From SPDX Wiki
- Gary O’Neall
- Bill Schineller
- Kirsten Newcomer
- Kate Stewart
- Rana Rahal
- Ed Warnicke
- Brandon Robinson
- Peter Williams
- Ed’s composite package proposal
- Git repos back online
Composite Package Proposal
- Ed walked through the proposal
- Discussion on the ACL – can be used to describe what is included or excluded – perhaps even what source files are used to produce a particular binary.
- Discussion on the domain model – should we be modeling general copyrightable material or modeling software packaging? Agree that we are not modeling the entire copyright domain. Mapping a subset of the copyright domain. The proposal is to model more of “copyrightable things” rather than just packages.
- Do we need to have more detail on the relationship between elements? (left open)
- Do we have a separate file for signature or do we have an “envelope” with a signature?
- Should we separate out the concept of what is physically included/embedded from the relationship of analyzed components? Should these be represented as separate graphs?
- Annotations approach compared to modifying a copy of an SPDX document. Annotations help solve the provenance problems. Annotation approach would be difficult for tools to recreate the new SPDX file representation. (left open)
- Example use cases – Different opinion on the licensing for the package, choice of a license for a package that offers license choices
- Alternative proposal – add an additional tag in an SPDX file to denote which SPDX file it is based on and what changes were made
- Do we care about backwards compatibility? Agree to have a future discussion.