Hi Sebastian, I think the answer would depend on what distribution of software the Package is intended to represent. E.g., if the Package is representing / describing a distribution of source code, then the PackageDownloadLocation would likely point to the VCS syntax. Or if the Package is describing a binary artifact, then that's where the PackageDownloadLocation would point too.
Best, Steve On Tue, Mar 2, 2021 at 11:04 AM Sebastian Schuberth <[email protected]> wrote: > Hi, > > just a quick question about the PackageDownloadLocation [1]: When it > does not contain a VCS URL, but to a plain URL, is the URL the > supposed to point to the *source* artifact for the package, or the > *binary* artifact for the package? > > Given that the alternative VCS syntax obviously points to the source > code, I would expect that also the plain URL syntax is supposed to > point to a source artifact, but I couldn't find it spelled out in the > spec. > > [1] > https://spdx.github.io/spdx-spec/3-package-information/#37-package-download-location > > -- > Sebastian Schuberth > > > > > > -- Steve Winslow VP, Compliance and Legal The Linux Foundation [email protected] -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#3996): https://lists.spdx.org/g/Spdx-tech/message/3996 Mute This Topic: https://lists.spdx.org/mt/81028683/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
