Dear all,
Thanks to everyone who cast a vote and participated in the discussion
around this data type. Here are the results of the vote:
'Object' option-------- 0 votes
'Array' option--------- 2 votes (Alexios and David)
'String' option-------- 1 vote (Karsten)
As such, we'll use the 'Array' option for representing CPE values in
the Canonical Serialisation going forward.
Looking forward to seeing you at the meeting today to continue the
discussion on other aspects!
Best wishes,
Sebastian
On Sat, Aug 06, 2022 at 12:21:23AM +0100, Sebastian Crane wrote:
> Dear all,
>
> We had a very productive Canonicalisation Committee meeting today, in which we
> explored the many aspects of CPEs and discussed their representation in the
> SPDX
> Canonical Serialisation. There are two forms of CPE which we support as
> External
> Reference Types in SPDX: CPE version 2.2 from 2009, and CPE version 2.3
> from 2011. They differ a little from each other in terms of their usual string
> representation, but share the same basic constructs.
>
> During the meeting, we came up with three different JSON representations that
> would be suitable for encoding CPE information unambiguously. As all three
> could
> be used in the Canonical Serialisation, we decided to call a vote as to which
> was preferred by the SPDX community, including tooling developers intending to
> support the Canonical Serialisation for SPDX 3.0. Please feel free to vote,
> and
> make sure to cast it by means of a reply on this mailing list! :)
>
>
> --------------------------------------------------------------------------------
>
> 'Object' option:
>
> {"part":"a","product":"php5-common","vendor":"debian","version":"5.3.2-1"}
>
> 'Array' option:
>
> ["a","debian","php5-common","5.3.2-1"]
>
> 'String' option:
>
> "cpe:2.3:a:debian:php5-common:5.3.2-1:*:*:*:*:*:*:*"
>
>
> --------------------------------------------------------------------------------
>
> Please note that the Object option has key-value pairs sorted alphabetically
> by
> their key's name, as will be the case for all objects in the SPDX 3.0
> Canonical
> Serialisation.
>
> Versions 2.2 and 2.3 of the CPE specification are similar enough that we'll
> use
> the same format for both of them in the Canonical Serialisation.
>
> An important factor that we will discuss later (and which we're not voting on
> here) is how null (wildcard) attributes are represented. In these examples,
> I've
> omitted the null attributes for the Object and Array options, leaving out the
> entire key-value pair (for Object) and the null array elements (Array). We
> could
> just as easily define that the String option must also have trailing null
> attributes removed, and conversely we could specify that all attributes are
> present for the Object and Array options, requiring a special value (such as
> NULL or the empty string) as its value.
>
> I'll count the votes on Thursday the 11th of August. Feel free to discuss the
> relative merits of the options here on the mailing list, and I look forward to
> seeing which option wins! :)
>
> Best wishes,
>
> Sebastian
>
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4738): https://lists.spdx.org/g/Spdx-tech/message/4738
Mute This Topic: https://lists.spdx.org/mt/92846339/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
