https://bugs.linuxfoundation.org/show_bug.cgi?id=1298

             Bug #: 1298
           Summary: Proposal for specifying external package relationships
           Product: SPDX
           Version: 2.0
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Spec
        AssignedTo: [email protected]
        ReportedBy: [email protected]
    Classification: Unclassified


Problem/story:

As a component developer, I am looking to describe the dependencies of my
component on external projects. There are three methods available in the
current SPDX specification.

* The artifactOf property on a File. However, this property is file-specific
and does not effectively communicate the dependency on a package level. It also
does not communicate the exact relationship of a file to the external entity.
Is a file a part of the target project? Generated by/from the target project?
Something else?
* A relationship to the SPDX document describing the target entity. This is the
suggested alternative to the artifactOf property where the target project has an
available SPDX document. However, as most open-source components available
today do not have a published SPDX document, I appear forced to create and
publish my own document for each component my project depends on. This does not
appear to be appropriate.
* The current package entity seems best suited for describing a dependency,
offering supplier, download location, homepage, license information, etc.
Additionally, the package can already have an optional “described by”
relationship to an external SPDX document if such document exists, while still
providing meaningful information when it doesn’t. The problem with this
approach is that a package requires a “package verification code”. If each
component developer creates his own verification code for each external
package, his choice of excluded or included files may not agree with that of
another developer (source vs. built artifacts, including vs. not including
dependencies, etc.).

Proposal:
I would like to add an ExternalPackage entity. An ExternalPackage contains only
the subset of the Package attributes that describe the source and origin of the
package.

Specifically:

* description
* downloadLocation
* homepage
* licenseDeclared
* originator
* packageFilename
* checksum (of the downloaded package file)
* supplier
* versionInfo
* external system identifiers (if implemented per Bill Schineller’s suggestion
at
http://wiki.spdx.org/view/Technical_Team/Minutes/2015-05-15#External_.2F_Package_Management_systems_identifiers)

If an SPDX document describing the package is available, it can be referenced
via the “described by” relationship.

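The following is an added illustration, not code from the SPDX project or from the bug reporter: a hypothetical Python model of the proposed ExternalPackage entity carrying only the origin fields listed above (no package verification code), with a check that a downloaded package file matches the declared checksum, and a tag-value rendering whose tag names are invented here rather than taken from the SPDX specification.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def checksum_of(data: bytes, algo: str = "SHA256") -> str:
    """Checksum string in the form '<ALGO>: <hex>' over the downloaded file bytes."""
    return f"{algo}: {hashlib.new(algo.lower(), data).hexdigest()}"


@dataclass
class ExternalPackage:
    """Hypothetical ExternalPackage: the origin subset of Package, no verification code."""
    name: str
    downloadLocation: str
    checksum: str                       # checksum of the downloaded package file
    versionInfo: Optional[str] = None
    description: Optional[str] = None
    homepage: Optional[str] = None
    licenseDeclared: Optional[str] = None
    originator: Optional[str] = None
    packageFileName: Optional[str] = None
    supplier: Optional[str] = None
    externalRefs: List[Tuple[str, str]] = field(default_factory=list)  # (system, identifier)
    describedBy: Optional[str] = None   # reference to an external SPDX document, if one exists

    def verify_download(self, data: bytes) -> bool:
        """True when the downloaded bytes hash to the declared checksum (same algorithm)."""
        algo, _, expected = self.checksum.partition(":")
        actual = hashlib.new(algo.strip().lower(), data).hexdigest()
        return actual == expected.strip().lower()

    def to_tag_value(self) -> str:
        """Render set fields as 'Tag: value' lines; tag names are invented for this example."""
        lines = [f"ExternalPackageName: {self.name}",
                 f"ExternalPackageDownloadLocation: {self.downloadLocation}",
                 f"ExternalPackageChecksum: {self.checksum}"]
        for key in ("versionInfo", "description", "homepage", "licenseDeclared",
                    "originator", "packageFileName", "supplier", "describedBy"):
            value = getattr(self, key)
            if value is not None:
                lines.append(f"ExternalPackage{key[0].upper()}{key[1:]}: {value}")
        lines += [f"ExternalPackageExternalRef: {system} {ident}" for system, ident in self.externalRefs]
        return "\n".join(lines)


if __name__ == "__main__":
    archive = b"constructed sample archive bytes"   # constructed stand-in for a downloaded tarball
    pkg = ExternalPackage(name="example-lib", downloadLocation="https://example.org/example-lib-1.0.tgz",
                          checksum=checksum_of(archive), versionInfo="1.0", licenseDeclared="MIT",
                          externalRefs=[("npm", "example-lib@1.0")])
    print(pkg.to_tag_value())
    print("download verified:", pkg.verify_download(archive))
```

Two developers who record the same download location and the same file checksum describe the same artifact regardless of which files each would have included in a verification code, which is the agreement problem the proposal raises.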