On Sat, Aug 12, 2017 at 11:27:51AM -0700, g...@sourceauditor.com wrote:
> 3) [packagename].spdx where packagename is the name of the package
>
> Note that #3 is currently in use.

My concern with the current SPDXParser.spdx [1] is that it is not immediately obvious that the file applies to the whole repository and not just to some subset thereof. I'd also be fine with spdx-tools.spdx (or spdx-tools-spdx.rdf), since that's more clearly scoped to cover the whole repository.

I'm fine with options one and two, although note that the spec currently has package.spdx examples [2] as well as an example with [3]:

  An SPDX document ‘WildFly.spdx’ describes package ‘WildFly’. Note this is a logical relationship to help organize related items within an SPDX document that is mandatory if more than one package or set of files (not in a package) is present.

I'm also fine with different recommendations for different contexts (e.g. project.spdx for a project-wide SPDX file in the project's repository and ${PROJECT_NAME}.spdx for that same SPDX content in a multi-project context). And I agree that it would be good to update the spec to clearly describe whatever convention we decide on and then consistently follow that recommendation.

> We should also decide the suffixes for tag/value and RDF
> (e.g. LICENSE.rdf or LICENSE.spdx.rdf).

This is already covered in the spec [4]:

  Should be easy to recognize in a file system without opening the file. A suggested naming convention is to use *.spdx (for tag-value format) and *-spdx.rdf for RDF format.

The spec seems to conflate “RDF” and “RDF/XML” (there are several other RDF serialization formats [5]), and it would be good to start making that distinction. But, the recommended extension for RDF/XML is .rdf [6], so we wouldn't have to change the recommended extension for RDF/XML.

Cheers,
Trevor

[1]: https://github.com/spdx/tools/blob/0d020dbdd3fabe96b1e7bce88216de0f679e9dfb/SPDXParser.spdx
[2]: https://spdx.org/spdx-specification-21-web-version#h.2p2csry
[3]: https://spdx.org/spdx-specification-21-web-version#h.apg85dj5o8wx
[4]: https://spdx.org/spdx-specification-21-web-version#h.3dy6vkm
[5]: https://en.wikipedia.org/wiki/Resource_Description_Framework#Serialization_formats
[6]: https://tools.ietf.org/html/rfc3870#section-2

--
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy