Hi Sebastian,

I don't recall discussing this specific aspect of the download location when we 
were drafting that part of the spec, so I don't have an answer that represents 
the community.

In my use of the field, I have been using the download location to indicate 
where to get the artifacts that were actually analyzed in producing the SPDX 
document. For example, if you generated license matches off of downloaded 
source code, the download location would point to the source.

Gary
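As an added example (not part of the original thread or of ORT's code) of the distinction Sebastian raises between the VCS syntax and a plain URL: the Python below classifies each PackageDownloadLocation in a tag-value SPDX document, assuming the SPDX 2.x download-location grammar (git/hg/svn/bzr VCS form with optional @revision and #subpath, plain URLs, NONE, NOASSERTION); the package names and URLs in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Assumed SPDX 2.x grammar (from the spec, not from this thread): NONE | NOASSERTION |
#   <vcs>[+<transport>]://<host>/<path>[@<revision>][#<subpath>] | plain <scheme>://... URL
VCS_TOOLS = ("git", "hg", "svn", "bzr")

@dataclass
class DownloadLocation:
    kind: str                    # "vcs" | "url" | "none" | "noassertion"
    vcs_tool: Optional[str] = None
    revision: Optional[str] = None
    subpath: Optional[str] = None

def parse_download_location(value: str) -> DownloadLocation:
    v = value.strip()
    if v in ("NONE", "NOASSERTION"):
        return DownloadLocation(v.lower())
    m = re.match(r"^([a-z][a-z0-9]*)(?:\+([a-z][a-z0-9]*))?://", v)
    if not m:
        raise ValueError(f"unrecognised download location: {value!r}")
    if m.group(1) not in VCS_TOOLS:
        return DownloadLocation("url")   # plain URL: the spec does not say source or binary
    # VCS form: strip the host first so an '@' in userinfo (git@host) is not read as a revision
    host, _, path = v[m.end():].partition("/")
    subpath = revision = None
    if "#" in path:
        path, subpath = path.split("#", 1)
    if "@" in path:
        path, revision = path.rsplit("@", 1)
    return DownloadLocation("vcs", m.group(1), revision, subpath)

def classify_packages(tag_value_doc: str):
    """Return (PackageName, kind) for every package in a tag-value SPDX document."""
    out, name = [], None
    for line in tag_value_doc.splitlines():
        tag, _, val = line.partition(":")   # first colon only; URL colons stay in val
        if tag.strip() == "PackageName":
            name = val.strip()
        elif tag.strip() == "PackageDownloadLocation" and name is not None:
            out.append((name, parse_download_location(val).kind))
    return out
# Constructed sample: one package pointing at source (VCS form), one at a binary artifact.
SAMPLE_DOC = """\
PackageName: example-lib
PackageDownloadLocation: git+https://example.com/org/example-lib.git@v1.2.0#src
PackageName: example-lib-jar
PackageDownloadLocation: https://repo.example.com/org/example-lib/1.2.0/example-lib-1.2.0.jar
"""
```

Running `classify_packages(SAMPLE_DOC)` shows that only the VCS form tells you the location is source; for the plain-URL package the document alone cannot say whether it is source or binary, which is exactly the ambiguity discussed here.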


> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of
> Sebastian Schuberth
> Sent: Tuesday, March 2, 2021 10:35 AM
> To: Steve Winslow <[email protected]>
> Cc: spdx-tech <[email protected]>
> Subject: Re: [spdx-tech] Should PackageDownloadLocation point to source or
> binary?
> 
> Thanks for the answer, Steve. However, there are cases where it's really hard
> to tell what the intended representation is. For example, in the context of ORT
> [1] we're using SPDX documents to describe projects and their dependencies
> where there are no other means (e.g. a package manager / build system like
> Maven) available.
> 
> So when using SPDX to describe a package that is a dependency of a project,
> you might actually be interested in both the binary artifacts (as that's what's
> used in the build) and the source code (as that's what you scan with a license
> scanner) for that package. This makes it quite unclear what the
> PackageDownloadLocation should point to.
> 
> Any recommendations for that particular use-case?
> 
> [1] https://github.com/oss-review-toolkit/ort
> 
> --
> Sebastian Schuberth
> 
> On Tue, Mar 2, 2021 at 6:41 PM Steve Winslow
> <[email protected]> wrote:
> >
> > Hi Sebastian,
> >
> > I think the answer would depend on what distribution of software the
> Package is intended to represent. E.g., if the Package is representing /
> describing a distribution of source code, then the PackageDownloadLocation
> would likely point to the VCS syntax. Or if the Package is describing a binary
> artifact, then that's where the PackageDownloadLocation would point to.
> >
> > Best,
> > Steve
> >
> > On Tue, Mar 2, 2021 at 11:04 AM Sebastian Schuberth
> <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> just a quick question about the PackageDownloadLocation [1]: When it
> >> does not contain a VCS URL, but a plain URL, is the URL then
> >> supposed to point to the *source* artifact for the package, or the
> >> *binary* artifact for the package?
> >>
> >> Given that the alternative VCS syntax obviously points to the source
> >> code, I would expect that also the plain URL syntax is supposed to
> >> point to a source artifact, but I couldn't find it spelled out in the
> >> spec.
> >>
> >> [1] https://spdx.github.io/spdx-spec/3-package-information/#37-package-download-location
> >>
> >> --
> >> Sebastian Schuberth
> >>
> >
> >
> > --
> > Steve Winslow
> > VP, Compliance and Legal
> > The Linux Foundation
> > [email protected]
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4001): https://lists.spdx.org/g/Spdx-tech/message/4001
Mute This Topic: https://lists.spdx.org/mt/81028683/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-