Re: Package, mandatory?


Kate Stewart
 

Hi Jonas

On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg <jonas@...> wrote:
Hi everyone,

as you know, the FSFE is working on a project, REUSE, which has as one of
its recommendations to produce a SPDX conformant bill of materials, if one
can be generated automatically.

As part of this project, I'm putting together a few template/example
repositories which does exactly this. I will definitely make a lot of
assumptions in generating the SPDX file, and it won't scale well beyond
the example, but it's still an interesting practice.

In this, I've discovered what feels like an inconsistency in the
specification, or its implementation.

I would like to bring your attention to version 2.1, section 3[^1] which
deals with the package information. The description is given as

  "One instance of the Package Information is required per package being described."

However, the cardinality is given as "Optional, one or many." I'm not sure
exactly how to interpret this, as I noticed the spdx-tools fails when
converting from tag format to RDF if I don't have a Package specified.

Prior to 2.0,  the expectation was that there would only be a single package
with a set of files in each SPDX document.    

When we introduced relationships/identifiers, in 2.0, we were able to extend the specification 
to handle multiple packages could be present in the same SPDX document (cardinality (Many)).   
Similarily it was recognized that an SPDX document could be just a grouping of files 
(ie. a set of binary files and an artificial package to encompass them all was not needed). (hence
Optional).    I can see though that we should have been clearer. 

The tools should be able to handle the translation,  so yes,  go ahead and log a bug there too.
 

If I know where the bug is (specification, me, spdx-tools), I can file a
more appropriate bug report or fix my own code :-)

Bug in the spdx-tools,   improvement in wording needed in the specification - so
please go ahead and log issues against both. 

Thanks, Kate
 


[^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp


Best regards,

--
Jonas Öberg
Executive Director

FSFE e.V. - keeping the power of technology in your hands. Your
support enables our work, please join us today http://fsfe.org/join
_______________________________________________
Spdx mailing list
Spdx@...
https://lists.spdx.org/mailman/listinfo/spdx

Join spdx@lists.spdx.org to automatically receive all group messages.