Re: How to best handle modification notices and notices of origin in SPDX

J Lovejoy

better late, than never...

On Aug 22, 2019, at 8:34 AM, Matija Šuklje <matija@...> wrote:

On Sunday 28 July 2019 22:16:34 CEST
garysourceauditor@... wrote:
[G.O.] First a disclaimer - I have not implemented this specific
use case in an SPDX document, but here is one approach: For the
origin package, create a package definition (you can use
FilesAnalyzed=False to keep the required fields to a minimum).
Create a relationship between the modified file and the origin
with a relationship type FileModified and a comment indicating
what was changed.

I can see how this could work in the sense where we are using
packages. But it also seems like quite a tooling-heavy approach.

If I understand you correctly, this would imply you have an
inventory of all the packages used with corresponding SPDX files,
and then this inventory (or build system) could be used to track
the relationships and modification status.

BTW, if we’re talking about small single-file situations (e.g.
CSS, JS, fonts, images), it seems quite a hassle. Imagine doing
this for every single placeholder image.

In any case, there is still the attribution/provenance question
open.

The hack I currently have in mind is to misuse the SPDX-
FileCopyrightText tag in REUSE, but would very much like to depend
on something better.
https://github.com/fsfe/reuse-docs/issues/43


I really wouldn’t conflate attribution and copyright notices - that seems to lead to a lot of unnecessary confusion and other energy

FWIW - this reminded me that there are some licenses that require a specific acknowledgment (I’m intentionally not using “attribution” :) in the form of specific text you need to reproduce, such as Apache-1.1, clause 3 - https://www.gnu.org/licenses/identify-licenses-clearly.en.html  

When we began to do the review and conversion for the XML format, we began to label licenses that have this. We didn’t necessarily catch all of them or implement an XML tag for this, but the idea was that it would be possible (if someone wanted to do the work; there was enough work at that point that we didn’t proceed down this path at the time). Just thought I’d mention!

Jilayne
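Added example, not from the thread or from any of the posters: a constructed SPDX 2.2 tag-value fragment that follows the approach Gary describes in the quoted text (an origin package declared with FilesAnalyzed: false, a FILE_MODIFIED relationship from the modified file to that package, and a RelationshipComment saying what changed), together with a small Python parser that resolves those relationships back into the kind of modification notice an inventory or build system could emit. FILE_MODIFIED is the spec spelling of the relationship type Gary calls FileModified; the package name, file paths, namespace, checksum and comment text are placeholders I made up, and the parser covers only the subset of the tag-value grammar this fragment uses.

```python
"""Added example (not from the mailing-list thread): a minimal SPDX 2.2
tag-value document using FilesAnalyzed: false plus FILE_MODIFIED, and a
parser that turns the relationship into a modification/provenance notice.
All names, paths, the namespace and the checksum are constructed placeholders."""
import re

# Constructed document.  The origin package is declared with FilesAnalyzed: false,
# so only its minimal required fields are needed; the modified local copy is a File.
SPDX_DOC = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-site
DocumentNamespace: https://example.invalid/spdx/example-site-1.0
Creator: Person: Example Maintainer
Created: 2019-08-22T00:00:00Z

PackageName: normalize.css
SPDXID: SPDXRef-Package-normalize-css
PackageVersion: 8.0.1
PackageDownloadLocation: https://example.invalid/normalize.css/v8.0.1.tar.gz
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright (c) Example Upstream Authors</text>

FileName: ./static/css/normalize.css
SPDXID: SPDXRef-File-normalize-css
FileChecksum: SHA1: 0000000000000000000000000000000000000000
LicenseConcluded: MIT
LicenseInfoInFile: MIT
FileCopyrightText: <text>Copyright (c) Example Upstream Authors
Copyright (c) 2019 Example Maintainer</text>

Relationship: SPDXRef-File-normalize-css FILE_MODIFIED SPDXRef-Package-normalize-css
RelationshipComment: <text>Removed vendor-prefixed rules and reformatted;
no functional change.</text>
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Return (tag, value) pairs; <text>...</text> values may span several lines.
    Only the subset of the grammar used by SPDX_DOC is handled (no '#' comments)."""
    pairs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = TAG_RE.match(lines[i])
        if not m:                      # blank line between elements
            i += 1
            continue
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>") and not value.endswith("</text>"):
            chunk = [value]            # gather continuation lines up to </text>
            i += 1
            while not lines[i].endswith("</text>"):
                chunk.append(lines[i])
                i += 1
            chunk.append(lines[i])
            value = "\n".join(chunk)
        if value.startswith("<text>"):
            value = value[len("<text>"):-len("</text>")]
        pairs.append((tag, value))
        i += 1
    return pairs


def build_index(pairs):
    """Group pairs into elements keyed by SPDXID and collect relationships.
    A new element starts at PackageName or FileName; a RelationshipComment
    attaches to the Relationship line that precedes it."""
    elements, relationships = {}, []
    current = {"_kind": "Document"}
    for tag, value in pairs:
        if tag in ("PackageName", "FileName"):
            current = {"_kind": "Package" if tag == "PackageName" else "File"}
        if tag == "Relationship":
            a, rel_type, b = value.split()
            relationships.append({"a": a, "type": rel_type, "b": b, "comment": ""})
            continue
        if tag == "RelationshipComment":
            relationships[-1]["comment"] = value
            continue
        current[tag] = value
        if tag == "SPDXID":
            elements[value] = current
    return elements, relationships


def modification_notices(elements, relationships):
    """Resolve every FILE_MODIFIED relationship into a provenance record:
    which local file, derived from which origin package, and what changed.
    Dangling SPDXIDs or a non-File subject are reported as errors."""
    notices = []
    for rel in relationships:
        if rel["type"] != "FILE_MODIFIED":
            continue
        modified, origin = elements.get(rel["a"]), elements.get(rel["b"])
        if modified is None or origin is None:
            raise ValueError(f"dangling SPDXID in relationship: {rel}")
        if modified["_kind"] != "File":
            raise ValueError(f"FILE_MODIFIED subject must be a File: {rel['a']}")
        notices.append({
            "file": modified["FileName"],
            "origin": origin.get("PackageName", rel["b"]),
            "origin_version": origin.get("PackageVersion", ""),
            "origin_download": origin.get("PackageDownloadLocation", ""),
            "files_analyzed": origin.get("FilesAnalyzed", "true").lower() == "true",
            "modification": rel["comment"],
        })
    return notices


if __name__ == "__main__":
    els, rels = build_index(parse_tag_value(SPDX_DOC))
    for n in modification_notices(els, rels):
        print(f"{n['file']} is a modified copy of {n['origin']} {n['origin_version']} "
              f"({n['origin_download']}): {n['modification']}")
```

The parser is deliberately strict about dangling SPDXIDs: a FILE_MODIFIED relationship whose target is missing is exactly the case where a modification notice would silently lose its origin, which is the provenance gap the thread is worried about.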