The challenge is that SPDX doesn't require you to describe the contents of the package unless it's needed for your use cases. I've worked in several scenarios where the package-level information is sufficient, and calculating, knowing, and transporting around package content information would be unnecessary. When you have broad and deep dependency trees (*cough* npm *cough*), forcing the package contents to be part of the package element pulls in an immense amount of information which may be completely unnecessary; the NTIA's minimum SBOM elements do not even require file-level information, only package-level information.
Additionally, we need to separate the metadata about the package from the package itself in this discussion. Yes, if a package's contents change it is a new package, but if we learn new metadata about a package's contents, does that require new package (not package contents) metadata? I could make arguments either way, but given the amount of information that we expect will be attached to element IDs, I lean towards them not being versioned if relationship metadata (including contains) changes. Your comment about dependencies focuses on incoming dependencies; outgoing dependencies are very similar to files, they are just "delayed" resolution files.

Regards,

William Bartholomew (he/him)
Principal Security Strategist
Global Cybersecurity Policy - Microsoft

My working day may not be your working day. Please don't feel obliged to reply to this e-mail outside of your normal working hours.

From: [email protected] <[email protected]> On Behalf Of David Kemp via lists.spdx.org
Sent: Tuesday, January 25, 2022 3:31 AM
To: SPDX-list <[email protected]>
Subject: [EXTERNAL] [spdx-tech] Is "contains" special?

The difference between "contains" and every other type of relationship is that it is the minimum essential requirement for some types to exist. A package cannot be a package without having contents. Its "packageness" is defined by the fact that it has contents. The same cannot be said for all of the other relationship types: a Package and a BOM can exist without patches, variants, ancestors, dependencies, examples, etc. If any of those other relationship types were essential for a Package or BOM to exist, then the model would include "dependency_element" and "patch_element" properties in addition to the contents ("element") property, and the version of the Package would change whenever those properties change.
The reason dependency is not a property is that a Package and its version don't change every time some other Package references / uses / becomes dependent on it. Contains is special and different from all other relationships because if the content of a Package changes, it is a different version of the Package.

Dave

View/Reply Online (#4336): https://lists.spdx.org/g/Spdx-tech/message/4336
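The point both messages turn on, whether a consumer can work from package-level data alone while "contains" stays available for those who need it, is easy to show on today's SPDX 2.2 JSON shape. The following Python is an added example, not code from the thread, from Microsoft or from the SPDX project, and it uses the 2.2 document layout rather than the 3.0 model being designed in the thread. It builds a constructed SBOM with package fields, DEPENDS_ON edges and file-level CONTAINS edges, runs an NTIA-minimum-elements check and a transitive dependency walk that read only package-level data, then strips every file-level relationship and shows neither result changes. Treating a purl as the "other unique identifier" and the exact field names checked are assumptions of this example, not a statement of what NTIA or SPDX require.

```python
"""Added example (not from the thread): package-level SBOM checks that never
touch file-level CONTAINS data, on a constructed SPDX 2.2-style document."""
from copy import deepcopy

# Constructed sample SBOM (not a real project's). One package, "unknown-lib",
# deliberately lacks version, supplier and purl so the NTIA check has something
# to report.
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "creationInfo": {
        "created": "2022-01-25T00:00:00Z",
        "creators": ["Tool: example-generator-0.1"],
    },
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example Org",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/example-app@1.0.0"}]},
        {"SPDXID": "SPDXRef-left-pad", "name": "left-pad", "versionInfo": "1.3.0",
         "supplier": "Person: Example Maintainer",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
        {"SPDXID": "SPDXRef-unknown-lib", "name": "unknown-lib"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-file-index", "fileName": "./index.js"},
        {"SPDXID": "SPDXRef-file-leftpad",
         "fileName": "./node_modules/left-pad/index.js"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-left-pad"},
        {"spdxElementId": "SPDXRef-left-pad", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-unknown-lib"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-index"},
        {"spdxElementId": "SPDXRef-left-pad", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-file-leftpad"},
    ],
}

# Package-level fields this example maps to the NTIA minimum elements
# (supplier, component name, version). "purl" stands in for "other unique
# identifiers"; that mapping is an assumption of this example.
NTIA_PACKAGE_FIELDS = ("name", "versionInfo", "supplier")


def ntia_gaps(doc):
    """Return {element id: [missing items]} for every package (and the document
    itself) lacking NTIA minimum data. Only package fields and creationInfo are
    read; the "files" list is never consulted."""
    gaps = {}
    info = doc.get("creationInfo", {})
    doc_missing = [k for k in ("creators", "created") if not info.get(k)]
    if doc_missing:
        gaps[doc["SPDXID"]] = doc_missing
    for pkg in doc.get("packages", []):
        missing = [f for f in NTIA_PACKAGE_FIELDS if not pkg.get(f)]
        has_purl = any(r.get("referenceType") == "purl"
                       for r in pkg.get("externalRefs", []))
        if not has_purl:
            missing.append("purl")
        if missing:
            gaps[pkg["SPDXID"]] = missing
    return gaps


def reachable(doc, root, rel_type):
    """Set of element ids reachable from root over relationships of one type
    (e.g. the transitive DEPENDS_ON closure). Cycles are tolerated."""
    edges = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == rel_type:
            edges.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    seen, stack = set(), [root]
    while stack:
        for nxt in edges.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def strip_file_level(doc):
    """Copy of doc without the files list and without any relationship that
    points at a file; package data and DEPENDS_ON edges are untouched."""
    file_ids = {f["SPDXID"] for f in doc.get("files", [])}
    out = deepcopy(doc)
    out.pop("files", None)
    out["relationships"] = [r for r in out.get("relationships", [])
                            if r["relatedSpdxElement"] not in file_ids]
    return out


if __name__ == "__main__":
    slim = strip_file_level(SAMPLE_DOC)
    print("NTIA gaps (full):", ntia_gaps(SAMPLE_DOC))
    print("NTIA gaps (slim):", ntia_gaps(slim))
    print("app depends on:", sorted(reachable(slim, "SPDXRef-app", "DEPENDS_ON")))
```

The slimmed document keeps three relationships (DESCRIBES and the two DEPENDS_ON edges), reports the same gap for `unknown-lib`, and yields the same dependency closure; only a CONTAINS walk comes back empty. That is the trade-off the thread is weighing: if contents are modelled as a relationship that a producer may omit, package-level consumers get a far smaller document, whereas if contents are an intrinsic property of the package element, every consumer carries them.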
