Date   

Template and package namespaces

David Kemp
 

The Model Namespace Template markdown file Sean sent out on April 27 says:

# <Namespace Name> Namespace Specification
< This is a template to be used for creating documentation for each namespace within 3T-SBOM/SPDX model specification.  The text immediately following the heading is a summary of the naemspace itself.>

This is fine for defining parts of the specification.  But in the Core specification the SBOM Document has a namespace URI that identifies the device / application / container / service / software-distribution described by that SBOM.  When one SBOM refers to another SBOM using an external reference, with (or without) content validated with a signature or hash, the referenced SBOM has a namespace URI that distinguishes it from every other SBOM on the planet.

We should be clear that specification namespaces and SBOM Document namespaces are different animals.

Dave


Re: Diagrams and documents

David Kemp
 

Gary,

I've been working on an information modeling approach and an example information model for discussion. Rough notes are available at https://docs.google.com/document/d/1anzRAh8zExgDVAVbgk-5C73Iy7uf6aHEIglfr-32MU0.  The first section suggests some changes to William's ontology/class diagram; the second is an IM assuming those changes.

I'll look at the markdown template and see how an IM might be integrated with it.  We currently generate markdown tables from the IM, then incorporate the tables into (OpenC2) markdown documents. The format of the markdown output can easily be adjusted as needed, and going the other way (extracting an IM from markdown source) should be doable, particularly if the definitions are code-fenced.

Dave



On Wed, Jun 9, 2021 at 12:18 PM Gary O'Neall <gary@...> wrote:

Hi Dave,

 

I agree with your point on the challenge we are leaving up to implementers.  I am also concerned that if we don’t understand how the more general model could be implemented, we may end up finding fundamental flaws in the model late in the game.  In my experience, it is very common to change the model after discovering challenges during implementation.

 

Having an information model developed in parallel would be helpful in my opinion.

 

Would it be possible to generate the information model from the markdown template Alexios is working on?   If not, would it be feasible to add in enough information in markdown to make it possible to generate the information model?

 

Regards,

Gary

._,_


Re: Identity refactoring

David Kemp
 

Perhaps.  But wherever we fall on the spectrum of complexity, we should make a distinction between Identity and Artifact.  An identity should identify an actor, a person or non-person entity.  Artifact should refer to a passive data object that does not act on its own.  If a tool is acting autonomously it could have an identity credential / account of its own, but if it is a user agent it would invoke the user's identity credential / account.  A BOM or a software tarball would not have its own account.  I don't think there is a third category that is both active and passive - an executing bot process and the software for that process are distinct -- each executing bot would have its own identity despite being started from the same software package.

NIST uses "artifact" when defining non-person entity as "An entity with a digital identity that acts in cyberspace, but is not a human actor. This can include organizations, hardware devices, software applications, and information artifacts.".  But the artifacts in this definition are associated with active entities that can be credentialed, as described in Zero-Trust Architecture: "Enterprise-owned devices may have artifacts that enable authentication ..." and "This [request] may include information such as an internet protocol (IP) address, port information, session key, or similar security artifacts."

Dave


On Thu, Jun 10, 2021 at 3:52 AM Alexios Zavras <alexios.zavras@...> wrote:

OK, going to other extreme towards simplification…

Do we want to consider that our Core model will only have a simple “Identity” (a simple string, which might be an email or not) and everything else (Person, Organization, Tool, Agent, Address, etc.) are in an optional identity Area_of_Interest / Namespace? 😉

 

-- zvr


Re: Identity refactoring

Joshua Marpet
 

I like the simplicity model.  Allows for plug-in style model. Oh you want to do hardware? Here you go. Oh you want to design a model for medical devices? Here’s a template, knock yourself out!


From: Spdx-tech@... <Spdx-tech@...> on behalf of Alexios Zavras via lists.spdx.org <alexios.zavras=intel.com@...>
Sent: Thursday, June 10, 2021 3:52:15 AM
To: Gary O'Neall <gary@...>
Cc: 'Sean Barnum' <sbarnum@...>; Spdx-tech@... <Spdx-tech@...>
Subject: Re: [spdx-tech] Identity refactoring
 

OK, going to other extreme towards simplification…

Do we want to consider that our Core model will only have a simple “Identity” (a simple string, which might be an email or not) and everything else (Person, Organization, Tool, Agent, Address, etc.) are in an optional identity Area_of_Interest / Namespace? 😉

 

-- zvr

 

From: Gary O'Neall <gary@...>
Sent: Wednesday, 9 June, 2021 18:22
To: 'David Kemp' <dk190a@...>; Zavras, Alexios <alexios.zavras@...>
Cc: 'Sean Barnum' <sbarnum@...>; Spdx-tech@...
Subject: RE: [spdx-tech] Identity refactoring

 

I also agree on referencing other standards rather than (re)creating some of this challenging work.

 

Just one additional consideration – when we adopt these other standards, we also adopt any complexity that comes along with it.  For example, in SPDX 2.0 we incorporated W3C pointers for how we reference code snippets.  There is a proposal to replace this well-established albeit complex vocabulary with a simple positive integer property in SPDX 3.0. 

 

With the #1 complaint on SPDX being the complexity, we should be careful we don’t complicate the model in order to support use cases that are rarely used in practice.  To use an analogy from Physics, we don’t need a model that includes quantum effects, quarks and leptons if all we want to describe is the effect of air friction on a moving vehicle.

 

I would propose for any changes to the model where there would be an increase in complexity, we ask the following questions:

  • What use cases require the change?
  • Are these use cases important for SBOM consumers or suppliers?
  • Are there practical examples of these use cases being implemented today or planned to be implemented in the near future?
  • Is there a simpler approach to the model that satisfies the same use cases?
  • Is the increase in complexity worth supporting these additional use cases?  Or, to put it another way, would this change increase adoption by supporting more use cases or decrease adoption by increasing the complexity for implementation?

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of David Kemp
Sent: Wednesday, June 9, 2021 7:39 AM
To: Alexios Zavras <alexios.zavras@...>
Cc: Sean Barnum <sbarnum@...>; Spdx-tech@...
Subject: Re: [spdx-tech] Identity refactoring

 

+1.  Our wheelhouse is to design a document data structure that integrates smoothly with systems that are based on an ontology, not to design the ontology itself.

Dave

 

On Wed, Jun 9, 2021 at 3:53 AM Alexios Zavras <alexios.zavras@...> wrote:

Thanks, Sean, for the very interesting discussion yesterday.

 

I’d very much like to get it correctly. On the other hand, I’ve started to think that this is definitely not our core work and I’d hate for us to spend countless amount of hours trying to solve the complicated issues of identity/email/agent/etc.

Therefore… instead of us defining classes for all (many) of this stuff, can we point to some other ontology and use their classes? We are planning to do so in a number of other cases, anyway – what is “URL”, what is “String”, etc.

 

You did mention another comprehensive ontology that already deals with “Account”, “EmailAddress”, etc. Shouldn’t we simply point to that?

 

-- zvr

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Re: Identity refactoring

Alexios Zavras
 

OK, going to other extreme towards simplification…

Do we want to consider that our Core model will only have a simple “Identity” (a simple string, which might be an email or not) and everything else (Person, Organization, Tool, Agent, Address, etc.) are in an optional identity Area_of_Interest / Namespace? 😉

 

-- zvr

 

From: Gary O'Neall <gary@...>
Sent: Wednesday, 9 June, 2021 18:22
To: 'David Kemp' <dk190a@...>; Zavras, Alexios <alexios.zavras@...>
Cc: 'Sean Barnum' <sbarnum@...>; Spdx-tech@...
Subject: RE: [spdx-tech] Identity refactoring

 

I also agree on referencing other standards rather than (re)creating some of this challenging work.

 

Just one additional consideration – when we adopt these other standards, we also adopt any complexity that comes along with it.  For example, in SPDX 2.0 we incorporated W3C pointers for how we reference code snippets.  There is a proposal to replace this well-established albeit complex vocabulary with a simple positive integer property in SPDX 3.0. 

 

With the #1 complaint on SPDX being the complexity, we should be careful we don’t complicate the model in order to support use cases that are rarely used in practice.  To use an analogy from Physics, we don’t need a model that includes quantum effects, quarks and leptons if all we want to describe is the effect of air friction on a moving vehicle.

 

I would propose for any changes to the model where there would be an increase in complexity, we ask the following questions:

  • What use cases require the change?
  • Are these use cases important for SBOM consumers or suppliers?
  • Are there practical examples of these use cases being implemented today or planned to be implemented in the near future?
  • Is there a simpler approach to the model that satisfies the same use cases?
  • Is the increase in complexity worth supporting these additional use cases?  Or, to put it another way, would this change increase adoption by supporting more use cases or decrease adoption by increasing the complexity for implementation?

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of David Kemp
Sent: Wednesday, June 9, 2021 7:39 AM
To: Alexios Zavras <alexios.zavras@...>
Cc: Sean Barnum <sbarnum@...>; Spdx-tech@...
Subject: Re: [spdx-tech] Identity refactoring

 

+1.  Our wheelhouse is to design a document data structure that integrates smoothly with systems that are based on an ontology, not to design the ontology itself.

Dave

 

On Wed, Jun 9, 2021 at 3:53 AM Alexios Zavras <alexios.zavras@...> wrote:

Thanks, Sean, for the very interesting discussion yesterday.

 

I’d very much like to get it correctly. On the other hand, I’ve started to think that this is definitely not our core work and I’d hate for us to spend countless amount of hours trying to solve the complicated issues of identity/email/agent/etc.

Therefore… instead of us defining classes for all (many) of this stuff, can we point to some other ontology and use their classes? We are planning to do so in a number of other cases, anyway – what is “URL”, what is “String”, etc.

 

You did mention another comprehensive ontology that already deals with “Account”, “EmailAddress”, etc. Shouldn’t we simply point to that?

 

-- zvr

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Re: Identity refactoring

Gary O'Neall
 

I also agree on referencing other standards rather than (re)creating some of this challenging work.

 

Just one additional consideration – when we adopt these other standards, we also adopt any complexity that comes along with it.  For example, in SPDX 2.0 we incorporated W3C pointers for how we reference code snippets.  There is a proposal to replace this well-established albeit complex vocabulary with a simple positive integer property in SPDX 3.0. 

 

With the #1 complaint on SPDX being the complexity, we should be careful we don’t complicate the model in order to support use cases that are rarely used in practice.  To use an analogy from Physics, we don’t need a model that includes quantum effects, quarks and leptons if all we want to describe is the effect of air friction on a moving vehicle.

 

I would propose for any changes to the model where there would be an increase in complexity, we ask the following questions:

  • What use cases require the change?
  • Are these use cases important for SBOM consumers or suppliers?
  • Are there practical examples of these use cases being implemented today or planned to be implemented in the near future?
  • Is there a simpler approach to the model that satisfies the same use cases?
  • Is the increase in complexity worth supporting these additional use cases?  Or, to put it another way, would this change increase adoption by supporting more use cases or decrease adoption by increasing the complexity for implementation?

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of David Kemp
Sent: Wednesday, June 9, 2021 7:39 AM
To: Alexios Zavras <alexios.zavras@...>
Cc: Sean Barnum <sbarnum@...>; Spdx-tech@...
Subject: Re: [spdx-tech] Identity refactoring

 

+1.  Our wheelhouse is to design a document data structure that integrates smoothly with systems that are based on an ontology, not to design the ontology itself.

Dave

 

On Wed, Jun 9, 2021 at 3:53 AM Alexios Zavras <alexios.zavras@...> wrote:

Thanks, Sean, for the very interesting discussion yesterday.

 

I’d very much like to get it correctly. On the other hand, I’ve started to think that this is definitely not our core work and I’d hate for us to spend countless amount of hours trying to solve the complicated issues of identity/email/agent/etc.

Therefore… instead of us defining classes for all (many) of this stuff, can we point to some other ontology and use their classes? We are planning to do so in a number of other cases, anyway – what is “URL”, what is “String”, etc.

 

You did mention another comprehensive ontology that already deals with “Account”, “EmailAddress”, etc. Shouldn’t we simply point to that?

 

-- zvr

 


Re: Diagrams and documents

Gary O'Neall
 

Hi Dave,

 

I agree with your point on the challenge we are leaving up to implementers.  I am also concerned that if we don’t understand how the more general model could be implemented, we may end up finding fundamental flaws in the model late in the game.  In my experience, it is very common to change the model after discovering challenges during implementation.

 

Having an information model developed in parallel would be helpful in my opinion.

 

Would it be possible to generate the information model from the markdown template Alexios is working on?   If not, would it be feasible to add in enough information in markdown to make it possible to generate the information model?

 

Regards,

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of David Kemp
Sent: Tuesday, June 8, 2021 12:52 PM
To: SPDX-list <Spdx-tech@...>
Subject: [spdx-tech] Diagrams and documents

 

All,

On the call Sean mentioned, almost as an afterthought, a distinction between UML class diagrams and the notation used in the spdx3 diagram.  That has been bothering me for a while, as described in the attached note.

We have discussed things like optimization (types don't necessarily have to contain their properties if those properties could be inferred from elsewhere), but understanding, documenting, and coding how to infer or inherit missing values is a big ask of software developers.

I played a bit with information modeling at the April NTIA plugfest, but I believe it could play a role in specifying an implementable structure for SPDX3 documents.  More information on the relationship between class (or knowledge) models and information models is available in the introduction section of the JADN spec https://www.oasis-open.org/committees/document.php?document_id=68701.  The SPDX 3 diagram and its accompanying information model could evolve in parallel, making developers' lives easier.

 

Regards,
Dave


Re: Identity refactoring

David Kemp
 

+1.  Our wheelhouse is to design a document data structure that integrates smoothly with systems that are based on an ontology, not to design the ontology itself.

Dave


On Wed, Jun 9, 2021 at 3:53 AM Alexios Zavras <alexios.zavras@...> wrote:

Thanks, Sean, for the very interesting discussion yesterday.

 

I’d very much like to get it correctly. On the other hand, I’ve started to think that this is definitely not our core work and I’d hate for us to spend countless amount of hours trying to solve the complicated issues of identity/email/agent/etc.

Therefore… instead of us defining classes for all (many) of this stuff, can we point to some other ontology and use their classes? We are planning to do so in a number of other cases, anyway – what is “URL”, what is “String”, etc.

 

You did mention another comprehensive ontology that already deals with “Account”, “EmailAddress”, etc. Shouldn’t we simply point to that?

 

-- zvr

 


Re: Identity refactoring

Henk Birkholz
 

Hi Sean,

would it make sense to align the terminology used here with the terms used in this W3C Recommendation?

https://www.w3.org/TR/prov-o/

Viele Grüße,

Henk

On 08.06.21 19:31, Sean Barnum wrote:
All,
Here is the diagram I showed on the call with the proposed refactoring of Identity within the model.
Sean
Sean Barnum
C – 703-473-8262
sbarnum@... <mailto:sbarnum@...>
/We are here to change the world!/
signature_1388200754 <https://www.facebook.com/MITREcorp>signature_1442303485 <https://www.linkedin.com/company/mitre>signature_245889441 <https://twitter.com/MITREcorp>signature_984325223 <https://www.youtube.com/user/mitrecorp>signature_929545762 <https://plus.google.com/+MitreOrgFFRDCs/posts>
signature_1845422085 <http://www.mitre.org/>


Re: Identity refactoring

Alexios Zavras
 

Thanks, Sean, for the very interesting discussion yesterday.

 

I’d very much like to get it correctly. On the other hand, I’ve started to think that this is definitely not our core work and I’d hate for us to spend countless amount of hours trying to solve the complicated issues of identity/email/agent/etc.

Therefore… instead of us defining classes for all (many) of this stuff, can we point to some other ontology and use their classes? We are planning to do so in a number of other cases, anyway – what is “URL”, what is “String”, etc.

 

You did mention another comprehensive ontology that already deals with “Account”, “EmailAddress”, etc. Shouldn’t we simply point to that?

 

-- zvr

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Sean Barnum
Sent: Tuesday, 8 June, 2021 19:32
To: Spdx-tech@...
Subject: [spdx-tech] Identity refactoring

 

All,

 

Here is the diagram I showed on the call with the proposed refactoring of Identity within the model.

 

Sean

 

Sean Barnum

C – 703-473-8262

sbarnum@...

We are here to change the world!

signature_1388200754signature_1442303485signature_245889441signature_984325223signature_929545762

signature_1845422085

 

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva  
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928


Diagrams and documents

David Kemp
 

All,

On the call Sean mentioned, almost as an afterthought, a distinction between UML class diagrams and the notation used in the spdx3 diagram.  That has been bothering me for a while, as described in the attached note.

We have discussed things like optimization (types don't necessarily have to contain their properties if those properties could be inferred from elsewhere), but understanding, documenting, and coding how to infer or inherit missing values is a big ask of software developers.

I played a bit with information modeling at the April NTIA plugfest, but I believe it could play a role in specifying an implementable structure for SPDX3 documents.  More information on the relationship between class (or knowledge) models and information models is available in the introduction section of the JADN spec https://www.oasis-open.org/committees/document.php?document_id=68701.  The SPDX 3 diagram and its accompanying information model could evolve in parallel, making developers' lives easier.

Regards,
Dave


Identity refactoring

Sean Barnum
 

All,

 

Here is the diagram I showed on the call with the proposed refactoring of Identity within the model.

 

Sean

 

Sean Barnum

C – 703-473-8262

sbarnum@...

We are here to change the world!

signature_1388200754signature_1442303485signature_245889441signature_984325223signature_929545762

signature_1845422085

 


Outreach 7 June 2021 quick call summary and invitation

Manbeck, Jack
 

All,

 

This will be the last email cross posted to the technical list. All future emails for outreach will be on the outreach mailing list. So if you haven’t joined that list, and are interested, you should.

 

Thanks to everyone who attended the call today. Going forward we will keep the minutes in https://github.com/spdx/meetings and any new material the team creates in https://github.com/spdx/outreach .

 

Attached is a new calendar invite for people interested in participating on the outreach team. The invite is  for a weekly call until 8//2/2021 by which time we will set a regular call cadence that makes sense.

 

Best Regards,

 

Jack Manbeck

 

Call Details

 

In the attached ICS or here:

 

Date: Every Monday starting 7 June 2021  to 2 August 2021   10:00am Eastern Standard Time US or 2pm GMT.

 
https://meet.jit.si/SPDXGeneralMeeting

 

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers:
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio:
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 

 

 

 


Re: Call for participation on the outreach team

Joshua Marpet
 

I’ll do it. I podcast every week and would love to do outreach on behalf of SPDX and SBOM’s. 


Call for participation on the outreach team

Manbeck, Jack
 

All,

 

We are looking to give our outreach team a reboot after a bit of a hiatus. Anyone with an interest in outreach for SPDX or even possibly helping to chair the outreach team going forward is encouraged to attend.

 

Best Regards,

 

Jack Manbeck

 

Call Details

 

In the attached ICS or here:

 

Date: 7 June 2021  at 10:00am Eastern Standard Time US or 2pm GMT.

 
https://meet.jit.si/SPDXGeneralMeeting

 

To join by phone instead, tap this: +1.512.647.1431,,1310118349#

Looking for a different dial-in number?
See meeting dial-in numbers:
https://meet.jit.si/static/dialInInfo.html?room=SPDXGeneralMeeting


If also dialing-in through a room phone, join without connecting to audio:
https://meet.jit.si/SPDXGeneralMeeting#config.startSilent=true

 


Re: Need Guidance for Contribution in your project

Sebastian Crane
 

I received this email that was sent to the SPDX Legal mailing list ...
Oops, I meant to say SPDX *Tech* list! Sorry for any confusion.


Re: Need Guidance for Contribution in your project

Sebastian Crane
 

Dear all,

I received this email that was sent to the SPDX Legal mailing list, but
unfortunately my email service provider identified it as spam.

The message is quoted below in case others here missed it for the same
reason:

On Tue, May 04, 2021 at 03:08:04PM +0530, yash hira wrote:
Dear Sir,

I am anmol currently studying in BTECH CSE IN Guru Gobind Singh
Inderprastha University,Delhi.Can I contribute to your Project. If so
how can I. If you can guide me I will try my best.



Thanks

From anmol hira

Delhi,India


Re: SPDX in Wikipedia

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Thank you Gary.

 

I have updated the Wikipedia page (in English and French).

 

Marc-Etienne

 

From: Gary O'Neall <gary@...>
Sent: Wednesday, May 5, 2021 2:15 AM
To: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>; Spdx-tech@...
Subject: RE: [spdx-tech] SPDX in Wikipedia

 

Hi Marc-Etienne,

 

You are correct – the “+” operator is still valid.

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Tuesday, May 4, 2021 11:01 AM
To: Spdx-tech@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: [spdx-tech] SPDX in Wikipedia

 

Hello,

 

In the SPDX page on the English Wikipedia:

https://en.wikipedia.org/wiki/Software_Package_Data_Exchange

 

You can read the following:

 

Deprecated syntax[edit]

Starting version 2.0, it is no longer valid to use the + operator in a license identifier.[10] By removing this syntax, it left an undefined state for licenses accepting the current version and those after it, such as the GPL.[11] It was valid to use GPL-3.0-or-later, but it wasn't explicitly written in the specifications. This was fixed later with version 2.2.[12]

 

From my reading of the current SPDX 2.2, I consider this is wrong. It is only identifiers like GPL-2.0+ that are deprecated, but the “+” operator can still be applied to licences.

 

Can you please confirm so that I can update the Wikipedia page?

 

Best regards,

 

Marc-Etienne Vargenau

 

--
Marc-Etienne Vargenau marc-etienne.vargenau@...
Nokia, Route de Villejust, 91620 NOZAY, FRANCE

 


Re: SPDX in Wikipedia

Gary O'Neall
 

Hi Marc-Etienne,

 

You are correct – the “+” operator is still valid.

 

Gary

 

From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Tuesday, May 4, 2021 11:01 AM
To: Spdx-tech@...
Cc: Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <marc-etienne.vargenau@...>
Subject: [spdx-tech] SPDX in Wikipedia

 

Hello,

 

In the SPDX page on the English Wikipedia:

https://en.wikipedia.org/wiki/Software_Package_Data_Exchange

 

You can read the following:

 

Deprecated syntax[edit]

Starting version 2.0, it is no longer valid to use the + operator in a license identifier.[10] By removing this syntax, it left an undefined state for licenses accepting the current version and those after it, such as the GPL.[11] It was valid to use GPL-3.0-or-later, but it wasn't explicitly written in the specifications. This was fixed later with version 2.2.[12]

 

From my reading of the current SPDX 2.2, I consider this is wrong. It is only identifiers like GPL-2.0+ that are deprecated, but the “+” operator can still be applied to licences.

 

Can you please confirm so that I can update the Wikipedia page?

 

Best regards,

 

Marc-Etienne Vargenau

 

--
Marc-Etienne Vargenau marc-etienne.vargenau@...
Nokia, Route de Villejust, 91620 NOZAY, FRANCE

 


SPDX in Wikipedia

Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
 

Hello,

 

In the SPDX page on the English Wikipedia:

https://en.wikipedia.org/wiki/Software_Package_Data_Exchange

 

You can read the following:

 

Deprecated syntax[edit]

Starting version 2.0, it is no longer valid to use the + operator in a license identifier.[10] By removing this syntax, it left an undefined state for licenses accepting the current version and those after it, such as the GPL.[11] It was valid to use GPL-3.0-or-later, but it wasn't explicitly written in the specifications. This was fixed later with version 2.2.[12]

 

From my reading of the current SPDX 2.2, I consider this is wrong. It is only identifiers like GPL-2.0+ that are deprecated, but the “+” operator can still be applied to licences.

 

Can you please confirm so that I can update the Wikipedia page?

 

Best regards,

 

Marc-Etienne Vargenau

 

--
Marc-Etienne Vargenau marc-etienne.vargenau@...
Nokia, Route de Villejust, 91620 NOZAY, FRANCE

 

781 - 800 of 4853