Thanks for the answer, Steve. However, there are cases where it's really hard to tell what the intended representation is. For example, in the context of ORT [1] we're using SPDX documents to describe projects and their dependencies where there are no other means (e.g. a package manager / build system like Maven) available.
So when using SPDX to describe a package that is a dependency of a project, you might actually be interested in both the binary artifacts (as that's what's used in the build) and the source code (as that's what you scan with a license scanner) for that package. This makes it quite unclear what the PackageDownloadLocation should point to. Any recommendations for that particular use-case?

[1] https://github.com/oss-review-toolkit/ort

-- 
Sebastian Schuberth

On Tue, Mar 2, 2021 at 6:41 PM Steve Winslow <[email protected]> wrote:
>
> Hi Sebastian,
>
> I think the answer would depend on what distribution of software the Package
> is intended to represent. E.g., if the Package is representing / describing a
> distribution of source code, then the PackageDownloadLocation would likely
> point to the VCS syntax. Or if the Package is describing a binary artifact,
> then that's where the PackageDownloadLocation would point too.
>
> Best,
> Steve
>
> On Tue, Mar 2, 2021 at 11:04 AM Sebastian Schuberth <[email protected]>
> wrote:
>>
>> Hi,
>>
>> just a quick question about the PackageDownloadLocation [1]: When it
>> does not contain a VCS URL, but a plain URL, is the URL
>> supposed to point to the *source* artifact for the package, or the
>> *binary* artifact for the package?
>>
>> Given that the alternative VCS syntax obviously points to the source
>> code, I would expect that also the plain URL syntax is supposed to
>> point to a source artifact, but I couldn't find it spelled out in the
>> spec.
>>
>> [1]
>> https://spdx.github.io/spdx-spec/3-package-information/#37-package-download-location
>>
>> --
>> Sebastian Schuberth
>
> --
> Steve Winslow
> VP, Compliance and Legal
> The Linux Foundation
> [email protected]
View/Reply Online (#3997): https://lists.spdx.org/g/Spdx-tech/message/3997
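The thread turns on the two syntactic forms a PackageDownloadLocation can take: the VCS form (which by construction names a source repository) and a plain URL (which, as Sebastian notes, carries no source-versus-binary signal in the spec text). The following is an added example, not code from ORT or from the SPDX project, showing how a tool consuming tag-value SPDX 2.x documents can tell the two forms apart before deciding how to treat the location. The grammar follows the VCS syntax given in SPDX 2.2 section 3.7 (`<vcs_tool>+<transport>://<host_name>[/<path_to_repository>][@<revision>][#<sub_path>]`, with `git://`, `svn://`, the scp-like `git+git@host:path` and `bzr+lp:` forms listed there); the "scp" transport label for the scp-like form, the `DownloadLocation` type and the sample document are this example's own conventions and constructed input, not anything defined by the spec.

```python
"""Classify SPDX 2.x PackageDownloadLocation values (added example, not ORT/SPDX code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# <vcs_tool>+<transport>://host[/path][@revision][#sub_path], with the "<tool>+" prefix
# optional so that the bare git:// and svn:// forms from the spec also match.
_VCS_RE = re.compile(
    r"^(?:(?P<tool>git|hg|svn|bzr)\+)?(?P<transport>[a-z][a-z0-9]*)://"
    r"(?P<repo>[^@#]+)(?:@(?P<rev>[^#]+))?(?:#(?P<sub>.*))?$"
)
# scp-like form listed in the spec: git+git@host:path[@revision][#sub_path]
_SCP_RE = re.compile(r"^git\+git@(?P<repo>[^@#]+)(?:@(?P<rev>[^#]+))?(?:#(?P<sub>.*))?$")
_TAG_RE = re.compile(r"^PackageDownloadLocation:\s*(.+?)\s*$", re.MULTILINE)


@dataclass(frozen=True)
class DownloadLocation:
    kind: str                        # "none", "noassertion", "vcs" or "url"
    raw: str                         # the value exactly as written in the document
    tool: Optional[str] = None       # git / hg / svn / bzr when kind == "vcs"
    transport: Optional[str] = None  # https, ssh, git, ... ("scp" and "lp" are this example's labels)
    repo: Optional[str] = None       # host[/path] for vcs; the full URL for kind == "url"
    revision: Optional[str] = None   # text after "@" in the VCS form, if any
    sub_path: Optional[str] = None   # text after "#" in the VCS form, if any


def parse_download_location(value: str) -> DownloadLocation:
    """Classify one PackageDownloadLocation value; raise ValueError if it fits no form."""
    v = value.strip()
    if v == "NONE":
        return DownloadLocation("none", v)
    if v == "NOASSERTION":
        return DownloadLocation("noassertion", v)
    m = _SCP_RE.match(v)
    if m:
        return DownloadLocation("vcs", v, "git", "scp", m["repo"], m["rev"], m["sub"])
    m = _VCS_RE.match(v)
    if m:
        tool, transport = m["tool"], m["transport"]
        if tool is None and transport in ("git", "svn"):
            tool = transport  # bare git:// and svn:// imply the tool
        if tool is not None:
            return DownloadLocation("vcs", v, tool, transport, m["repo"], m["rev"], m["sub"])
        # Any other scheme without a "<tool>+" prefix is a plain URL: the spec does not
        # say whether it points at a source or a binary artifact, so we only record it.
        return DownloadLocation("url", v, repo=v)
    if v.startswith("bzr+lp:"):
        return DownloadLocation("vcs", v, "bzr", "lp", v[len("bzr+lp:"):])
    raise ValueError(f"not a valid PackageDownloadLocation: {value!r}")


def is_vcs(value: str) -> bool:
    """True only for the VCS form, which always names a source repository."""
    return parse_download_location(value).kind == "vcs"


def download_locations(tag_value_doc: str) -> list[DownloadLocation]:
    """Parse every PackageDownloadLocation in a tag-value SPDX document, in order."""
    return [parse_download_location(m.group(1)) for m in _TAG_RE.finditer(tag_value_doc)]


# Constructed sample document: the same package described once as a source
# distribution and once as a binary artifact, plus a package with no assertion.
SAMPLE_DOC = """\
PackageName: MyProject
SPDXID: SPDXRef-Package-MyProject-src
PackageDownloadLocation: git+https://git.myproject.org/MyProject.git@v1.0

PackageName: MyProject
SPDXID: SPDXRef-Package-MyProject-bin
PackageDownloadLocation: https://repo.example.org/myproject/1.0/myproject-1.0.jar

PackageName: vendored-thing
SPDXID: SPDXRef-Package-vendored
PackageDownloadLocation: NOASSERTION
"""

if __name__ == "__main__":
    for loc in download_locations(SAMPLE_DOC):
        print(loc.kind, loc.raw)
```

Only the VCS form lets a consumer infer "this is source" from the field alone; for the plain-URL form the consumer has to fall back on what the Package as a whole is meant to describe, which is the point Steve makes above.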
