Package, mandatory?
Gary O'Neall
Hi Jonas,
> However, the cardinality is given as "Optional, one or many." I'm not

I would call this a bug in the SPDX tools. If you could log an issue in the git repo and upload a tag/value file which reproduces the error, I'll take a look at it (https://github.com/spdx/tools/issues).

Thanks for reporting the issues.

Gary
Kate Stewart
Hi Jonas

On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg <jonas@...> wrote:

> Hi everyone,

Prior to 2.0, the expectation was that there would only be a single package with a set of files in each SPDX document. When we introduced relationships/identifiers in 2.0, we were able to extend the specification so that multiple packages could be present in the same SPDX document (cardinality (Many)). Similarly, it was recognized that an SPDX document could be just a grouping of files (i.e. a set of binary files and an artificial package to encompass them all was not needed). (hence Optional).

I can see though that we should have been clearer. The tools should be able to handle the translation, so yes, go ahead and log a bug there too.

Bug in the spdx-tools, improvement in wording needed in the specification - so please go ahead and log issues against both.

Thanks, Kate
Jonas Oberg
Hi everyone,
as you know, the FSFE is working on a project, REUSE, which has as one of its recommendations to produce an SPDX conformant bill of materials, if one can be generated automatically. As part of this project, I'm putting together a few template/example repositories which do exactly this. I will definitely make a lot of assumptions in generating the SPDX file, and it won't scale well beyond the example, but it's still an interesting practice.

In this, I've discovered what feels like an inconsistency in the specification, or its implementation. I would like to bring your attention to version 2.1, section 3[^1] which deals with the package information. The description is given as "One instance of the Package Information is required per package being described."

However, the cardinality is given as "Optional, one or many." I'm not sure exactly how to interpret this, as I noticed the spdx-tools fails when converting from tag format to RDF if I don't have a Package specified.

If I know where the bug is (specification, me, spdx-tools), I can file a more appropriate bug report or fix my own code :-)

[^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp

Best regards,

--
Jonas Öberg
Executive Director
FSFE e.V. - keeping the power of technology in your hands.
Your support enables our work, please join us today http://fsfe.org/join