It just occurred to me that what you said, Gary, basically means to take the "FilesAnalyzed" field into account when determining whether "PackageDownloadLocation" points to a source or binary artifact. Or phrased differently, if I intend "PackageDownloadLocation" to point to a binary artifact, I should set "FilesAnalyzed" explicitly to "false" (as its default is "true").
Does that make sense?

--
Sebastian Schuberth

On Wed, Mar 3, 2021 at 6:51 AM Sebastian Schuberth <[email protected]> wrote:
>
> Thanks Gary, that makes sense to me. It's a bit unfortunate that the
> intended use of PackageDownloadLocation is (intentionally) kept a bit
> vague in the spec. But I agree that for our use-case it makes more
> sense to use it to refer to the source code location, so we'll simply
> make that a convention.
>
> --
> Sebastian Schuberth
>
> On Tue, Mar 2, 2021 at 11:12 PM Gary O'Neall <[email protected]> wrote:
> >
> > Hi Sebastian,
> >
> > I don't recall discussing this specific aspect of the download location
> > when we were drafting that part of the spec, so I don't have an answer that
> > represents the community.
> >
> > In my use of the field, I have been using the download location to indicate
> > where to get the artifacts that were actually analyzed in producing the SPDX
> > document. For example: If you generated license matches off of downloaded
> > source code, the download location would point to the source.
> >
> > Gary
> >
> >
> > > -----Original Message-----
> > > From: [email protected] <[email protected]> On Behalf Of
> > > Sebastian Schuberth
> > > Sent: Tuesday, March 2, 2021 10:35 AM
> > > To: Steve Winslow <[email protected]>
> > > Cc: spdx-tech <[email protected]>
> > > Subject: Re: [spdx-tech] Should PackageDownloadLocation point to source or
> > > binary?
> > >
> > > Thanks for the answer, Steve. However, there are cases where it's really
> > > hard to tell what the intended representation is. For example, in the
> > > context of ORT [1] we're using SPDX documents to describe projects and
> > > their dependencies where there are no other means (e.g. a package manager /
> > > build system like Maven) available.
> > >
> > > So when using SPDX to describe a package that is a dependency of a project,
> > > you might actually be interested in both the binary artifacts (as that's
> > > what's used in the build) and the source code (as that's what you scan with
> > > a license scanner) for that package. This makes it quite unclear what the
> > > PackageDownloadLocation should point to.
> > >
> > > Any recommendations for that particular use-case?
> > >
> > > [1] https://github.com/oss-review-toolkit/ort
> > >
> > > --
> > > Sebastian Schuberth
> > >
> > > On Tue, Mar 2, 2021 at 6:41 PM Steve Winslow <[email protected]> wrote:
> > > >
> > > > Hi Sebastian,
> > > >
> > > > I think the answer would depend on what distribution of software the
> > > > Package is intended to represent. E.g., if the Package is representing /
> > > > describing a distribution of source code, then the PackageDownloadLocation
> > > > would likely point to the VCS syntax. Or if the Package is describing a
> > > > binary artifact, then that's where the PackageDownloadLocation would
> > > > point to.
> > > >
> > > > Best,
> > > > Steve
> > > >
> > > > On Tue, Mar 2, 2021 at 11:04 AM Sebastian Schuberth <[email protected]> wrote:
> > > >>
> > > >> Hi,
> > > >>
> > > >> just a quick question about the PackageDownloadLocation [1]: When it
> > > >> does not contain a VCS URL, but a plain URL, is the URL then
> > > >> supposed to point to the *source* artifact for the package, or the
> > > >> *binary* artifact for the package?
> > > >>
> > > >> Given that the alternative VCS syntax obviously points to the source
> > > >> code, I would expect that also the plain URL syntax is supposed to
> > > >> point to a source artifact, but I couldn't find it spelled out in the
> > > >> spec.
> > > >>
> > > >> [1] https://spdx.github.io/spdx-spec/3-package-information/#37-package-download-location
> > > >>
> > > >> --
> > > >> Sebastian Schuberth
> > > >
> > > > --
> > > > Steve Winslow
> > > > VP, Compliance and Legal
> > > > The Linux Foundation
> > > > [email protected]

View/Reply Online (#4003): https://lists.spdx.org/g/Spdx-tech/message/4003
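The convention Sebastian arrives at in the top message (a VCS locator is source by construction; for a plain URL, FilesAnalyzed decides, with its default of true meaning the location holds what was analysed and an explicit false marking an unanalysed binary artifact), worked through as an added example in Python. This is not code from the SPDX project, from ORT, or from anyone in the thread. The tag/value document is constructed for the example, the tag/value reader only handles the four tags it needs, and the rule that a VCS revision contains no '/', ':', '@' or '#' is a simplifying assumption of this example, not something the spec states.

```python
"""Classify an SPDX 2.x PackageDownloadLocation as source or binary.

Added example for the spdx-tech thread; not SPDX-project or ORT code.
Convention applied: VCS locator => source; plain URL => source when
FilesAnalyzed is true (the SPDX default), binary when it is false.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# SPDX 2.x VCS locator: <vcs>+<url>[@<revision>][#<path>].
# Assumption of this example: a revision contains no '/', ':', '@' or '#',
# so "git+ssh://user@host/repo" is not misread as url "ssh://user".
_VCS_RE = re.compile(
    r"^(?P<vcs>git|hg|svn|bzr)\+(?P<url>.+?)(?:@(?P<rev>[^@#/:]+))?(?:#(?P<path>.+))?$"
)
_PLAIN_SCHEMES = ("http://", "https://", "ftp://")


@dataclass
class Package:
    spdxid: str
    name: str
    download_location: str
    files_analyzed: bool  # SPDX default is true when the tag is absent


def vcs_parts(location: str) -> Optional[dict]:
    """Split a VCS locator into vcs/url/rev/path; None if it is a plain URL."""
    if location.startswith("git://"):  # bare git scheme is also a VCS locator
        location = "git+" + location
    m = _VCS_RE.match(location)
    return m.groupdict() if m else None


def classify(pkg: Package) -> str:
    """'source', 'binary', 'none' or 'noassertion' for the download location."""
    loc = pkg.download_location
    if loc in ("NONE", "NOASSERTION"):
        return loc.lower()
    if vcs_parts(loc) is not None:
        return "source"  # a VCS checkout is source by construction
    if loc.startswith(_PLAIN_SCHEMES):
        # Thread convention: plain URL + FilesAnalyzed false => binary artifact.
        return "source" if pkg.files_analyzed else "binary"
    raise ValueError(f"unrecognised PackageDownloadLocation: {loc!r}")


def parse_tag_value(text: str) -> List[Package]:
    """Minimal tag/value reader: one Package per PackageName block.
    Reads only PackageName, SPDXID, PackageDownloadLocation and FilesAnalyzed;
    <text> values, file and snippet sections are ignored."""
    blocks: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"name": value, "SPDXID": "", "FilesAnalyzed": "true"}
            blocks.append(current)
        elif tag in ("FileName", "SnippetSPDXID"):
            current = None  # a file/snippet section ends the package block
        elif current is not None and tag in ("SPDXID", "PackageDownloadLocation", "FilesAnalyzed"):
            current[tag] = value
    packages = []
    for b in blocks:
        if "PackageDownloadLocation" not in b:  # mandatory in SPDX 2.x
            raise ValueError(f"{b['name']}: PackageDownloadLocation missing")
        packages.append(Package(b["SPDXID"], b["name"], b["PackageDownloadLocation"],
                                b["FilesAnalyzed"].lower() == "true"))
    return packages


# Constructed sample: source checkout, explicit binary, and the default case.
SAMPLE_DOCUMENT = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example

PackageName: libfoo-src
SPDXID: SPDXRef-Package-libfoo-src
PackageDownloadLocation: git+https://github.com/example/libfoo.git@v1.2.0
FilesAnalyzed: true

PackageName: libfoo-jar
SPDXID: SPDXRef-Package-libfoo-jar
PackageDownloadLocation: https://repo.example.org/libfoo/1.2.0/libfoo-1.2.0.jar
FilesAnalyzed: false

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageDownloadLocation: https://example.org/libbar-2.0.tar.gz
"""


def report(text: str) -> List[tuple]:
    """(package name, classification) for every package in the document."""
    return [(p.name, classify(p)) for p in parse_tag_value(text)]


if __name__ == "__main__":
    for name, kind in report(SAMPLE_DOCUMENT):
        print(f"{name}: {kind}")
```

The libbar package is the case the top message warns about: its tarball URL is classified as source purely because FilesAnalyzed was left at its default, so a producer that means a binary must write FilesAnalyzed: false explicitly, and a consumer should treat the absence of the tag as a statement, not as silence.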
