* Richard Fontana:
> I think we should definitely try to get a downstream view on
this, if
> there is one.
I assume you primarily mean the view of engineers working on packaging
for CentOS Stream/RHEL,
No, not engineering actually.
[requests for SBOMs]
Anyway, the approach that has always been taken in responding to
these
requests for RPMs, at least those coming from RHEL specifically, has
been to use the License: field contents (ignoring any varying
information for subpackages). So basically there is one list item
corresponding to each SRPM. This is justified partly by the quality we
associate with the Fedora-based approach, i.e. we feel we can report
the contents of the License: field in most cases rather than scan or
otherwise review the package anew.
Yes, but doesn't need SPDX, as you point out below.
Some people on the development side (not those who drive SPDX adoption
in Fedora as far as I know) have started to talk about compliance in
this context, and this makes me nervous because they don't say where
these alleged compliance requirements come from.
Thanks,
Florian