New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add new relationship DEPENDENCY_MANIFEST_OF #174
Comments
I'm trying to make sure I understand this, so here's a concrete example and some questions :) Let's say I'm preparing an SPDX file for https://github.com/swinslow/containerapp. That repo has two main directories:
So we're talking a mix of Golang, NPM/JavaScript and Docker containers (as well as a smattering of other things, but ignore those) I think the idea you're proposing is that there would be one "top-level" package, say
and then subdependencies would also use DEPENDENCY_ROOT_OF to point up to their parent:
and (this is the part I'm particularly unclear on) that it would be semantically invalid for any dependency to be in the tree for more than one component, because that would create a cycle and/or a node with multiple parents:
Is that the idea? I might be way off-base here from what you're picturing... just trying to put some concrete terms around what the proposal is, because I'm having trouble articulating the intended difference between it and existing Relationships for dependencies. |
Discussion on call, name may need to be revisited. This is the file that defines all the dependencies is useful. Metadata file was sort of intended for this, but Gary sees the value. |
Example as requested based on https://github.com/heremaps/oss-review-toolkit/blob/master/reporter-web-app/package.json
|
From call preference instead of DEPENDENCY_ROOT_OF, use DEPENDENCY_MANIFEST_OF. |
Example wording: "Is to be used when SPDXRef-A is a manifest file that lists a set of dependencies for SPDXRef-B" |
For the example: "A file package.json is the dependency manifest of a package NPMApp" |
In the case of the NPM example, we expect that the package.json file will be the dependency manifest of, and the package-lock.json will be generated from. Lock files should not be considered as dependency-manifests. Key here is we need a root for dependency tree, and if we're using dependency_manifest, we want to make sure its considered root implicitly. From call, we'll go with a PR for dependency_manifest, and document that there is only one so it can be considered as root. |
@tsteenbe - an estimate on PR? |
Relates-to: #174. Signed-off-by: Thomas Steenbergen <thomas.steenbergen@here.com>
Relates-to: #174. Signed-off-by: Thomas Steenbergen <thomas.steenbergen@here.com>
Relates-to: #174. Signed-off-by: Thomas Steenbergen <thomas.steenbergen@here.com>
Relates-to: #174. Signed-off-by: Thomas Steenbergen <thomas.steenbergen@here.com>
Relates-to: #174. Signed-off-by: Thomas Steenbergen <thomas.steenbergen@here.com>
DEPENDENCY_ROOT_OF to describe the relationship from package to package to describe the root of the dependency tree. Motivation: This relationship allows SPDX creator to tell which package is the root of a dependency tree for a specific package without any SPDX render will not now how to render a SPDX as a tree.
This issue is continuation of #168
The text was updated successfully, but these errors were encountered: