Hi Sean and SPDX Tech Team,

Following up on our call today, I think we uncovered an important issue on how to handle classes like ExternalReference, VerificationMethod and the recently discussed CreationInfo (which I would term "non-Element classes") when viewed across different serialization units or documents.

I would like to make some progress on this issue and I can participate asynchronously through email. I'll be fully back online and re-joining the tech calls on the April 12th call.

I agree with Sean's assertion on the call that references to these classes should be considered local to the serialization unit of the SBOM (a.k.a. Document).

For JSON, YAML, XML and Tag/Value this is pretty straightforward since (I believe) the only way to reference SPDX objects outside the document is using the ExternalMap, which is restricted to Element classes.

For RDF, it gets a bit complicated since a Subject or Object can be a URI or Anonymous/Blank. A URI can reference things external to the serialization unit.

I can think of 3 ways to handle this:

1. Disallow use of URI types for references to these non-Element classes
2. Allow for URIs in addition to blank nodes but restrict the URIs to being within the serialization unit / Document namespace
3. Allow for any type of URI, but document that from an SPDX specification perspective they are only valid within the scope of the serialization unit

My current preference is #2 above.

There may be other options.

Let me know what you think.


Best regards,

Gary

-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: [email protected]

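As an added illustration of option #2 (example code written for this edit, not code from the SPDX project or from Gary): a small check that, given a document namespace, flags any non-Element node that is referenced by an IRI outside that namespace, while blank nodes and document-local IRIs pass. The SPDX class and property IRIs, the set of properties treated as non-Element references, and the sample triples are assumptions constructed for the example.

```python
import re

RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
# Assumed SPDX 3 namespace, class and property IRIs (placeholders, not the normative ones).
SPDX = "https://spdx.org/rdf/v3/Core/"
NON_ELEMENT_CLASSES = {SPDX + c for c in ("CreationInfo", "ExternalReference", "VerificationMethod")}
NON_ELEMENT_PROPERTIES = {SPDX + p for p in ("creationInfo", "externalReference", "verifiedUsing")}
# Subset of N-Triples: IRI or blank-node subject, IRI predicate, IRI/blank-node/literal object.
TRIPLE_RE = re.compile(
    r'^(<[^>]*>|_:\S+)\s+<([^>]*)>\s+(<[^>]*>|_:\S+|"[^"]*"(?:\^\^<[^>]*>)?)\s*\.$')

def parse_ntriples(text):
    """Return (subject, predicate IRI, object) tuples; nodes keep their <...> or _: form."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TRIPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable N-Triples line: {line}")
        triples.append(m.groups())
    return triples

def is_local(node, document_ns):
    """A blank node is always local; an IRI is local only if it lies within the document namespace."""
    return node.startswith("_:") or node.strip("<>").startswith(document_ns)

def check_local_scope(triples, document_ns):
    """Report non-Element nodes (typed as such, or targeted by a non-Element property) that are not local."""
    offending = set()
    for s, p, o in triples:
        if p == RDF_TYPE and o.strip("<>") in NON_ELEMENT_CLASSES and not is_local(s, document_ns):
            offending.add(s.strip("<>"))
        if p in NON_ELEMENT_PROPERTIES and not is_local(o, document_ns):
            offending.add(o.strip("<>"))
    return sorted(offending)

# Constructed sample: a blank-node CreationInfo, a document-namespace CreationInfo IRI, and one
# reference to a CreationInfo that lives in another document's namespace (the case option #2 rejects).
DOC_NS = "https://example.com/sbom-1/"
SAMPLE = f"""
<{DOC_NS}pkg-A> <{RDF_TYPE}> <{SPDX}Package> .
<{DOC_NS}pkg-A> <{SPDX}creationInfo> _:ci .
_:ci <{RDF_TYPE}> <{SPDX}CreationInfo> .
<{DOC_NS}pkg-B> <{SPDX}creationInfo> <{DOC_NS}creation-info-1> .
<{DOC_NS}creation-info-1> <{RDF_TYPE}> <{SPDX}CreationInfo> .
<{DOC_NS}pkg-C> <{SPDX}creationInfo> <https://other.example.org/sbom-9/creation-info-7> .
<https://other.example.org/sbom-9/creation-info-7> <{RDF_TYPE}> <{SPDX}CreationInfo> .
"""
```

Running `check_local_scope(parse_ntriples(SAMPLE), DOC_NS)` returns only the cross-document IRI, which is exactly the reference option #2 would disallow.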

View/Reply Online (#4398): https://lists.spdx.org/g/Spdx-tech/message/4398