I would like to bring an issue that was raised on the SPDX tools github repo
regarding the name of the SPDX file to the larger mailing list:
https://github.com/spdx/tools/issues/107#issuecomment-321548533

 

Background: Although an SPDX file was present in the repo, it was not easily
found.  There are some references in the spec as to how to name the SPDX
file, however, it isn't specific to source code repositories.

 

Proposal: Add a "best practice" and/or FAQ on how to name SPDX files in the
source code repository.  There are a couple of proposals made in the issue
by various contributors - 

1)      LICENSE.spdx

2)      PACKAGE.spdx

3)      [packagename].spdx where packagename is the name of the package

 

Note that #3 is currently in use.

 

We should also decide the suffixes for tag/value and RDF (e.g. LICENSE.rdf
or LICENSE.spdx.rdf).

 

Below are a few snippets from the issues list - please refer to the actual
issue for more detail.

 


  <https://github.com/wking> wking commented 4 days ago
<https://github.com/spdx/tools/issues/107#issuecomment-321168376> 


On Tue, Aug 08, 2017 at 10:51:17PM -0700, stcroppe wrote: Need an SPDX file
(files?) unless you think the SPDXParser.spdx file covers this.

In  <https://github.com/benbalter/licensee/issues/85> benbalter/licensee#85,
<https://github.com/david-a-wheeler> @david-a-wheeler suggested
LICENSE.spdx, and that seems like a good choice to me.

Would think an SPDX folder might work or standard naming (project.spdx,
package.spdx).

The spec also uses package.spdx in an example [1], so I think that would be
a good choice as well. [1]:
https://spdx.org/spdx-specification-21-web-version#h.2p2csry


 <https://github.com/david-a-wheeler> david-a-wheeler commented 2 days ago
<https://github.com/spdx/tools/issues/107#issuecomment-321548533> 


I think LICENSE.spdx is the better name. Many tools and documents already
say that files named LICENSE are special.


 <https://github.com/silverhook> silverhook commented 2 days ago
<https://github.com/spdx/tools/issues/107#issuecomment-321653038> 


I very much like the LICENSE.spdx option as well - it pops out, is more
descriptive than other suggestions, and as
<https://github.com/david-a-wheeler> @david-a-wheeler mentions, it looks
like something both a human (or a tool) would be looking for.

The only downside I can see is that SPDX contains also technical info and
maybe in the future those will be as interesting as the legal info stored in
the same file.

Please let me know any thoughts.  We can also add this to one of the
upcoming tech calls.

 

Thanks,
Gary

 

-------------------------------------------------

Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email:  <mailto:g...@sourceauditor.com> g...@sourceauditor.com

 
