Package, mandatory?
Jonas Oberg
Hi everyone,
as you know, the FSFE is working on a project, REUSE, which has as one of its recommendations to produce an SPDX-conformant bill of materials, if one can be generated automatically. As part of this project, I'm putting together a few template/example repositories which do exactly this. I will definitely make a lot of assumptions in generating the SPDX file, and it won't scale well beyond the example, but it's still an interesting practice.

In this, I've discovered what feels like an inconsistency in the specification, or its implementation. I would like to bring your attention to version 2.1, section 3[^1], which deals with the package information. The description is given as "One instance of the Package Information is required per package being described." However, the cardinality is given as "Optional, one or many."

I'm not sure exactly how to interpret this, as I noticed the spdx-tools fails when converting from tag format to RDF if I don't have a Package specified. If I know where the bug is (specification, me, spdx-tools), I can file a more appropriate bug report or fix my own code :-)

[^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp

Best regards,

--
Jonas Öberg
Executive Director
FSFE e.V. - keeping the power of technology in your hands.
Your support enables our work, please join us today http://fsfe.org/join