Hi Matija,

I think the purpose of the SPDX File Tags was intentionally limited to file-level metadata, since that’s what aligns with e.g. embedding inside a single source code file.

Where the goal is to convey package-level information, I’d guess it would probably be best to just create an actual SPDX document for the package metadata? See also this discussion thread from 2021/2022 regarding the idea of having a sort of “pre-SPDX” lightweight manifest that could be used to auto-generate an SPDX document: https://github.com/spdx/spdx-spec/issues/502#issuecomment-807414277.

Best,
Steve

On Aug 2, 2024, at 9:11 AM, Matija Šuklje via lists.spdx.org <[email protected]> wrote:

Hi all,

with REUSE 3.2¹ out the door, there is another thing that has been baffling me for some time when it comes to SPDX File Tags².

When tagging source code files with SPDX tags, it may be useful to also designate the correct origin/provenance – either so your origin travels with your code, or if you pulled a file or snippet from elsewhere, but want to store its origin.

There are three problems I see:

1. File Tags are limited to File-level tags:

   The meaning and semantics of any SPDX file tag are intended to be identical to those described in the File Information (Clause 8) section of the SPDX specification.

   while the External Repository Identifiers³ are referred to on Package-level⁴. There used to be `ArtifactOf[…]` tags that were used on a File-level, but these have been deprecated in favour of the External Repository Identifiers.

2. `ExternalRef` tags get quite long and unwieldy, definitely not something easy to write by hand. If I understand correctly, this would look something like:

   `SPDX-PackageExternalRef PERSISTENT-ID swh swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2`
   `SPDX-PackageExternalRef PACKAGE-MANAGER purl pkg:gem/ruby-advisory-db- [email protected]`

3. There are potentially also `PackageOriginator`, `PackageSupplier` and `PackageDownloadLocation` tags. Technically PURL is a URL, so it would fit here, but that is not what the spec says.

I know everyone’s busy with SPDX 3.0, but REUSE / File Tags are out there and very useful, so I would like to keep them being useful.

cheers,
Matija

—
1 https://reuse.software/spec-3.2/
2 https://spdx.github.io/spdx-spec/v2.3/file-tags/
3 https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/
4 https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field

--
gsm: tel:+386.41.849.552
www: https://matija.suklje.name
xmpp: [email protected]
matrix: @silverhook:matrix.org

View/Reply Online (#1908): https://lists.spdx.org/g/spdx/message/1908
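As an added example (not code from either message, nor from the SPDX or REUSE projects), a small Python checker in the spirit of point 1: it accepts Clause 8 file tags, flags Package Information fields such as `SPDX-PackageExternalRef` as having no file-tag form, and validates the `<category> <type> <locator>` shape of an ExternalRef against the SPDX 2.3 category/type tables. The file-tag set is an assumed subset of Clause 8, and the sample header is constructed (only the SWHID is the one quoted above).

```python
import re
# Fields SPDX 2.3 Clause 8 (File Information) lets a file tag carry (assumed subset).
FILE_LEVEL_TAGS = {"SPDX-License-Identifier", "SPDX-FileCopyrightText",
                   "SPDX-FileContributor", "SPDX-FileType", "SPDX-FileComment"}
# ExternalRef categories and the reference types SPDX 2.3 defines for each (None: any type).
EXTERNAL_REF_TYPES = {
    "SECURITY": {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"},
    "PACKAGE-MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
    "PERSISTENT-ID": {"swh", "gitoid"},
    "OTHER": None,
}
# Optional comment prefix, tag name, optional colon, then the value.
TAG_RE = re.compile(r"^\W*(SPDX-[\w-]+):?\s+(.+?)\s*$")

def parse_external_ref(value):
    """Split '<category> <type> <locator>' and validate it against the SPDX 2.3 tables."""
    parts = value.split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected '<category> <type> <locator>', got {value!r}")
    category, ref_type, locator = parts
    if category not in EXTERNAL_REF_TYPES:
        raise ValueError(f"unknown ExternalRef category {category!r}")
    allowed = EXTERNAL_REF_TYPES[category]
    if allowed is not None and ref_type not in allowed:
        raise ValueError(f"type {ref_type!r} is not defined for category {category}")
    return category, ref_type, locator

def check_file_tags(text):
    """Return (accepted, problems): Clause 8 tags by name, plus (lineno, reason) for the rest."""
    accepted, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not (m := TAG_RE.match(line)):
            continue
        tag, value = m.groups()
        if tag in FILE_LEVEL_TAGS:
            accepted[tag] = value
            continue
        # Package Information (Clause 7) fields have no file-tag form: the gap raised in the thread.
        problems.append((lineno, f"{tag} is not a Clause 8 file tag"))
        if tag == "SPDX-PackageExternalRef":
            try:
                parse_external_ref(value)
            except ValueError as exc:
                problems.append((lineno, str(exc)))
    return accepted, problems

# Constructed sample header; the SWHID is the one quoted in the thread, the purl is made up.
SAMPLE = """# SPDX-License-Identifier: MIT
# SPDX-PackageExternalRef PERSISTENT-ID swh swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2
# SPDX-PackageExternalRef PERSISTENT-ID purl pkg:gem/example-gem@1.0.0"""
```

Running `check_file_tags(SAMPLE)` accepts only the license tag and reports the two package-level lines, with the third line additionally rejected because `purl` is a PACKAGE-MANAGER type, not a PERSISTENT-ID one.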
