SPDX Tech,

At UNO, we are currently working on things that have to do with RELATIONSHIPS. Specifically, we are thinking about how SPDX can be used against packages with dependencies. I think that RELATIONSHIPS are the way to go here, but this is no easy task. Here are a few of the questions/comments that have been raised by the team:

1) What RELATIONSHIP keyword should be used to describe a dependency (for example, if package *httpserver* depends on package *openssl*) from one SPDX document (or package) to another SPDX document (or package)? It seems that the closest keyword I can see would be *PACKAGE_OF*, but that seems to be the backwards relationship (child to parent) of what we want (that would only tell us that *openssl* is a package of *httpserver*). I think we might want more of a *PACKAGE* relationship, but sadly, this doesn't exist in the current SPDX spec.

2) Contains and Contained_BY seem to be appropriate for showing package and sub package relationship. Can we create relationships between dependencies document by creating a list of Contains and Describes relationships?

Thoughts on this are most welcome.

Regards,
Matt

--
Mutual of Omaha Associate Professor
College of Information Science & Technology
University of Nebraska Omaha
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
