*[William]* I'm really not sure where collections are coming into play here; maybe I'm missing something. SPDX has persistent element ids and we agree that elements are immutable; packages, collections, relationships, etc. are all elements and therefore are all immutable. However, the graph isn't immutable: as you add new immutable nodes (just like container image layers), the end result is different. If I start with a set of elements in my graph and I add new elements to the graph that give me new facts about those elements, my understanding changes; the element itself doesn't change, but the "aggregate" result of those elements is different.
I agree with all of that, but I don't understand how collections (the "elements" or "files" property of a Package element) cannot come into play. The graph isn't immutable, understanding changes, new facts can be added, and when all that happens, the question of "is the file with hash X a member of the package with hash Y" has to have a definitive answer. If the package artifact has Dick's "Product_Version_Timestamp" then the files in the package are semantically immutable regardless of how they are represented. If the package artifact isn't properly versioned, then when a hash is computed over the Package Element properties (including "files") it doesn't depend on all of the relationships that reference that package. If the Package Element just has a "Product" without a version that depends on the aggregate "files" result of the graph at a given timestamp, then isn't that a deficiency in how SPDX Elements describe artifacts? My main concern is satisfied: Elements are immutable, the graph changes over time. I just think that if a Package Element by itself doesn't capture the graph's aggregate view of the files in a package at a given point in time as asserted by a given actor (Microsoft should be more authoritative for the files in Microsoft's packages than Acme), something's missing. Without that, the ability to reason about packages is impaired.

Dave
