THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Proposals/2011-12-20/SPDX analysis history tracking"

From SPDX Wiki
Line 1: Line 1:
<h2>Status</h2><h2><strong>Draft</strong></h2><h2>Issue</h2><p>Currently there is no way track relationships between SPDX datasets.</p><p>For example, PostgreSQL project is most licensed under an MIT like license but has some code in the contrib directory which is GPL. If i want a PostgreSQL without any GPL obligations i can simply build it without the contrib directory. I can start with publicly available SPDX dataset for PostgreSQL, remove all files in the contrib directory from the dataset and save it as the SPDX dataset for my PostgreSQL w/o GPL project.</p><p>If i do this there is no way for someone else to know that my SPDX data is derived from the public PostgreSQL SPDX data. If any issues are found in the public SPDX data they might effect my SPDX data also. Or if someone found problems in my SPDX data it would be useful to track that issue back to the original source and fix it there.</p>
+
<h2>Status</h2><h2><strong>Proposed</strong></h2><h2>Issue</h2><p>Currently there is no way track relationships between SPDX datasets.</p><p>For example, PostgreSQL project is most licensed under an MIT like license but has some code in the contrib directory which is GPL. If i want a PostgreSQL without any GPL obligations i can simply build it without the contrib directory. I can start with publicly available SPDX dataset for PostgreSQL, remove all files in the contrib directory from the dataset and save it as the SPDX dataset for my PostgreSQL w/o GPL project.</p><p>If i do this there is no way for someone else to know that my SPDX data is derived from the public PostgreSQL SPDX data. If any issues are found in the public SPDX data they might effect my SPDX data also. Or if someone found problems in my SPDX data it would be useful to track that issue back to the original source and fix it there.</p><h2>Proposal</h2><p>Add an optional property to <code>SpdxDocument</code> which would specify another <code>SpdxDocument</code> from which it was derived. The <a href="http://dublincore.org/usage/terms/history/#isVersionOf-003"><code>isVersionOf</code></a> property in the Dublin Core vocabulary is widely used and has the correct semantics.</p><h3>Example (Turtle RDF)</h3><pre><code> &lt;http://example.com/spdx/postgresql-sans-contrib-9.1.2&gt; a :SpdxDocument; dc:isVersionOf &lt;http://postgresql.org/spdx/9.1.2&gt;; :describesPackage ... . </code></pre><h3>Example (Tag)</h3><pre><code> IsVersionOf: http://postgresql.org/spdx/9.1.2 </code></pre><p>The addition of this property would allow the history a particular SPDX dataset to be determined by following the isVersionOf properties of each <code>SpdxDocument</code>. Differences between any two <code>SpdxDocument</code>s could be determined by comparing the two dataset.</p><h2>Compatibility</h2><p>This change is fully backwards compatible for consumers that ignore properties they do not understand.</p>
 
+
<h2>Proposal</h2>
+
<p>Add an optional property to <code>SpdxDocument</code> which would specify another <code>SpdxDocument</code> from which it was derived. The <a href="http://dublincore.org/usage/terms/history/#isVersionOf-003"><code>isVersionOf</code></a> property in the Dublin Core vocabulary is widely used and has the correct semantics.</p>
+
 
+
<h3>Example (Turtle RDF)</h3>
+
<pre><code>
+
&lt;http://example.com/spdx/postgresql-sans-contrib-9.1.2&gt; a :SpdxDocument;  
+
  dc:isVersionOf &lt;http://postgresql.org/spdx/9.1.2&gt;;  
+
  :describesPackage ... .
+
</code></pre>
+
 
+
<h3>Example (Tag)</h3>
+
<pre><code>
+
IsVersionOf: http://postgresql.org/spdx/9.1.2
+
</code></pre>
+
 
+
<p>The addition of this property would allow the history a particular SPDX dataset to be determined by following the isVersionOf properties of each <code>SpdxDocument</code>. Differences between any two <code>SpdxDocument</code>s could be determined by comparing the two dataset.</p>
+
 
+
<h2> Compatibility <h2>
+
 
+
<p>This change is fully backwards compatible for consumers that ignore properties they do not understand.</p>
+
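Review bot: the Compatibility heading near the end of the added lines is opened twice and never closed (`<h2> Compatibility <h2>`); the second tag should be `</h2>` so the markup stays balanced. The added Proposal text also has two slips worth fixing in the same edit: "the history a particular SPDX dataset" is missing "of", and "comparing the two dataset" should read "datasets". The examples identify the parent document only by URI, so it would help to state whether that URI is expected to name one fixed revision of the parent.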

Revision as of 15:53, 21 December 2011

Status

Proposed

Issue

Currently there is no way to track relationships between SPDX datasets.

For example, the PostgreSQL project is mostly licensed under an MIT-like license but has some code in the contrib directory which is GPL. If I want a PostgreSQL without any GPL obligations, I can simply build it without the contrib directory. I can start with the publicly available SPDX dataset for PostgreSQL, remove all files in the contrib directory from the dataset and save it as the SPDX dataset for my PostgreSQL w/o GPL project.

If I do this, there is no way for someone else to know that my SPDX data is derived from the public PostgreSQL SPDX data. If any issues are found in the public SPDX data, they might affect my SPDX data also. Or, if someone found problems in my SPDX data, it would be useful to track that issue back to the original source and fix it there.

Proposal

Add an optional property to SpdxDocument which would specify another SpdxDocument from which it was derived. The <a href="http://dublincore.org/usage/terms/history/#isVersionOf-003">isVersionOf</a> property in the Dublin Core vocabulary is widely used and has the correct semantics.

Example (Turtle RDF)

<code>
<http://example.com/spdx/postgresql-sans-contrib-9.1.2> a :SpdxDocument;
  dc:isVersionOf <http://postgresql.org/spdx/9.1.2>;
  :describesPackage ... .
</code>

Example (Tag)

<code> IsVersionOf: http://postgresql.org/spdx/9.1.2 </code>

The addition of this property would allow the history of a particular SPDX dataset to be determined by following the isVersionOf properties of each SpdxDocument. Differences between any two SpdxDocuments could be determined by comparing the two datasets.
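
Following the chain as described above, as an added example that is not part of the original proposal: it walks IsVersionOf links across tag-format documents, stops on a loop or an unresolvable parent, and lists the files a derived document dropped. The sample documents, their FileName entries and the fetch callback are constructed for illustration; IsVersionOf is the tag as proposed on this page, and treating more than one parent as an error is an assumption.

```python
# Constructed sample documents, keyed by document URI (not real SPDX data).
CHILD = "http://example.com/spdx/postgresql-sans-contrib-9.1.2"
PARENT = "http://postgresql.org/spdx/9.1.2"
DOCS = {
    CHILD: "IsVersionOf: " + PARENT + "\nFileName: src/backend/main.c\n",
    PARENT: "FileName: src/backend/main.c\nFileName: contrib/example/example.c\n",
}

def tags(text, name):
    """Return every value of tag `name` in a tag-format document."""
    values = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:
            values.append(value.strip())
    return values

def history(uri, fetch):
    """Follow IsVersionOf links from `uri`. `fetch(uri)` is a hypothetical
    callback returning the document text, or None if it cannot be resolved.
    Returns (chain, status); on "unresolved" the chain ends at the URI that
    could not be fetched."""
    chain, seen = [], set()
    while uri is not None:
        if uri in seen:
            return chain, "cycle"          # a document names itself as an ancestor
        seen.add(uri)
        chain.append(uri)
        text = fetch(uri)
        if text is None:
            return chain, "unresolved"     # parent named but not retrievable
        parents = tags(text, "IsVersionOf")
        if len(parents) > 1:
            return chain, "ambiguous"      # assumption: at most one origin allowed
        uri = parents[0] if parents else None
    return chain, "complete"

def removed_files(child, parent, fetch):
    """Files present in the parent document but absent from the derived one."""
    return sorted(set(tags(fetch(parent), "FileName")) - set(tags(fetch(child), "FileName")))

if __name__ == "__main__":
    print(history(CHILD, DOCS.get))
    print(removed_files(CHILD, PARENT, DOCS.get))
```

An IsVersionOf value is a claim made by the derived document, so a consumer that relies on the chain should fetch each ancestor from a source it trusts.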

Compatibility

This change is fully backwards compatible for consumers that ignore properties they do not understand.