Gary O'Neall:
> I agree with the need to document a simple tutorial for including SPDX files
> for original code. I also agree it would be good to maintain the same tag
> names and definitions as used in the SPDX document standard. We might as
> well leverage the work done as long as it is appropriate for the use case.
> It would also make it easier and more accurate for downstream consumers and
> suppliers of open source to produce SPDX documents.
> I would also propose we re-open the discussion on a "light" version that
> could be used for original code developers with less required fields.
> We ended up supporting a very large number of use cases in the 2.0 spec, which
> unfortunately had the side effect of having a lot of additional fields that
> may not be applicable for some of the specific use cases such as documenting
> license information for originating open source projects.

I suggest creating a relatively short spec for the specific use case of recording key source data from originating developers. The spec could be short - a page or two - since it's really just a profile of an existing specification (per <https://en.wikipedia.org/wiki/Profile_%28engineering%29>). I suggest that it just use tag/value (it's simpler), and that it list just 2-6 'required' tags (while permitting the use of the rest if you need it).

In my use case I want a file that doesn't need changing unless you change the license, in which case checksums, download locations for specific version numbers, and even the version number are unwelcome. I'm sure other people have other use cases (e.g., additional information generated during a build to record information for a particular version), but that's the point - it's important to identify different profiles for different purposes.

I did discover some areas that are important in this use case, even if they're irrelevant elsewhere. E.g., there's no recommended filename nor file extension, and I see no evidence that a MIME type has been reserved.

--- David A. Wheeler

_______________________________________________
Spdx-tech mailing list
https://lists.spdx.org/mailman/listinfo/spdx-tech
