Package, mandatory?


Jonas Oberg
 

Hi everyone,

as you know, the FSFE is working on a project, REUSE, which has as one of
its recommendations to produce an SPDX-conformant bill of materials, if one
can be generated automatically.

As part of this project, I'm putting together a few template/example
repositories which do exactly this. I will definitely make a lot of
assumptions in generating the SPDX file, and it won't scale well beyond
the example, but it's still an interesting practice.

In this, I've discovered what feels like an inconsistency in the
specification, or its implementation.

I would like to bring your attention to version 2.1, section 3[^1] which
deals with the package information. The description is given as

"One instance of the Package Information is required per package being described."

However, the cardinality is given as "Optional, one or many." I'm not sure
exactly how to interpret this, as I noticed the spdx-tools fails when
converting from tag format to RDF if I don't have a Package specified.

If I know where the bug is (specification, me, spdx-tools), I can file a
more appropriate bug report or fix my own code :-)


[^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp


Best regards,

--
Jonas Öberg
Executive Director

FSFE e.V. - keeping the power of technology in your hands. Your
support enables our work, please join us today http://fsfe.org/join


Kate Stewart
 

Hi Jonas

On Tue, Sep 26, 2017 at 7:11 AM, Jonas Oberg <jonas@...> wrote:
> Hi everyone,
>
> as you know, the FSFE is working on a project, REUSE, which has as one of
> its recommendations to produce an SPDX-conformant bill of materials, if one
> can be generated automatically.
>
> As part of this project, I'm putting together a few template/example
> repositories which do exactly this. I will definitely make a lot of
> assumptions in generating the SPDX file, and it won't scale well beyond
> the example, but it's still an interesting practice.
>
> In this, I've discovered what feels like an inconsistency in the
> specification, or its implementation.
>
> I would like to bring your attention to version 2.1, section 3[^1] which
> deals with the package information. The description is given as
>
> "One instance of the Package Information is required per package being described."
>
> However, the cardinality is given as "Optional, one or many." I'm not sure
> exactly how to interpret this, as I noticed the spdx-tools fails when
> converting from tag format to RDF if I don't have a Package specified.

Prior to 2.0, the expectation was that there would only be a single package
with a set of files in each SPDX document.

When we introduced relationships/identifiers in 2.0, we were able to extend the specification
to handle multiple packages being present in the same SPDX document (cardinality: many).
Similarly, it was recognized that an SPDX document could be just a grouping of files
(i.e. a set of binary files, where an artificial package to encompass them all was not needed), hence
"optional". I can see, though, that we should have been clearer.

The tools should be able to handle the translation, so yes, go ahead and log a bug there too.
 

> If I know where the bug is (specification, me, spdx-tools), I can file a
> more appropriate bug report or fix my own code :-)

Bug in the spdx-tools; improvement in wording needed in the specification. So
please go ahead and log issues against both.

Thanks, Kate
 


> [^1]: https://spdx.org/spdx-specification-21-web-version#h.4i7ojhp
>
> Best regards,
>
> --
> Jonas Öberg
> Executive Director
>
> FSFE e.V. - keeping the power of technology in your hands. Your
> support enables our work, please join us today http://fsfe.org/join
> _______________________________________________
> Spdx mailing list
> Spdx@...
> https://lists.spdx.org/mailman/listinfo/spdx
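Kate's point above, that a 2.x document may carry zero, one or many Package sections, as an added example that is not from the thread or from spdx-tools: a small tag/value checker that accepts a files-only document. The REQUIRED tag lists are an assumed subset of the mandatory tags in spec 2.1 sections 3 and 4, and the sample document is constructed.

```python
# Added example, not from the thread or from spdx-tools: a small SPDX 2.1
# tag/value checker that treats Package as "optional, one or many", so a
# document holding only files passes. REQUIRED lists a subset of the
# mandatory tags of spec 2.1 sections 3 and 4, assumed enough for the demo.
import re

SECTION_START = {"PackageName": "package", "FileName": "file"}
REQUIRED = {"package": ("PackageName", "SPDXID", "PackageDownloadLocation"),
            "file": ("FileName", "SPDXID", "FileChecksum")}
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_sections(text):
    """Split tag/value text into (kind, {tag: value}) sections: the document
    first, then one section per PackageName or FileName tag encountered."""
    # Fold multi-line <text>...</text> values so each tag sits on one line.
    text = re.sub(r"<text>(.*?)</text>",
                  lambda m: " ".join(m.group(1).split()), text, flags=re.S)
    sections = [("document", {})]
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:  # blank lines and '#' comments carry no tag
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag in SECTION_START:
            sections.append((SECTION_START[tag], {}))
        sections[-1][1][tag] = value
    return sections


def check_document(text):
    """Return (package_count, problems); an empty problems list means the
    document passes. Zero packages is fine: since 2.0 files may stand alone."""
    sections = parse_sections(text)
    problems = []
    for kind, fields in sections[1:]:
        for tag in REQUIRED[kind]:
            if not fields.get(tag):
                problems.append(f"{kind} {fields.get('SPDXID', '?')}: missing {tag}")
    return sum(kind == "package" for kind, _ in sections), problems


# Constructed sample: a REUSE-style document with one file and no Package.
FILES_ONLY = """SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
FileName: ./src/main.c
SPDXID: SPDXRef-main
FileChecksum: SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
LicenseConcluded: GPL-3.0-or-later
"""
```

`check_document(FILES_ONLY)` returns `(0, [])`: no Package section and no missing mandatory tags, which is the outcome the tag-to-RDF conversion Jonas describes should also accept.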


Gary O'Neall
 

Hi Jonas,

> However, the cardinality is given as "Optional, one or many." I'm not
> sure exactly how to interpret this, as I noticed the spdx-tools fails
> when converting from tag format to RDF if I don't have a Package
> specified.

I would call this a bug in the SPDX tools. If you could log an issue in the
git repo and upload a tag/value file which reproduces the error, I'll take a
look at it (https://github.com/spdx/tools/issues).

Thanks for reporting the issues.

Gary