Hi David, Gary and I were talking about this at lunch - yes, your use case, which is an important one for lowering the barrier for upstream projects to declare licenses in a standardized way - represents an 'SPDX Lite' requirement/use case that has often come up.
Let's chat about it while we are all here at Collab.

Bill Schineller
VP Engineering - KnowledgeBase
Black Duck Software
781-425-4405
508-308-5921 (cell)
[email protected]

On 3/30/16, 2:18 PM, "[email protected] on behalf of Wheeler, David A" <[email protected] on behalf of [email protected]> wrote:

>I'm primarily interested in the use case where software developers *assert*
>their license(s) in terms of a license expression, and the SPDX file (if any)
>is *embedded* in the package as a *hand-created* file (created by the
>developers).
>
>In this use case, I think that many of the "mandatory" tags should actually
>*NOT* be mandatory. In particular, these are the *only* tags I would use in
>this use case (filled in with an example):
> SPDXVersion: SPDX-2.0
> DataLicense: CC0-1.0
> PackageName: Foo
> PackageOriginator: David A. Wheeler
> PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/
> PackageLicenseDeclared: MIT
>
>This means that many tags identified as mandatory should *NOT* be mandatory in
>this use case (in my opinion). For example:
>* the "Created" datetime stamp should NOT be used. Developers use version
>control systems to manage that, and any value entered will be unmaintained
>(and thus WRONG).
>* "DocumentName" - you can see what it is, there's no need for it.
>* "PackageDownloadLocation" - the specific URL for this particular version
>changes all the time.
>
>I'm not saying these tags are useless - when SPDX is used to exchange the
>results of external analysis, these tags *are* important. But I think people
>this is a different use case, and it should be unsurprising that what's needed
>is different.
>
>I only noticed this when I tried to write a tutorial trying to explain how to
>use the SPDX file in this use case.
>
>Anyway, my two cents.
>
>--- David A. Wheeler
>
>_______________________________________________
>Spdx-tech mailing list
>[email protected]
>https://lists.spdx.org/mailman/listinfo/spdx-tech
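The six-tag file proposed in the quoted message can be checked mechanically. The following is an added example, not part of the thread and not code from any SPDX tool: a small linter for hand-written tag-value files that reports missing or duplicated tags from that set and flags the three tags the message says go unmaintained. The function names, the report keys, and the DRIFTED sample are assumptions made for illustration, and only single-line `Tag: value` entries are handled.

```python
import re

# The six tags the quoted message proposes for a hand-created, embedded file.
MINIMAL_TAGS = ("SPDXVersion", "DataLicense", "PackageName", "PackageOriginator",
                "PackageHomePage", "PackageLicenseDeclared")
# Tags the message argues go unmaintained when developers fill them in by hand.
STALE_PRONE_TAGS = ("Created", "DocumentName", "PackageDownloadLocation")
TAG_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")

def parse_tag_value(text):
    """Parse single-line 'Tag: value' entries into ({tag: [values]}, [errors])."""
    tags, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        m = TAG_LINE.match(line)
        if not m:
            errors.append(f"line {lineno}: not a 'Tag: value' line")
            continue
        tags.setdefault(m.group(1), []).append(m.group(2))
    return tags, errors

def check_minimal(text):
    """Report how a hand-written file deviates from the six-tag minimal set."""
    tags, errors = parse_tag_value(text)
    return {
        "missing": [t for t in MINIMAL_TAGS if not any(tags.get(t, []))],
        "duplicated": [t for t in MINIMAL_TAGS if len(tags.get(t, [])) > 1],
        "stale_prone": [t for t in STALE_PRONE_TAGS if t in tags],
        "errors": errors,
    }

# The example file exactly as given in the quoted message.
FROM_MESSAGE = """\
SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
PackageName: Foo
PackageOriginator: David A. Wheeler
PackageHomePage: https://github.com/david-a-wheeler/spdx-tutorial/
PackageLicenseDeclared: MIT
"""
# Constructed sample: duplicate name, hand-entered timestamp, empty license.
DRIFTED = """\
PackageName: Foo
PackageName: Bar
Created: 2016-03-30T18:18:00Z
PackageLicenseDeclared:
stray line
"""
```

Running `check_minimal` in CI over the embedded file keeps the declared license present and unambiguous without requiring the tags that the message says developers will not keep current.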
