Hi all,

with REUSE 3.2¹ out the door, there is another thing that has been baffling me for some time when it comes to SPDX File Tags².

When tagging source code files with SPDX tags, it may be useful to also designate the correct origin/provenance – either so your origin travels with your code, or if you pulled a file or snippet from elsewhere, but want to store its origin.

There are three problems I see:

1. File Tags are limited to File-level tags:

> The meaning and semantics of any SPDX file tag are intended to be identical
> to those described in the File Information (Clause 8) section of the SPDX
> specification.

while the External Repository Identifiers³ are referred to on Package-level⁴. There used to be `ArtifactOf[…]` tags that were used on a File-level, but these have been deprecated in favour of the External Repository Identifiers.

2. `ExternalRef` tags get quite long and unwieldy, definitely not something easy to write by hand. If I understand correctly, this would look something like:

`SPDX-PackageExternalRef PERSISTENT-ID swh swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`
`SPDX-PackageExternalRef PACKAGE-MANAGER purl pkg:gem/ruby-advisory-db-[email protected]`

3. There are potentially also `PackageOriginator`, `PackageSupplier` and `PackageDownloadLocation` tags. Technically PURL is a URL, so it would fit here, but that is not what the spec says.

I know everyone’s busy with SPDX 3.0, but REUSE / File Tags are out there and very useful, so I would like to keep them being useful.

cheers,
Matija

—
1 https://reuse.software/spec-3.2/
2 https://spdx.github.io/spdx-spec/v2.3/file-tags/
3 https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/
4 https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field

--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: [email protected]
matrix: @silverhook:matrix.org
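An added example, not part of the original message: a Python check that reads provenance tags written in the hypothetical `SPDX-PackageExternalRef` form guessed at in point 2, validates their syntax, and compares a `swh` reference against the upstream file content. It relies on the fact that a `swh:1:cnt:` identifier is the git blob SHA-1 of the content; the tag name, the function names and the sample header are assumptions constructed for illustration.

```python
import hashlib
import re

# Hypothetical tag form taken from the message; the SPDX File Tags annex does not define it.
TAG_RE = re.compile(r"SPDX-PackageExternalRef\s+(\S+)\s+(\S+)\s+(\S+)")
SWHID_CNT_RE = re.compile(r"^swh:1:cnt:[0-9a-f]{40}$")
PURL_RE = re.compile(r"^pkg:[a-z][a-z0-9.+-]*/\S+$")  # loose syntax check only

def swhid_for_content(data):
    """SWHID of file content: SHA-1 over the git blob header plus the bytes."""
    header = b"blob %d\0" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()

def parse_external_refs(source):
    """Collect every tag line with a flag saying whether its locator is well formed."""
    refs = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = TAG_RE.search(line)
        if not m:
            continue
        category, ref_type, locator = m.groups()
        if ref_type == "swh":
            valid = bool(SWHID_CNT_RE.match(locator))
        elif ref_type == "purl":
            valid = bool(PURL_RE.match(locator))
        else:
            valid = False
        refs.append({"line": lineno, "category": category, "type": ref_type,
                     "locator": locator, "valid": valid})
    return refs

def origin_matches(refs, upstream):
    """True if a well-formed swh reference names exactly these upstream bytes."""
    expected = swhid_for_content(upstream)
    return any(r["valid"] and r["type"] == "swh" and r["locator"] == expected
               for r in refs)

# Constructed sample: upstream bytes and a file header that records their origin.
UPSTREAM = b"puts 'hello'\n"
SAMPLE = "\n".join([
    "# SPDX-License-Identifier: MIT",
    "# SPDX-PackageExternalRef PERSISTENT-ID swh " + swhid_for_content(UPSTREAM),
    "# SPDX-PackageExternalRef PACKAGE-MANAGER purl pkg:gem/example-gem@1.0.0",
    # A hand-typed tag broken by a stray space, the failure mode long tags invite.
    "# SPDX-PackageExternalRef PERSISTENT-ID swh swh:1:cnt: deadbeef",
])

if __name__ == "__main__":
    for ref in parse_external_refs(SAMPLE):
        print(ref)
    print("origin verified:", origin_matches(parse_external_refs(SAMPLE), UPSTREAM))
```

The hash is computed over the upstream content, not over the tagged file, since adding the tag changes the tagged file's own hash.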
