-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential punch list for issues regarding the SPDX2->3 conversion #74
Comments
My 2 cents on the punchlist - since I won't be able to join next Tuesday's tech call:
I don't think so. I recall a discussion where we could represent a "default namespace" that would be used. That being said, I don't see a way to represent the default namespace using the namespace map. Perhaps others on the call recall how this is done.
From the 2.3 spec: "File Type is intrinsic to the file, independent of how the file is being used." whereas SoftwarePurpose is more about the intent of how the file is used. So, FileType should be translated to contentType which uses the MIME standard.
Good point - I think we should change the cardinality in the spec to allow for more than one content type.
We were thinking of using a relationship. If it is a folder, then we would probably create a separate "package" definition to represent the folder? The folder scenario is one I have not thought through and probably deserves more discussion.
If that is the case, we can require the checksum in the Integrity profile
I wonder if the build profile would service this purpose?
The idea is we would have a separate verification implementation for packages that would include this information. The work for this hasn't been done.
I think that was the discussion, however, I still think a property would be easier to parse/follow. If I recall, I reluctantly agreed to it being a relationship. |
The build profile has some established relationships on the files themselves. So the information would be encodable by the build profile relationships. However, that is just the ability to express the relationship. I'd be curious to discuss what the integrity story would look like (as it ties into verification). I think that's probably something to discuss... since with the build profile the granularity of identities may be more granular and harder to manage. |
This is resolved by addition of Changes Annex to the 3.0 Specification (was migration guide) from Gary. Marking this as resolved. |
Since the only remaining item issue #84 is now targeted for 3.1 and all other items are documented in the diff's annex, I'm going to close this issue |
This is a punchlist of problems we are currently facing when converting SPDX2 to SPDX3. See also this spreadsheet for an overview of the current state.
Please feel free to comment on any of the points below. Small remarks can go right here in this issue, but if you want to start an in-depth discussion on any of the points, please open and link a new issue (edit this post) to keep this issue comprehensive.
CreationInformation properties:
File properties:
Package properties:
Relationship properties:
to
property of the SPDX3 relationship, which is anElement
. ButrelatedSpdxElement
can also take the valuesNONE
andNOASSERTION
. How should these be converted to anElement
?completeness
relationSnippet properties:
contains
relationship from the containing file to the contained snippet?The text was updated successfully, but these errors were encountered: