On Tue, Jul 19, 2022 at 2:00 PM William Bartholomew (CELA) via lists.spdx.org <[email protected]> wrote:
> *Individual serializations may have constraints that require them to > select a certain option or wrap an option in another option, for example, > XML always has a single root, JSON-JD is always a list.* > This is proof that serialization must be independent of the logical graph. An XML structure with a single root MUST represent the identical.set of Element values as a JSON-LD structure with a list. *When the root is an array, consumers lose any ability to “address” the > root (e.g. if they wanted to attach annotations or other information to the > root), it requires the producer to intend the consumer to be able to do > this and to make the decision to wrap a collection around the elements, > while the consumer could do this post facto there would be no shared > identity with the producer. This was one of the reasons that SPDXID was > required on all SPDX elements in 2.x, because it gave the consumer options > to attach information even if that was not the intent of the producer, > because the producer does not know all of the consumers use cases for the > information or future use cases they may want to apply.* > This is not true. Regardless of what you call the element that describes the serialized data file (call it "SpdxFile" or "TransferUnit" to avoid confusion from using the name "Document"), it can be included in the array, and can be annotated and have relationships inbound and outbound just like every other element. Yes the producer can choose to include or not include that element in the array, but there isn't any complicated set of rules to decide what the serialized data looks like, it's always a group of one or more elements serialized as an array (or map). The SpdxFile element is either present or not in the array, depending on the producer's intention that the particular grouping of elements means something worth preserving in the graph. A producer that serializes 6 license elements into a file, or 4 licenses in one file plus two licenses in another file, just wants to insert 6 licenses into the graph. If the combination of file(s) that were used to convey them has no meaning to the producer, then he doesn't include SpdxFile elements that can be annotated. If a consumer later decides that a group of 5 of those licenses has meaning as a group, the consumer can create an SpdxFile element that references the one or two files created (and signed, if end-to-end integrity is desired) by the producer. That group of 5 can then be annotated by the consumer or anyone else. Regards, David -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#4669): https://lists.spdx.org/g/Spdx-tech/message/4669 Mute This Topic: https://lists.spdx.org/mt/92488223/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
