I would like to bring an issue that was raised on the SPDX tools GitHub repo regarding the name of the SPDX file to the larger mailing list: https://github.com/spdx/tools/issues/107#issuecomment-321548533

Background: Although an SPDX file was present in the repo, it was not easily found. There are some references in the spec as to how to name the SPDX file; however, it isn't specific to source code repositories.

Proposal: Add a "best practice" and/or FAQ on how to name SPDX files in the source code repository.

There are a couple of proposals made in the issue by various contributors:

1) LICENSE.spdx
2) PACKAGE.spdx
3) [packagename].spdx where packagename is the name of the package

Note that #3 is currently in use. We should also decide the suffixes for tag/value and RDF (e.g. LICENSE.rdf or LICENSE.spdx.rdf).

Below are a few snippets from the issues list - please refer to the actual issue for more detail.

wking commented 4 days ago <https://github.com/spdx/tools/issues/107#issuecomment-321168376>

On Tue, Aug 08, 2017 at 10:51:17PM -0700, stcroppe wrote:

Need an SPDX file (files?) unless you think the SPDXParser.spdx file covers this.

In benbalter/licensee#85 <https://github.com/benbalter/licensee/issues/85>, @david-a-wheeler suggested LICENSE.spdx, and that seems like a good choice to me.

Would think an SPDX folder might work or standard naming (project.spdx, package.spdx).

The spec also uses package.spdx in an example [1], so I think that would be a good choice as well.

[1]: https://spdx.org/spdx-specification-21-web-version#h.2p2csry

david-a-wheeler commented 2 days ago <https://github.com/spdx/tools/issues/107#issuecomment-321548533>

I think LICENSE.spdx is the better name. Many tools and documents already say that files named LICENSE are special.

silverhook commented 2 days ago <https://github.com/spdx/tools/issues/107#issuecomment-321653038>

I very much like the LICENSE.spdx option as well - it pops out, is more descriptive than other suggestions, and as @david-a-wheeler mentions, it looks like something both a human (or a tool) would be looking for.

The only downside I can see is that SPDX contains also technical info and maybe in the future those will be as interesting as the legal info stored in the same file.

Please let me know any thoughts. We can also add this to one of the upcoming tech calls.

Thanks,
Gary

-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]
