) or the DCO requirement. Propose to add a section to CONTRIBUTING.md explaining that besides CC-BY-3.0 also SPDX Community Specification...
In the SPDX 2.2 example, [Snippet Byte Range](https://github.com/spdx/spdx-spec/blob/master/chapters/5-snippet-information.md#53-snippet-byte-range-) and [Snippet Line Range](https://github.com/spdx/spdx-spec/blob/master/chapters/5-snippet-information.md#54-snippet-line-range-) are currently encoded as RDF (see code below), but elsewhere we consistently followed SPDX `tag:value`. Propose to align ranges...
Found `packages` used in the spdx.xml example; why is it not `package` like in RDF? https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXXMLExample-v2.2.spdx.xml#L246-L256 vs. https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXRdfExample-v2.2.spdx.rdf.xml#L1821-L1831
Currently the SPDX spec supports non-SPDX licenses using the "LicenseRef" prefix, but no such thing exists for exceptions. Proposal is to introduce an "ExceptionRef" prefix to allow SPDX users...