THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Minutes/2019-07-23
From SPDX Wiki
July 23, 2019
Attendees
- Philippe Ombredanne
- Steve Winslow
- Gary O’Neall
- Jim Hutchinson
- Rohit Lodha
- Tushar MIttal
- Kate Stewart
SPDX prefixes to use in Source Files Appendix
- General agreement that SPDX-“TagValue label” - is ok.
- https://github.com/spdx/spdx-spec/issues/122
- Action: Use FileCopyrightText:
- SPDX-License-Identifer and SPDX-ConcludedLicense:
- Philip would like to see clarification come with this that
- SPDX-Licence-Identifer is an alias for SPDX-DeclaredLicense
- Philippe - wondering about introducing alisas when used in files.
- Use this as a way to recocile the two?
- Steve - Note that its different and explain why different.
- Which section of the SPDX can be included.
- File section tags, make sense. Package a little higher.
- FileComment - generator.
- Referring to origin package.
- Philippe - two things. Provide SPDX- prefix tags in files.
- Some inconsistencies. Specify and see how folks use.
- Subtle things. Missing tags at the file level. One is download URL for that file.
- Maybe should state at file level tags with file prefix.
- Find a way to specify.
- Package level fields? Details of parents in child as apposed to child in parent.
- Put files and package level information. Package level of document, go to file of document. Risk of confusion and inconsistencies. Two files side by side.
- Both have SPDX tags insided. What happens if refer to different package?
- Probably ok - tools should create two SPDX documents. Relations is an issue at the document level. When you assemble and collect at the file level.
- Fields just level - makes sense, and some missing should be added.
- Releationships/packages/etc. hard to include.
- Hierarchy of what developers put as documentation in code, when borrow code from somewhere from code. First is to put a URL. So, adding this to file level of the specification. Download URL not part of spec at all.
- Gary - Have to be careful of semantics of URL, made a copy vs. go to URL to download a copy. Package level could be confusing. Auditor perspective - Half to 3/4 is not the origin, copied from can’t be trusted.
Once we have the appendix. SPDX website, predigested version with examples for developers.
- Use this tag for this purpose…. easier for developer to see.
- Steve - specify which fields not appropriate to use.
- Kate- Put as a table, and leave out deprecated.