[specs/SBOMQS-2.0-SPEC.md] Minor fixes and suggestions #498
Just some minor fixes after a quick review (i.e. not at all thorough).
IMO, a few other flaws exist or may exist:
https://github.com/interlynk-io/sbomqs/blob/main/specs/SBOMQS-2.0-SPEC.md#important-differences, bullet point 3: "BSI v2.0 requires signature files"
Really as a hard requirement, i.e. the whole check / evaluation fails, when no signature file is provided? IMO this would raise this requirement above all other requirements, instead of simply lowering the score if it is missing or the signature check fails.
Licences https://github.com/interlynk-io/sbomqs/blob/main/specs/SBOMQS-2.0-SPEC.md#deprecated-licenses-examples
Out of these, only GPL-1.0, LGPL-2.0 and AGPL-1.0 have become obsolete (i.e., are really deprecated), because not only are GPL, LGPL and AGPL significantly different licences, but also the v2.x and v3.0 versions contain fundamental differences which practically render them "different licenses", too. Consequently some projects have switched to GPL-v2-only (from GPL-v2-or-later), the Linux kernel was always licensed GPL-v2, and the LGPL-2.1 still is widely adopted; furthermore, all three points seem to gain followers who seem to have realised the drawbacks of \*PLv3. Lastly, the v3.0 versions of the \*GPL licences are the most recent versions of the \*GPL licence documents available.

Licences, again https://github.com/interlynk-io/sbomqs/blob/main/specs/SBOMQS-2.0-SPEC.md#permissive-licenses-examples
CC0-1.0 is not a permissive licence; CC0 puts the so-licensed good into the public domain.