My "ah ha" moment was internalizing the fact that "Elements are independent". Grouping of Elements is done for the purpose of serializing them into bytes of data, and must not affect the values of those Elements themselves. Grouping in the "real world" is modeled using Relationships (as you say) and using Composition (as the model has said until now).
Composition (Collection) is the correct relationship between a package and its files. CONTAINS is incorrect because it implies that File A cannot be a member of both Package 1 and Package 2 - if it is contained in one then it can't be contained in the other (without the outer package containing the inner package which contains the file). CONTAINS applies to bytes of data.

Yes it can be true that:

- PackageA (artifact) CONTAINS (relationship) FileA (artifact) and FileB (artifact)
- PackageB (artifact) CONTAINS (relationship) FileA (artifact) and FileC (artifact)

and if the bytes of FileA contained in PackageA are the same as the bytes of FileA contained in PackageB then all is cool. But that is a complex and unnecessary layering violation. At the model level Packages are COMPOSED of Files, leaving the details of guaranteeing integrity of FileA up to the implementation. There can be a single set of bytes or multiple copies of those bytes contained in multiple places - the only thing the model should care about is that if copies of FileA are CONTAINED in multiple places, then all of those copies must hash to the same value.

Dave

On Tue, Nov 23, 2021 at 11:56 AM William Bartholomew (CELA) via lists.spdx.org <[email protected]> wrote:

> The “ah ha” moment for me out of the last meeting was that ContextualCollection and Package were trying to do double duty, representing both a grouping of elements (metadata about artifacts) and describing the artifacts contained within another artifact. This also overlapped with the purpose of the CONTAINS relationship which is used to describe the artifacts contained within another artifact.
>
> If we split these purposes and say that:
>
> 1. ContextualCollection is a grouping of elements
> 2. Package is a grouping of artifacts
> 3. CONTAINS relationship is the only method to describe the artifacts contained within another artifact
>
> Then you get the benefits of grouping of elements (being able to refer to a set of elements so you can re-use them) but you avoid the multiple methods of describing artifacts contained within another artifact.
>
> A couple of examples:
>
> - These are logically equivalent:
>   - PackageA (artifact) CONTAINS (relationship) FileA (artifact) and FileB (artifact)
>   - PackageA (artifact) CONTAINS (relationship) PackageAContents (contextualcollection) which includes FileA (artifact) and FileB (artifact)
> - So are these:
>   - PackageA (artifact) DEPENDS_ON (relationship) PackageB (artifact) and PackageC (artifact)
>   - PackageA (artifact) DEPENDS_ON (relationship) PackageADependencies (contextualcollection) which includes PackageB (artifact) and PackageC (artifact)
>
> Another way of thinking about it is that ContextualCollection has meaning inside the SPDX realm whereas Relationships have meaning in the “real world”.
>
> Regards,
>
> William Bartholomew (he/him)
>
> Principal Security Strategist
>
> Cybersecurity Policy – Digital Diplomacy
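As an added illustration of the model both messages describe (not code from the SPDX project; the class and field names, the `copies` table and the sample digests are assumptions constructed for this example), the following Python resolves a relationship through a ContextualCollection so that both of William's spellings yield the same artifacts, and applies Dave's one integrity rule to copies of a file contained in several packages:

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Element:
    spdx_id: str
    kind: str         # "file", "package" or "collection" (assumed vocabulary)
    sha256: str = ""  # constructed sample digest, not a real file hash

@dataclass(frozen=True)
class Relationship:
    source: str     # spdx_id of the "from" element
    rel_type: str   # "CONTAINS", "DEPENDS_ON", ...
    targets: tuple  # spdx_ids of elements or of ContextualCollections

@dataclass
class Document:
    elements: dict = field(default_factory=dict)     # spdx_id -> Element
    collections: dict = field(default_factory=dict)  # collection id -> member ids
    relationships: list = field(default_factory=list)
    copies: list = field(default_factory=list)       # (package, file, digest of bytes shipped)

    def related(self, source: str, rel_type: str) -> frozenset:
        """Targets of a relationship with ContextualCollections expanded to their
        members: grouping is serialization convenience and must not change the set."""
        found = set()
        for r in self.relationships:
            if r.source == source and r.rel_type == rel_type:
                for t in r.targets:
                    found.update(self.collections.get(t, (t,)))
        return frozenset(found)

    def inconsistent_copies(self) -> list:
        """Copies whose shipped bytes do not hash to the file element's digest,
        i.e. the one integrity rule Dave leaves to the implementation."""
        return [(pkg, fid) for pkg, fid, digest in self.copies
                if digest != self.elements[fid].sha256]

def build_example() -> Document:
    """Constructed sample: PackageA contains via a ContextualCollection, PackageB directly."""
    d = Document()
    for eid, kind, h in [("FileA", "file", "aaa1"), ("FileB", "file", "bbb2"),
                         ("FileC", "file", "ccc3"),
                         ("PackageA", "package", ""), ("PackageB", "package", "")]:
        d.elements[eid] = Element(eid, kind, h)
    d.collections["PackageAContents"] = ("FileA", "FileB")
    d.relationships += [Relationship("PackageA", "CONTAINS", ("PackageAContents",)),
                        Relationship("PackageB", "CONTAINS", ("FileA", "FileC"))]
    d.copies += [("PackageA", "FileA", "aaa1"), ("PackageA", "FileB", "bbb2"),
                 ("PackageB", "FileA", "aaa1"), ("PackageB", "FileC", "ccc3")]
    return d
```

Because FileA is a single element referenced from two packages, the only thing a checker has to verify is that every shipped copy of it hashes to the element's digest.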
