On Sat, Aug 12, 2017 at 11:27:51AM -0700, g...@sourceauditor.com wrote:
> 3) [packagename].spdx where packagename is the name of the package
> Note that #3 is currently in use.

My concern with the current SPDXParser.spdx [1] is that it is not
immediately obvious that the file applies to the whole repository and
not just to some subset thereof.  I'd also be fine with
spdx-tools.spdx (or spdx-tools-spdx.rdf), since that's more clearly
scoped to cover the whole repository.

I'm fine with options one and two, although note that the spec
currently has package.spdx examples [2] as well as an example with

  An SPDX document ‘WildFly.spdx’ describes package ‘WildFly’.  Note
  this is a logical relationship to help organize related items within
  an SPDX document that is mandatory if more than one package or set
  of files (not in a package) is present.

I'm also fine with different recommendations for different contexts
(e.g. project.spdx for a project-wide SPDX file in the project's
repository and ${PROJECT_NAME}.spdx for that same SPDX content in a
multi-project context).

And I agree that it would be good to update the spec to clearly
describe whatever convention we decide on and then consistently follow
that recommendation.

> We should also decide the suffixes for tag/value and RDF
> (e.g. LICENSE.rdf or LICENSE.spdx.rdf).

This is already covered in the spec [4]:

  Should be easy to recognize in a file system without opening the
  file.  A suggested naming convention is to use *.spdx (for tag-value
  format) and *-spdx.rdf for RDF format.

The spec seems to conflate “RDF” and “RDF/XML” (there are several
other RDF serialization formats [5]), and it would be good to start
making that distinction.  But, the recommended extension for RDF/XML
is .rdf [6], so we wouldn't have to change the recommended extension
for RDF/XML.


[2]: https://spdx.org/spdx-specification-21-web-version#h.2p2csry
[3]: https://spdx.org/spdx-specification-21-web-version#h.apg85dj5o8wx
[4]: https://spdx.org/spdx-specification-21-web-version#h.3dy6vkm
[6]: https://tools.ietf.org/html/rfc3870#section-2
