David's correct. The actor is a lightweight data type that can capture the name and identifiers observed performing an action in the supply chain. If you want to capture additional information about the actor, then you can link it to a subclass of identity that is then a full element. This helps avoid a circular dependency with the creator.
If we wanted to, we could go a step further and:

1. Create an Actor interface (that has name, externalIdentifiers, ...)
2. Have the Actor class implement the Actor interface
3. Have the Identity class also implement the Actor interface

This would allow you to use SimpleActor if you want the lightweight representation, it still allows you to use an Identity where an Actor is expected, and tools can just code against the Actor interface if they don't need any of the extra information from the identity.

Regards,

William Bartholomew (he/him)
Principal Security Strategist
Global Cybersecurity Policy – Microsoft

________________________________
From: [email protected] <[email protected]> on behalf of David Kemp via lists.spdx.org <[email protected]>
Sent: Wednesday, November 9, 2022 8:44 AM
To: SPDX-list <[email protected]>
Subject: [EXTERNAL] Re: [spdx-tech] Actor datatype

William can confirm, but I believe his rationale was that subelements of Identity (Person, Organization, Tool) would be used in conjunction with relationships to capture complex concepts (such as giving names to a group of identifiers, mapping identifiers to identities over specified time periods, etc.) for use cases needing that information to be captured in BOMs. For simple v2 use cases and backwards compatibility, the actor identifiers are sufficient. Identity elements can optionally enrich each identifier either within BOMs where they appear or be created at a later date.

David

On Tue, Nov 8, 2022 at 12:05 PM Robert A Martin <[email protected]> wrote:

David,

That isn’t my recollection of the conversation. Making it a data type breaks huge functionality that is key to linking SBOMs to other enterprise activities.
Bob

________________________________
From: [email protected] <[email protected]> on behalf of David Kemp <[email protected]>
Sent: Tuesday, November 8, 2022 10:31:42 AM
To: SPDX-list <[email protected]>
Subject: [EXT] [spdx-tech] Actor datatype

Punchlist item: Last week we decided that Actor should have always been a datatype rather than an Element as previously shown on the model diagram. The Actor datatype should label its identifiers without requiring any association with Identity elements.

This example File element shows how "creator" looks with "Identifier" having a specified syntax (name, email, uri, ...) and Actor being an Identifier having a specified subject type (person, organization, tool, any):

    {
      "id": "urn:acme.dev:artifacts:gnu-coreutils/v9.1/src/du.c",
      "type": {
        "file": {
          "filePurpose": ["APPLICATION", "SOURCE"]
        }
      },
      "creator": [
        {"person": {"email": "[email protected]"}}
      ],
      "created": "2022-04-05T22:00:00Z",
      "specVersion": "3.0",
      "profiles": ["Core", "Software"],
      "dataLicense": "CC0-1.0"
    }

View/Reply Online (#4838): https://lists.spdx.org/g/Spdx-tech/message/4838
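
The interface proposal in William's message (an Actor interface implemented by both the lightweight datatype and the Identity element), sketched in Python as an added example; it is not part of the thread and not SPDX project code. The class and function names, the handling of "name" as the actor's name, and the sample element values are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterable, Optional, Protocol

# Every name here is an assumption for illustration, not the SPDX 3.0 model.
SUBJECT_TYPES = {"person", "organization", "tool", "any"}

class Actor(Protocol):
    """Interface: the minimum a tool needs to know about who acted."""
    subject_type: str
    name: Optional[str]
    external_identifiers: dict  # identifier syntax (email, uri, ...) -> value

@dataclass(frozen=True)
class SimpleActor:
    """Lightweight datatype: no element id and no creator of its own."""
    subject_type: str
    name: Optional[str] = None
    external_identifiers: dict = field(default_factory=dict)

@dataclass
class Identity:
    """Full element: has an id, so relationships can point at it."""
    id: str
    subject_type: str
    name: Optional[str] = None
    external_identifiers: dict = field(default_factory=dict)
    # The creator is an Actor, never an Identity, so no element cycle arises.
    creator: list = field(default_factory=list)

def parse_creators(element: dict) -> list[SimpleActor]:
    """Read "creator" entries shaped like {"person": {"email": "..."}}."""
    actors = []
    for entry in element.get("creator", []):
        if len(entry) != 1 or next(iter(entry)) not in SUBJECT_TYPES:
            raise ValueError(f"unrecognised creator entry: {entry!r}")
        (subject, idents), = entry.items()
        idents = dict(idents)  # copy so the caller's element is not mutated
        actors.append(SimpleActor(subject, idents.pop("name", None), idents))
    return actors

def creator_labels(actors: Iterable[Actor]) -> list[str]:
    """A tool coded against the interface only; accepts either class."""
    return [f"{a.subject_type}:"
            f"{a.name or next(iter(a.external_identifiers.values()), 'unknown')}"
            for a in actors]

# Constructed sample in the shape of the File element above (values made up).
FILE_ELEMENT = {
    "id": "urn:example:artifacts:du.c",
    "creator": [{"person": {"email": "alice@example.com"}},
                {"tool": {"name": "build-bot"}}],
}
```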
