There are a couple of reasons why this is helpful:

  1. Since the path is relative to the root of the package, a relative path in an image is equivalent to an absolute path.
  2. We don't want paths to refer to things outside of the package (particularly for package managers that don't have as strict of a boundary as images do), e.g. no "/home/william/my-secret-stuff".
  3. If you have the same set of files embedded in multiple packages you can reuse the file elements; this is useful for example if you want to represent a directory of files within an archive and then to represent that same directory of files when it's extracted to a different location.

Makes sense re: RFC-3986, thanks for calling that out (I had it in my mind that 
this was a plain string, not a URI).

William
________________________________
From: [email protected] <[email protected]> on behalf of Keith 
Zantow via lists.spdx.org <[email protected]>
Sent: Tuesday, September 5, 2023 8:56 AM
To: spdx-tech <[email protected]>
Subject: [EXTERNAL] Re: [spdx-tech] Question about FileName syntaxe

I'm curious what the motivation is for paths being relative. If I scan an 
image, for example, I would expect to see absolute paths to the files within 
the image filesystem, rather than those being translated to relative paths.

Cheers,
-Keith

On Tue, Sep 5, 2023 at 11:48 AM Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay) <[email protected]> wrote:

Hi William,

I think https://www.ietf.org/rfc/rfc3986.txt only allows “/”, not “\”.

Marc-Etienne

--
Marc-Etienne Vargenau
[email protected]
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68

Senior Specialist Open Source
Planned absence: none

From: William Bartholomew (CELA) <[email protected]>
Date: Tuesday, 5 September 2023 at 17:43
To: Marc-Etienne Vargenau (Nokia) <[email protected]>, 'spdx-tech' <[email protected]>, Richard Brooks <[email protected]>
Subject: Re: [EXTERNAL] Re: [spdx-tech] Question about FileName syntaxe

I would recommend against requiring the "./" prefix, but still require that the path be relative (and clarifying that it is relative to the location of the package that the file is contained in). We may also want to clarify whether you can use Windows-style path separators ("\") or only Linux-style ones ("/"), and we should say that a relative path can't backtrack (i.e. no "..").

William
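
The rules proposed in the message above (relative to the package, "/" as the only separator per RFC 3986, no ".." backtracking, "./" optional), together with the reasons given in the later reply at the top of the thread (a FileName must not point outside the package and should resolve the same way against any extracted location), can be turned into a small validator. The following is an added example; it is not SPDX project code and was not posted by anyone in this thread. The function names and the package root path are assumptions made here, and the sample FileName values are constructed (two of them are the strings quoted in the thread).

```python
"""Check SPDX FileName values against the rules proposed in this thread.
Added example; it is not SPDX project code and the function names are
assumptions made here, not spec terms."""
import posixpath
import re

# A Windows drive prefix such as "C:" is another form of absolute path.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def filename_problems(name: str) -> list[str]:
    """Return every rule the FileName violates; an empty list means it passes.

    Rules (from the thread): relative to the package, "/" as the only
    separator (RFC 3986), no ".." backtracking, "./" prefix optional.
    """
    if not name:
        return ["empty FileName"]
    problems = []
    if "\\" in name:
        problems.append("backslash separator: RFC 3986 paths use '/' only")
    if name.startswith("/"):
        problems.append("absolute path: FileName must be relative to the package")
    if _DRIVE_RE.match(name):
        problems.append("drive letter: FileName must be relative to the package")
    if ".." in name.split("/"):
        problems.append("'..' segment: a relative path must not backtrack")
    if not problems and posixpath.normpath(name) == ".":
        problems.append("names the package root rather than a file")
    return problems


def canonical_filename(name: str) -> str:
    """Canonical form with exactly one "./" prefix, so that
    "package/foo.c" and "./package/foo.c" compare equal."""
    problems = filename_problems(name)
    if problems:
        raise ValueError("; ".join(problems))
    # normpath collapses "./", "//" and "a/./b"; ".." was rejected above.
    return "./" + posixpath.normpath(name)


def resolve_in_package(package_root: str, name: str) -> str:
    """Locate a package-relative FileName once the package sits at
    package_root (a POSIX path). The same FileName resolves against any
    root, which is what lets file elements be reused across packages."""
    rel = canonical_filename(name)[2:]
    full = posixpath.normpath(posixpath.join(package_root, rel))
    root = posixpath.normpath(package_root)
    # The validation above already rejects "..", but a consumer should
    # still confirm the resolved path stays inside the package root.
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"{name!r} escapes {package_root!r}")
    return full


if __name__ == "__main__":
    # Constructed sample values, including the two quoted in the thread.
    for sample in ["./package/foo.c", "package/foo.c",
                   "/home/william/my-secret-stuff", "package\\foo.c",
                   "../outside.c"]:
        print(f"{sample!r:35} -> {filename_problems(sample) or 'ok'}")
    # Hypothetical extraction location for the package.
    print(resolve_in_package("/tmp/extracted", "package/foo.c"))
```

Because canonical_filename() strips or adds the "./" prefix before comparison, a producer can emit either "package/foo.c" or "./package/foo.c" and a consumer treats them as the same file, which matches the position that "./" should stay optional while the path itself stays relative.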

________________________________

From: [email protected] <[email protected]> on behalf of Dick Brooks via lists.spdx.org <[email protected]>
Sent: Tuesday, September 5, 2023 4:12 AM
To: 'Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)' <[email protected]>; 'spdx-tech' <[email protected]>
Subject: [EXTERNAL] Re: [spdx-tech] Question about FileName syntaxe

Many of the implementations that participated in the DocFest did not include 
the “relative path” (/) syntax. The online validation tool will pass an SBOM 
that does not contain the relative path filename syntax.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Tuesday, September 5, 2023 6:44 AM
To: spdx-tech <[email protected]>
Subject: [spdx-tech] Question about FileName syntaxe

Hello,

This is related to https://github.com/spdx/Spdx-Java-Library/issues/195

FileName is defined in the spec as “a relative filename”.

So, we should reject as invalid a FileName starting with “/”.

The spec then says “In general, every filename is preceded with a ./”

Is this mandatory?

In other words, should we reject:

FileName: package/foo.c

What is your opinion?

Best regards,

Marc-Etienne Vargenau

--
Marc-Etienne Vargenau
[email protected]
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68

Senior Specialist Open Source
Planned absence: none

View/Reply Online (#5336): https://lists.spdx.org/g/Spdx-tech/message/5336