On Mon, Aug 14, 2017 at 09:59:27PM +0000, Gisi, Mark wrote:
> We use <package-name>.spdx (e.g., busybox.1.22.1.spdx) for the
> following reasons:
>
> 1. We typically ship tens (if not hundreds) of SPDX files for a
>    single product release. We consolidate all the SPDX files in a
>    single archive. They can't all be called LICENSE.spdx

I agree that this is a good reason to recommend {package-name}.spdx
(or {package-name}-spdx.rdf, etc.) when a single directory collects
multiple SPDX files.  But that doesn't mean you can't make a different
recommendation for a single SPDX file that attempts to completely
cover its directory and descendants.

> 2. A package may contain multiple sub-packages and have multiple
>    LICENSE.spdx files (albeit in different directories). This can be
>    confusing.

If the recommendation is that LICENSE.spdx (and LICENSE-spdx.rdf, or
package{extension}, or whatever) attempts to cover its directory and
all descendants, then it is clear what a project is implying when it
has multiple sub-directories with their own LICENSE.spdx.

> 3. It is more immediately clear (self-descriptive) what the following
>    file represents: busybox.1.22.1.spdx as opposed to LICENSE.spdx
>    (even within the package).

But it's harder to write tooling for scraping unknown repositories.
For example, tooling that iterates through all the *.spdx and
*-spdx.rdf files in a repository and looks at the content to see which
covers the repository is hard to write, but tooling that just tries to
open LICENSE{extension} (or whatever) and pulls out the concluded
license is pretty easy.

Of course, maybe assuming LICENSE{extension} covers the whole
directory and descendants is not reliable enough.  In that case, any
tooling will have to be smart enough to look inside and determine what
is covered.  But I don't think we want to rush into deciding what is
“reliable enough” for all tools when recommending a fixed filename for
that idea is so easy.

Cheers,
Trevor

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy

_______________________________________________
Spdx-tech mailing list
https://lists.spdx.org/mailman/listinfo/spdx-tech
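
As an added example (not part of this thread and not SPDX project tooling), the two scraping approaches contrasted above, in Python over a constructed in-memory repository: `concluded_license` is the "just open LICENSE.spdx" lookup, walking up from a file's directory so that a sub-package's own LICENSE.spdx overrides the top-level one, and `spdx_candidates` is the first step of the harder approach, listing every *.spdx and *-spdx.rdf file whose contents a tool would then have to inspect. The repository layout, file contents and function names are assumptions. The zlib entry deliberately uses the {package-name}.spdx convention, so the fixed-filename lookup falls through to the top-level document for its files, which is the reliability caveat raised in the message.

```python
import fnmatch
import posixpath
import re

# Constructed in-memory repository (path -> contents), standing in for a
# checked-out source tree.  Real SPDX tag-value documents carry many more
# tags; only the ones this example reads are included.
REPO = {
    "LICENSE.spdx": (
        "SPDXVersion: SPDX-2.1\n"
        "DataLicense: CC0-1.0\n"
        "PackageName: widget\n"
        "PackageLicenseConcluded: MIT\n"
    ),
    "src/main.c": "/* widget sources */\n",
    # A vendored sub-package with its own LICENSE.spdx in its directory.
    "third_party/busybox/LICENSE.spdx": (
        "SPDXVersion: SPDX-2.1\n"
        "PackageName: busybox\n"
        "PackageLicenseConcluded: GPL-2.0-only\n"
    ),
    "third_party/busybox/init.c": "",
    # A vendored sub-package that used the {package-name}.spdx convention.
    "third_party/zlib/zlib.1.2.11.spdx": (
        "SPDXVersion: SPDX-2.1\n"
        "PackageName: zlib\n"
        "PackageLicenseConcluded: Zlib\n"
    ),
    "third_party/zlib/inflate.c": "",
}

# One "Tag: value" pair per line; multi-line <text> values are not needed here.
TAG_RE = re.compile(r"^(?P<tag>[A-Za-z0-9]+):\s*(?P<value>.+?)\s*$")


def parse_tag_value(text):
    """Return the single-line tags of an SPDX tag-value document as a dict.

    The first occurrence of a tag wins, which is enough for a document
    that describes a single package."""
    tags = {}
    for line in text.splitlines():
        match = TAG_RE.match(line)
        if match and match.group("tag") not in tags:
            tags[match.group("tag")] = match.group("value")
    return tags


def nearest_license_spdx(path, repo):
    """Walk from the file's directory up to the repository root and return
    the first LICENSE.spdx found, or None.

    Nearest wins: a sub-directory's LICENSE.spdx is taken to cover that
    directory and its descendants, overriding any LICENSE.spdx above it."""
    directory = posixpath.dirname(path)
    while True:
        candidate = posixpath.join(directory, "LICENSE.spdx")
        if candidate in repo:
            return candidate
        if not directory:
            return None
        directory = posixpath.dirname(directory)


def concluded_license(path, repo):
    """The 'easy' tooling: open the covering LICENSE.spdx and pull out
    PackageLicenseConcluded without inspecting anything else."""
    document = nearest_license_spdx(path, repo)
    if document is None:
        return None
    return parse_tag_value(repo[document]).get("PackageLicenseConcluded")


def spdx_candidates(directory, repo):
    """First step of the 'hard' tooling: every *.spdx and *-spdx.rdf file
    under a directory.  Deciding which of them (if any) covers a given
    file still requires reading their contents."""
    prefix = directory.rstrip("/") + "/" if directory else ""
    return sorted(
        path for path in repo
        if path.startswith(prefix)
        and (fnmatch.fnmatch(posixpath.basename(path), "*.spdx")
             or fnmatch.fnmatch(posixpath.basename(path), "*-spdx.rdf"))
    )


if __name__ == "__main__":
    for source in ("src/main.c", "third_party/busybox/init.c",
                   "third_party/zlib/inflate.c"):
        print(source, "->", nearest_license_spdx(source, REPO),
              concluded_license(source, REPO))
    # zlib's own document was not named LICENSE.spdx, so the fixed-name
    # lookup falls through to the top-level file; the candidate scan still
    # finds it, but only content inspection would tell which file it covers.
    print(spdx_candidates("third_party/zlib", REPO))
```

Running the block reports MIT for `src/main.c`, GPL-2.0-only for the busybox file, and (wrongly, by the fixed-name rule alone) MIT for the zlib file, while the candidate scan of `third_party/zlib` returns the package-named document that the easy lookup never opened.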