Re: How to best handle modification notices and notices of origin in SPDX


Gary O'Neall
 

Hi Matija,

-----Original Message-----
From: Spdx-legal@... <Spdx-legal@...> On Behalf Of Matija Šuklje
Sent: Wednesday, July 24, 2019 11:14 AM
To: SPDX-legal <spdx-legal@...>
Subject: How to best handle modification notices and notices of origin in SPDX

Hi all,

recently I’ve been thinking about how to store¹ additional notices that are
required by some licenses on the SPDX license list. Specifically reference to the
origin of the work, and notice of modification of original work.

I’m sure people on this list are very well aware of the notice of modification as
e.g. in §5.a of GPL-3.0:

“The work must carry prominent notices stating that you modified it, and giving
a relevant date.”

As an example of where the requirement (of attribution) is to provide a notice of
where the original work came from, I can offer CC-BY-4.0 and its
§3.a.1.A.v:

“a URI or hyperlink to the Licensed Material to the extent reasonably
practicable;”

…which BTW also includes a notice of modification requirement in §3.a.1.B:

“indicate if You modified the Licensed Material and retain an indication of any
previous modifications;”

This “BY” clause is inherent to all CC-* licenses (apart from CC0-1.0 and
CC-PDDC), and similar clauses exist already in its 1.0 version, so I think it is safe to
assume that all CC licenses have this requirement.

So, I was wondering if there was a way to express this information in SPDX
(other than the generic comment).

I thought of some ugly workarounds, but would first like to hear if there is
already a proper way, before I soil this mailing list with that.

[G.O.] First a disclaimer - I have not implemented this specific use case in an SPDX document, but here is one approach:

For the origin package, create a package definition (you can use FilesAnalyzed=False to keep the required fields to a minimum). Create a relationship between the modified file and the origin with a relationship type FileModified and a comment indicating what was changed.

Gary
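
The approach suggested in the reply above, sketched as an added example that is not part of the original thread: a trimmed SPDX 2.1 tag-value fragment (where the reply's FilesAnalyzed=False and FileModified are spelled `FilesAnalyzed: false` and `FILE_MODIFIED`) plus a small check that every modified file resolves to an origin URL and a dated change comment. All package names, file names, URLs and dates are constructed, and the parser assumes single-line `<text>` comments and ISO dates.

```python
import re

# Constructed sample: one origin package with FilesAnalyzed: false and two
# files related to it. File entries are trimmed to the tags the check reads.
SAMPLE = """\
PackageName: origin-artwork
SPDXID: SPDXRef-Origin
PackageDownloadLocation: https://example.org/artwork/logo.svg
FilesAnalyzed: false
PackageLicenseConcluded: CC-BY-4.0
PackageLicenseDeclared: CC-BY-4.0
PackageCopyrightText: NOASSERTION
FileName: ./assets/logo.svg
SPDXID: SPDXRef-Logo
Relationship: SPDXRef-Logo FILE_MODIFIED SPDXRef-Origin
RelationshipComment: <text>Recoloured and cropped on 2019-07-24.</text>
FileName: ./assets/icon.svg
SPDXID: SPDXRef-Icon
Relationship: SPDXRef-Icon FILE_MODIFIED SPDXRef-Origin
"""

def modification_notices(doc):
    """Map each modified file ID to its origin ID, origin URL and comment."""
    locations, notices, last_id, last_rel = {}, {}, None, None
    for line in doc.splitlines():
        tag, _, value = line.partition(": ")
        if tag == "SPDXID":
            last_id = value
        elif tag == "PackageDownloadLocation":
            locations[last_id] = value  # belongs to the package just declared
        elif tag == "Relationship":
            src, rel_type, dst = value.split()
            last_rel = src if rel_type == "FILE_MODIFIED" else None
            if last_rel:
                notices[src] = {"origin": dst, "comment": ""}
        elif tag == "RelationshipComment" and last_rel:
            notices[last_rel]["comment"] = re.sub(r"</?text>", "", value)
    for n in notices.values():  # resolve origins after the whole pass
        n["url"] = locations.get(n["origin"])
    return notices

def incomplete(doc):
    """File IDs whose notice lacks an origin URL or a dated change comment."""
    no_url = (None, "NONE", "NOASSERTION")
    return sorted(f for f, n in modification_notices(doc).items()
                  if n["url"] in no_url
                  or not re.search(r"\d{4}-\d{2}-\d{2}", n["comment"]))
```

Here `incomplete(SAMPLE)` flags `SPDXRef-Icon`, whose relationship has no comment and therefore records neither what was changed nor when.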
