Add a specific readme for SPDX3 with open questions and other notes
related to the PoC.

Signed-off-by: Marta Rybczynska <marta.rybczyn...@syslinbit.com>
---
 README.SPDX3 | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 README.SPDX3

diff --git a/README.SPDX3 b/README.SPDX3
new file mode 100644
index 0000000000..57f98756ab
--- /dev/null
+++ b/README.SPDX3
@@ -0,0 +1,42 @@
+This repository contains the Proof-of-Concept code for SPDX3 support
+in the Yocto Project.
+
+What does the code include:
+* The SPDX3 generation with JSON-LD serialization, still using .json extension
+* Implementations of the core, and software profiles
+
+Here are the known limitations:
+* At the time of writing this code, the SPDX3 specification is still undergoing
+  changes. Especially, the root element has not been yet decided. Because of
+  that, the code might require changes when the final specification is
+  released.
+
+* Some parts of the SPDX3 require clarifications. Current issues:
+  - Software.Package.homepage is sometiemes also called homePage: need to
+    confirm spelling
+  - Core.Relationship.from needs special care in Python as it conflicts
+    with a built-in
+  - should suppliedBy be serialized by an array or as a single string?
+  - In examples, SpdxDocument has an attribute namespace. It does not in the
+    documentation
+  - what is the equivalent of the documentNamespace that was in 2.2?
+
+* SPDX3 introduces modular model, where content depends on the profile used.
+  The configuration of profiles to generate needs to be reworked. Today,
+  generation is gated by variables shared with SPDX2.2 code like
+  SPDX_INCLUDE_SOURCES. In SPDX3 it could be done by enabling specific
+  profiles and variables like SPDX3_ENABLE_LICENSING or SPDX3_ENABLE_SECURITY.
+
+* The implementation includes data similar to the YP SPDX 2.2 content. SPDX 3.0
+  has additional profiles and fields that did not exist in the earier version.
+  The project needs a discussion on what is useful to include in the YP SPDX.
+  Additional profiles and classes might be implemented to carry that data.
+
+* The security profile implementation has been prototyped. However, some part
+  of the needed data is necessary from the cve-check database (for example:
+  CVSS). Obtaining the information is possible, but will require dependency on
+  the cve-check to download the database, then refactoring of the cve-check
+  database accesses so that they can be done from other classes while keeping
+  correct locks. Also, VulnAssessmentRelationship requires classification
+  of fixes as "Fixed", "NotAffected", while YP cve-check has only one category
+  for both. At the moment of writing this, there is a patch on the ML.
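Review bot: the item "Core.Relationship.from needs special care in Python as it conflicts with a built-in" is slightly off: `from` is a reserved keyword in Python, not a built-in name, so it can never be used as a bare attribute after a dot (`rel.from`), which is presumably why the special care is needed; suggest wording it as "conflicts with the Python keyword `from`". Two typos in the same list: "sometiemes" should be "sometimes" (the Software.Package.homepage item) and "earier" should be "earlier" (the SPDX 3.0 profiles item). In the "What does the code include" list, "JSON-LD serialization, still using .json extension" would read better with a word on why the conventional `.jsonld` extension is not used yet, since the file states elsewhere that things may change once the specification is final.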
-- 
2.42.0

View/Reply Online (#189717): 
https://lists.openembedded.org/g/openembedded-core/message/189717