Hey William,
Initial reactions:
* I like the simplicity this introduces wrt consolidating various types of
identifiers in the model.
* I don’t like that this continues to co-mingle identifiers and locators,
and perpetuates some of the confusion caused by the way ExternalReferences are
defined in v2.x.
Two observations of previous SPDX decisions made:
1. The 3.0 model uses “ArtifactURI” rather than the subset of “ArtifactURL”
2. In the Defects WG we accepted this identifier/locator co-mingling as part
of the patch to v2.3 with the expectation that we would resolve it by ensuring
identifiers and locators are separate entities in v3.0.
How would you suggest accommodating this separation in the proposal?
One option would be to have “identifiedBy” and “locatedBy” both be on “Element”.
{
"SPDXID": "urn:spdx.dev:spdx-tools-3.0.0",
"name": "spdx-tools-3.0.0",
"locatedBy": [
{"type": "PURL", "locator": "pkg:..."}
],
"identifiedBy": [
{"type": "cpe22", "identifier": "..."},
{"type": "SWHID", "identifier": "..."}
]
}
- Jeff
From: <[email protected]> on behalf of "William Bartholomew (CELA) via
lists.spdx.org" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, May 9, 2022 at 8:00 PM
To: spdx-tech <[email protected]>
Subject: [spdx-tech] Simplifying Identities
I experimented with something around identities and I'm really liking the
simplicity, so I wanted to run it by you to get your thoughts:
* We keep "Identity" element with subclasses of "Person" and "Organization"
(I'm ignoring "Tool" for right now).
* Introduce a new data type "Identifier" which could have subtypes like
"EmailAddress" and "Login".
* Add a property to "Element" called "identifiedBy" which is a list of zero
or more "Identifier".
This means we can have a Person that looks like this:
{
"SPDXID": "urn:github.com:users:iamwillbar",
"type": "Person",
"name": "William Bartholomew",
"identifiedBy": [
{"type": "EmailAddress", "email": "[email protected]"},
{"type": "Account", "authority": "github.com", "username": "iamwillbar"}
]
}
This then got me thinking that "artifactUrl" on "Artifact" is just another form
of "Identifier", which means we could remove that property and so a "Package"
could look like this:
{
"SPDXID": "urn:spdx.dev:spdx-tools-3.0.0",
"name": "spdx-tools-3.0.0",
"identifiedBy": [
{"type": "PURL", "locator": "pkg:..."}
]
}
What does that remind you of? "ExternalReferences", so we can then remove those
and merge that concept into identifiers:
{
"SPDXID": "urn:spdx.dev:spdx-tools-3.0.0",
"name": "spdx-tools-3.0.0",
"identifiedBy": [
{"type": "PURL", "locator": "pkg:..."},
{"type": "cpe22", "locator": "..."},
{"type": "SWHID", "locator": "..."}
]
}
And because "identifiedBy" is on "Element" any new types we add in the future
can also have identifiers attached to them:
{
"SPDXID": "urn:cve:12345",
"name": "tkvideo has a memory issue in playing videos",
"identifiedBy": [
{"type": "CVE", "locator": "CVE-2022-24902"}
]
}
What do you all think?
Sent from Outlook<http://aka.ms/weboutlook>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4496): https://lists.spdx.org/g/Spdx-tech/message/4496
Mute This Topic: https://lists.spdx.org/mt/91005596/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
