How to use SPDX as a package manifest #439
Comments
+1 from me on the general approach! I haven't held it up yet against the SPDX 2.2 example file for YAML (which I suspect is the closest we currently have to specifying how this should look) but I like this approach. A couple of minor comments from a first glance:
And an example / question:
Really I'm asking if
@swinslow Thank you for your feedback, I fixed
Noticed I forgot to add the required package verification code. Am I correct that I simply add the SHA1 sum for https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz? e.g.
What should be the package verification code value if the package is a specific SHA1 taken from a GitHub repo?
@tsteenbe I don't think package verification code is required when filesAnalyzed is false...
https://spdx.github.io/spdx-spec/v2-draft/package-information/#79-package-verification-code-field Cardinality | 0..1 if FilesAnalyzed (7.8) is true or omitted, 0..0 (must be omitted) if FilesAnalyzed is false.
@swinslow You're right, forgot about that... still interested: if filesAnalyzed were true, what would the value be?
@tsteenbe that's a good question and I don't know the answer :) If I understand the question, I'd assume the process is:
Let me know if there's something I'm missing in your hypo... (but I assume that for this manifest format, the presumption should be that people will want to use
One other simplification to consider: If the document will have only one package in it, then I don't think you need a
That's true for tag/value but not true for RDF/XML and undefined for YAML/JSON/XML. I personally would like to make documentDescribes required even if it is only one package. This makes it easier for tooling and humans alike and avoids possible human error when creating or reading the files.
On the tech call today, it was suggested that any of the serialization formats be allowed. I don't know if all formats need to be supported - we could restrict it to more human-readable versions. Since tag/value also has some structural issues in representing nested objects, we could start with YAML and JSON. Once XML is solid, we may want to add that since many of the current package managers use XML (e.g. Maven).
@goneall My idea was to start with a
@goneall @zvr What do you think would be a good recommendation to use? I know the spec says http://[CreatorWebsite]/[pathToSpdx]/[DocumentName]-[UUID], so my recommendation would be to use the URL from which the SPDX file can be directly downloaded. For the SPDX 2.2 example it would be https://raw.githubusercontent.com/spdx/spdx-spec/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml. Or alternatively, if one does not have a website, use http://spdx.org/spdxdocs/[DocumentName].
I like having the URL where the SPDX file is located. The only thing that may be an issue is if the SPDX file is ever modified at the same URL, it really should have a different namespace. I was thinking if we could have the commit hash in the namespace, but that wouldn't work since you could only get the commit hash after you committed the file containing the namespace - a bit of a recursive problem. Adding a generated UUID at the end of the URL would help make sure it is unique. Not easy to generate by hand, but there are websites that can generate UUIDs (e.g. https://www.uuidgenerator.net/version4).
Have I ever mentioned SWHIDs? ;-) Well, it turns out that these marvelous SWHIDs can be used not only for values of external reference fields, but also incorporated into strings like document names and namespaces... (e.g. http://corp.com/spdx/swh:1:dir:7a6bcf6db04fd1984f15750b9317d505c9d476d2).
Nit: Shouldn't the file be called
+1 from my side, sounds like the best approach I have heard in this regard so far.
@tsteenbe, would you mind updating your original post accordingly so we have one place which contains the latest / complete example?
@sschuberth Example updated, note that package verification code is not needed as
@swinslow Yes, that's how we always interpreted Used "NOASSERTION" as the value
However, creator of
I don't think we can prescribe how a package-level concluded license is constructed from the (concluded) licenses of the different contents. It might be License-1, or License-2, or License-1 AND License-2, or ... In the specific case that @tsteenbe describes, where the package
See spdx/spdx-spec#439 for details. Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
@tsteenbe, shouldn't this bit
rather say
I.e. use Edit: More findings:
@sschuberth Fixed DEPENDS_ON is "Package A depends on the presence of package B in order to build and run" - whilst in the example I assume openssl and curl to be part of package XYZ. You would use DEPENDS_ON for example if package XYZ depends on the system library curl on, say, Android.
Hmm. And what relation would you use for a dependency on a dynamic library that is not a system library,
See the discussion at spdx/spdx-spec#439 for details. Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
@sschuberth The differences between To make things even more complex there is also a See also #154 in which
👍 on that one, as having both
example taken from spdx/spdx-spec#439 coming from ART people Signed-off-by: Pierre Tardy <pierre.tardy@renault.com>
Closing this, as I believe the original point has been answered. Please reopen if you disagree.
In several use cases OSS is copied into a code repository instead of being included via a package manager. As OSS Review Toolkit we would like to offer users a way to define package metadata as SPDX, for example for a C/C++ package that was copied into a project.
We prefer to use SPDX over, say, DOAP or AboutCode. We came up with the minimal SPDX file below - is this file correct/valid or is there a better way to do it?
Note: This ticket's description has been updated multiple times based on people's feedback and went from a simple question to a mini specification/cookbook.
Specification

The SPDX package manifest file must:
- end in `.spdx.yml`, `.spdx.yaml` or `.spdx.json`.

We recommend to use:
- `package` or the name of the package for the name of the manifest file, e.g. `package.spdx.yml` or `[name of package].spdx.yml`, if you are describing a single root package, or
- `project` or the name of the project for the name of the manifest file, e.g. `project.spdx.yml` or `[name of project].spdx.yml`, if you are describing a project that holds multiple other packages.

Examples

A) Project is a private fork of curl 7.70.0 in its own repository.
B) Project is a private fork of curl 7.70.0 in directory `libs/curl` within the project's repository.

Idea: For A) and B) add a file named `package.spdx.yml` or `curl.spdx.yml` to either the root of the repository for A) or to the root of the `libs/curl` directory for B).

Directory lay-out for scenario B):

`package.spdx.yml`:

Project XYZ code repository contains two subdirectories with private forks of curl 7.70.0 in directory `./libs/curl` and openssl 1.1.1g in directory `./libs/openssl`.

Idea: Add a file named `project.spdx.yml` or `xyz.spdx.yml` in the root of the code repository containing project xyz, e.g. `project.spdx.yml`: