Re: [spdx-tech] Question about FileName syntaxe

Tue, 05 Sep 2023 08:43:35 -0700 

I would recommend against requiring the "./" prefix, but still require that the 
path be relative (and clarifying that is relative to the location of the 
package that the file is contained in). We may also want to clarify whether you 
can use Windows-style path separators ("\") or only Linux-style ones ("/"), and 
we should say that a relative path can't backtrack (i.e. no "..").

William
________________________________
From: [email protected] <[email protected]> on behalf of Dick 
Brooks via lists.spdx.org <[email protected]>
Sent: Tuesday, September 5, 2023 4:12 AM
To: 'Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)' 
<[email protected]>; 'spdx-tech' <[email protected]>
Subject: [EXTERNAL] Re: [spdx-tech] Question about FileName syntaxe


Many of the implementations that participated in the DocFest did not include 
the “relative path” (/) syntax. The online validation tool will pass an SBOM 
that does not contain the relative path filename syntax.



Thanks,



Dick Brooks

[cid:[email protected]]  [cid:[email protected]]

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership



Never trust software, always verify and 
report!<https://reliableenergyanalytics.com/products> ™

http://www.reliableenergyanalytics.com<http://www.reliableenergyanalytics.com/>

Email: [email protected]<mailto:[email protected]>

Tel: +1 978-696-1788





From: [email protected] <[email protected]> On Behalf Of 
Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Tuesday, September 5, 2023 6:44 AM
To: spdx-tech <[email protected]>
Subject: [spdx-tech] Question about FileName syntaxe



Hello,



This is related to https://github.com/spdx/Spdx-Java-Library/issues/195



FileName is defined in the spec as “a relative filename”.



So, we should reject as invalid a FileName starting with “/”.



The spec then says “In general, every filename is preceded with a ./”

Is this mandatory?



In other words, should we reject:

FileName: package/foo.c



What is your opinion?



Best regards,



Marc-Etienne Vargenau



--
Marc-Etienne Vargenau 
[email protected]<mailto:[email protected]>
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68<tel:+33624497868>

Senior Specialist Open Source
Planned absence: none






-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5331): https://lists.spdx.org/g/Spdx-tech/message/5331
Mute This Topic: https://lists.spdx.org/mt/101166533/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to