Re: How to best handle modification notices and notices of origin in SPDX


Matija Šuklje
 

On Sunday 28 July 2019 22:16:34 CEST
garysourceauditor@... wrote:
> [G.O.] First a disclaimer - I have not implemented this specific
> use case in an SPDX document, but here is one approach: For the
> origin package, create a package definition (you can use
> FilesAnalyzed=False to keep the required fields to a minimum).
> Create a relationship between the modified file and the origin
> with a relationship type FileModified and a comment indicating
> what was changed.
I can see how this could work in the sense where we are using
packages. But it also seems like quite a tooling-heavy approach.

If I understand you correctly, this would imply you have an
inventory of all the packages used with corresponding SPDX files,
and then this inventory (or build system) could be used to track
the relationships and modification status.

BTW, if we’re talking about small single-file situations (e.g.
CSS, JS, fonts, images), it seems quite a hassle. Imagine doing
this for every single placeholder image.

In any case, there is still the attribution/provenance question
open.

The hack I currently have in mind is to misuse the SPDX-FileCopyrightText
tag in REUSE, but would very much like to depend on something better.
https://github.com/fsfe/reuse-docs/issues/43


cheers,
Matija Šuklje
--
gsm: +386 41 849 552
www: http://matija.suklje.name
xmpp: matija.suklje@...
sip: matija_suklje@...
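What the package-plus-relationship approach quoted above looks like in an SPDX 2.x tag-value document, as an added illustration that is not part of either message: the origin is a minimal package with FilesAnalyzed: false, the shipped copy is a File, and a FILE_MODIFIED relationship (the spec's spelling of the "FileModified" type mentioned above) carries the modification notice in its comment. All names, URLs, the namespace and the checksum are constructed placeholders.

```text
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: modification-notice-example
DocumentNamespace: https://example.org/spdxdocs/modification-notice-example-PLACEHOLDER
Creator: Person: Example Auditor
Created: 2019-07-29T00:00:00Z

## Origin package. With FilesAnalyzed: false, only the fields below are
## required; no PackageVerificationCode and no per-file records are needed.
PackageName: example-css-lib
SPDXID: SPDXRef-Package-example-css-lib
PackageVersion: 1.2.3
PackageDownloadLocation: https://example.org/downloads/example-css-lib-1.2.3.tar.gz
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) Example Upstream Author (placeholder)</text>

## The modified copy actually shipped in this project (single file).
FileName: ./static/css/example.css
SPDXID: SPDXRef-File-example-css
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: MIT
LicenseInfoInFile: MIT
FileCopyrightText: <text>Copyright (c) Example Upstream Author (placeholder)
Modifications copyright (c) 2019 Example Downstream Project (placeholder)</text>

## Provenance and modification notice: the shipped file (A) was modified
## from the origin package (B); the comment records what changed.
Relationship: SPDXRef-File-example-css FILE_MODIFIED SPDXRef-Package-example-css-lib
RelationshipComment: <text>Removed vendor-prefixed rules and changed the base font-size; no other changes.</text>
```

The origin package's PackageDownloadLocation and the file's FileCopyrightText together answer the attribution/provenance question without relying on a repurposed REUSE tag.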
