I'm primarily interested in the use case where software developers *assert*
their license(s) in terms of a license expression, and the SPDX file (if any)
is *embedded* in the package as a *hand-created* file (created by the
developers).
In this use case, I think that many of the "mandatory" tags should actually
*NOT* be mandatory. In particular, these are the *only* tags I would use in
this use case (filled in with an example):
SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
PackageName: Foo
PackageOriginator: David A. Wheeler
PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/
PackageLicenseDeclared: MIT
This means that many tags identified as mandatory should *NOT* be mandatory in
this use case (in my opinion). For example:
* the "Created" datetime stamp should NOT be used. Developers use version
control systems to manage that, and any value entered will be unmaintained (and
thus WRONG).
* "DocumentName" - you can see what it is, there's no need for it.
* "PackageDownloadLocation" - the specific URL for this particular version
changes all the time.
I'm not saying these tags are useless - when SPDX is used to exchange the
results of external analysis, these tags *are* important. But I think this is
a different use case, and it should be unsurprising that what's needed is
different.
I only noticed this when I tried to write a tutorial trying to explain how to
use the SPDX file in this use case.
Anyway, my two cents.
--- David A. Wheeler
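An added example (not from the post or from any SPDX project code): a small Python checker for the minimal tag:value file the post proposes. It parses the tag:value lines, reports which of the six kept tags are absent, and validates PackageLicenseDeclared against the SPDX 2.x license-expression grammar (ids with an optional +, WITH, AND, OR, parentheses). The SAMPLE document, the function names and the choice to accept only single-line values are this example's own assumptions.

```python
import re

MINIMAL_TAGS = ("SPDXVersion", "DataLicense", "PackageName",   # the six tags the post keeps
                "PackageOriginator", "PackageHomePage", "PackageLicenseDeclared")

SAMPLE = ("SPDXVersion: SPDX-2.0\nDataLicense: CC0-1.0\nPackageName: Foo\n"   # constructed,
          "PackageOriginator: David A. Wheeler\n"                             # mirrors the post
          "PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/\n"
          "PackageLicenseDeclared: MIT\n")

def parse_tag_value(text):
    """'Tag: value' lines -> dict; splits on the first ':' so URL values survive."""
    pairs = [line.partition(":") for line in text.splitlines() if line.strip()]
    if any(not sep for _, sep, _ in pairs):
        raise ValueError("expected 'Tag: value' on every non-blank line")
    return {tag.strip(): value.strip() for tag, _, value in pairs}

_TOKEN = r"\(|\)|[A-Za-z0-9.:\-]+\+?"        # a paren, or an id with optional '+'
_RESERVED = ("AND", "OR", "WITH", "(", ")")  # never valid as an id

def is_license_expression(expr):
    """Grammar: expr := term ((AND|OR) term)* ; term := '(' expr ')' | id['+'] [WITH id]"""
    toks = re.findall(_TOKEN, expr)
    def ident():                             # consume one license or exception id
        return bool(toks) and toks.pop(0) not in _RESERVED
    def term():
        if toks and toks[0] == "(":
            toks.pop(0)
            return expression() and bool(toks) and toks.pop(0) == ")"
        if not ident():
            return False
        if toks and toks[0] == "WITH":
            toks.pop(0)
            return ident()
        return True
    def expression():
        ok = term()
        while ok and toks and toks[0] in ("AND", "OR"):
            toks.pop(0)
            ok = term()
        return ok
    return not re.sub(_TOKEN + r"|\s+", "", expr) and expression() and not toks  # no stray chars

def check_minimal_spdx(text):
    """List of problems; empty means the file fits the hand-created, embedded use case."""
    doc = parse_tag_value(text)
    problems = [f"missing tag: {t}" for t in MINIMAL_TAGS if t not in doc]
    lic = doc.get("PackageLicenseDeclared")
    if lic is not None and not is_license_expression(lic):
        problems.append(f"PackageLicenseDeclared: invalid license expression '{lic}'")
    return problems
```

The checker validates syntax only; whether an id is actually on the SPDX License List is a separate lookup.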
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech