Re: [spdx-tech] SPDX file naming

2017-08-12 Thread W. Trevor King
On Sat, Aug 12, 2017 at 11:27:51AM -0700, g...@sourceauditor.com wrote:
> 3)  [packagename].spdx where packagename is the name of the package
> 
> Note that #3 is currently in use.

My concern with the current SPDXParser.spdx [1] is that it is not
immediately obvious that the file applies to the whole repository and
not just to some subset thereof.  I'd also be fine with
spdx-tools.spdx (or spdx-tools-spdx.rdf), since that's more clearly
scoped to cover the whole repository.

I'm fine with options one and two, although note that the spec
currently has package.spdx examples [2] as well as an example with
[3]:

  An SPDX document ‘WildFly.spdx’ describes package ‘WildFly’.  Note
  this is a logical relationship to help organize related items within
  an SPDX document that is mandatory if more than one package or set
  of files (not in a package) is present.

I'm also fine with different recommendations for different contexts
(e.g. project.spdx for a project-wide SPDX file in the project's
repository and ${PROJECT_NAME}.spdx for that same SPDX content in a
multi-project context).

And I agree that it would be good to update the spec to clearly
describe whatever convention we decide on and then consistently follow
that recommendation.

> We should also decide the suffixes for tag/value and RDF
> (e.g. LICENSE.rdf or LICENSE.spdx.rdf).

This is already covered in the spec [4]:

  Should be easy to recognize in a file system without opening the
  file.  A suggested naming convention is to use *.spdx (for tag-value
  format) and *-spdx.rdf for RDF format.

The spec seems to conflate “RDF” and “RDF/XML” (there are several
other RDF serialization formats [5]), and it would be good to start
making that distinction.  But, the recommended extension for RDF/XML
is .rdf [6], so we wouldn't have to change the recommended extension
for RDF/XML.

Cheers,
Trevor

[1]: https://github.com/spdx/tools/blob/0d020dbdd3fabe96b1e7bce88216de0f679e9dfb/SPDXParser.spdx
[2]: https://spdx.org/spdx-specification-21-web-version#h.2p2csry
[3]: https://spdx.org/spdx-specification-21-web-version#h.apg85dj5o8wx
[4]: https://spdx.org/spdx-specification-21-web-version#h.3dy6vkm
[5]: https://en.wikipedia.org/wiki/Resource_Description_Framework#Serialization_formats
[6]: https://tools.ietf.org/html/rfc3870#section-2

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy


___
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech


[spdx-tech] SPDX file naming

2017-08-12 Thread gary
I would like to bring an issue that was raised on the SPDX tools github repo
regarding the name of the SPDX file to the larger mailing list:
https://github.com/spdx/tools/issues/107#issuecomment-321548533

Background: Although an SPDX file was present in the repo, it was not easily
found.  There are some references in the spec as to how to name the SPDX
file, however, it isn't specific to source code repositories.

Proposal: Add a "best practice" and/or FAQ on how to name SPDX files in the
source code repository.  There are a couple of proposals made in the issue
by various contributors -

1)  LICENSE.spdx
2)  PACKAGE.spdx
3)  [packagename].spdx where packagename is the name of the package

Note that #3 is currently in use.

We should also decide the suffixes for tag/value and RDF (e.g. LICENSE.rdf
or LICENSE.spdx.rdf).

 

Below are a few snippets from the issues list - please refer to the actual
issue for more detail.

wking commented 4 days ago

On Tue, Aug 08, 2017 at 10:51:17PM -0700, stcroppe wrote:
> Need an SPDX file (files?) unless you think the SPDXParser.spdx file
> covers this.

In benbalter/licensee#85, @david-a-wheeler suggested LICENSE.spdx, and
that seems like a good choice to me.

> Would think an SPDX folder might work or standard naming
> (project.spdx, package.spdx).

The spec also uses package.spdx in an example [1], so I think that would be
a good choice as well.

[1]: https://spdx.org/spdx-specification-21-web-version#h.2p2csry

david-a-wheeler commented 2 days ago

I think LICENSE.spdx is the better name. Many tools and documents already
say that files named LICENSE are special.

silverhook commented 2 days ago

I very much like the LICENSE.spdx option as well - it pops out, is more
descriptive than other suggestions, and as @david-a-wheeler mentions, it looks
like something both a human (or a tool) would be looking for.

The only downside I can see is that SPDX contains also technical info and
maybe in the future those will be as interesting as the legal info stored in
the same file.

Please let me know any thoughts.  We can also add this to one of the
upcoming tech calls.

Thanks,
Gary

Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email:   g...@sourceauditor.com
