Thanks Gary, that makes sense to me. It's a bit unfortunate that the intended use of PackageDownloadLocation is (intentionally) kept a bit vague in the spec. But I agree that for our use-case it makes more sense to use it to refer to the source code location, so we'll simply make that a convention.
-- Sebastian Schuberth On Tue, Mar 2, 2021 at 11:12 PM Gary O'Neall <[email protected]> wrote: > > Hi Sebastian, > > I don't recall discussing this specific aspect of the download location when > we were drafting that part of the spec, so I don't have an answer that > represents the community. > > In my use of the field, I have been using the download location to indicate > where to get the artifact that were actually analyzed in producing the SPDX > document. For example: If you generated license matches off of downloaded > source code, the download location would point to the source. > > Gary > > > > -----Original Message----- > > From: [email protected] <[email protected]> On Behalf Of > > Sebastian Schuberth > > Sent: Tuesday, March 2, 2021 10:35 AM > > To: Steve Winslow <[email protected]> > > Cc: spdx-tech <[email protected]> > > Subject: Re: [spdx-tech] Should PackageDownloadLocation point to source or > > binary? > > > > Thanks for the answer, Steve. However, there are cases where it's really > > hard > > to tell what the intended representation is. For example, in the context of > > ORT > > [1] we're using SPDX documents to describe projects and their dependencies > > where there are no other means (e.g. a package manager / build system like > > Maven) available. > > > > So when using SPDX to describe a package that is a dependency of a project, > > you might actually be interested in both the binary artifacts (as that's > > what's > > used in the build) and the source code (as that's what you scan with a > > license > > scanner) for that package. This makes it quite unclear what the > > PackageDownloadLocation should point to. > > > > Any recommendations for that particular use-case? > > > > [1] https://github.com/oss-review-toolkit/ort > > > > -- > > Sebastian Schuberth > > > > On Tue, Mar 2, 2021 at 6:41 PM Steve Winslow > > <[email protected]> wrote: > > > > > > Hi Sebastian, > > > > > > I think the answer would depend on what distribution of software the > > Package is intended to represent. E.g., if the Package is representing / > > describing a distribution of source code, then the PackageDownloadLocation > > would likely point to the VCS syntax. Or if the Package is describing a > > binary > > artifact, then that's where the PackageDownloadLocation would point too. > > > > > > Best, > > > Steve > > > > > > On Tue, Mar 2, 2021 at 11:04 AM Sebastian Schuberth > > <[email protected]> wrote: > > >> > > >> Hi, > > >> > > >> just a quick question about the PackageDownloadLocation [1]: When it > > >> does not contain a VCS URL, but to a plain URL, is the URL the > > >> supposed to point to the *source* artifact for the package, or the > > >> *binary* artifact for the package? > > >> > > >> Given that the alternative VCS syntax obviously points to the source > > >> code, I would expect that also the plain URL syntax is supposed to > > >> point to a source artifact, but I couldn't find it spelled out in the > > >> spec. > > >> > > >> [1] > > >> https://spdx.github.io/spdx-spec/3-package-information/#37-package-do > > >> wnload-location > > >> > > >> -- > > >> Sebastian Schuberth > > >> > > >> > > >> > > >> > > >> > > > > > > > > > -- > > > Steve Winslow > > > VP, Compliance and Legal > > > The Linux Foundation > > > [email protected] > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4002): https://lists.spdx.org/g/Spdx-tech/message/4002 Mute This Topic: https://lists.spdx.org/mt/81028683/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
