Greetings all,
+1 on not defining overlapping or duplicating terms with SPDX. REUSE and SPDX are already reasonably well aligned in terms of definitions, so I don't think it would be too much of a stretch to leverage some of the formats.
The one feature missing from SPDX is a pattern match for the files - this may be a useful feature to add to SPDX in general.
I completely agree with the concern on too many required fields. The SPDX community has removed many of the mandatory fields when a "filesAnalyzed=false" is used. Of course this does require the "filesAnalyzed" field since the default is set to true for compatibility. Somewhat inconvenient and perhaps something we should address in SPDX 3.0.
Another mandatory field which can be problematic is the SPDX document namespace. The value of this is required to be in a URI format and is required to be unique.
Let me know if there are other fields which are of concern.
One other thing to note, we are adding profiles in SPDX 3.0. Profiles is a defined subset of fields for a specific purpose. A group of automotive manufacturers are already using a profile for "SDPX Lite" in SPDX version 2.2 (see https://spdx.github.io/spdx-spec/appendix-VIII-SPDX-Lite/). SPDX Lite is a valid SPDX document intended to be built with minimal or no tools.
Let me know if there is interest in creating a REUSE profile in SPDX. The REUSE group could determine which fields are mandatory and which fields are optional. Myself and the SPDX tech team would be happy to collaborate on the effort.
Best regards, Gary
From: REUSE reuse-bounces@lists.fsfe.org On Behalf Of Geyer-Blaumeiser Lars (IOC/PDL4) Sent: Thursday, July 23, 2020 7:22 AM To: Max Mehl max.mehl@fsfe.org; reuse@lists.fsfe.org Subject: Re: [REUSE] REUSE.yaml
Hello Max, Matija,
from what I understand there will be further changes in SPDX 3.0 that will remove some of the mandatory stuff. I absolutely agree, that using SPDX should not add stuff not needed for the use case. And if this means that the SPDX file is not correct because some mandatory stuff is not included, this is a good hint for the SPDX community to think about the need for a mandatory field for the information.
Saying that, my basic intention is, that a REUSE.yaml file should not define fields and structures, which have the same meaning but are defined differently from SPDX. This would improve readability and processability of the files.
Mit freundlichen Grüßen / Best regards
Dr. Lars Geyer-Blaumeiser
Project Delivery - Open Source Services (IOC/PDL4) Bosch.IO GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | www.bosch.io http://www.bosch.io Mobil +49 172 4815079 | lars.geyer-blaumeiser@bosch.io mailto:lars.geyer-blaumeiser@bosch.io
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling
_____
Von: REUSE <reuse-bounces@lists.fsfe.org mailto:reuse-bounces@lists.fsfe.org > im Auftrag von Max Mehl <max.mehl@fsfe.org mailto:max.mehl@fsfe.org > Gesendet: Donnerstag, 23. Juli 2020 15:04:02 An: reuse@lists.fsfe.org mailto:reuse@lists.fsfe.org Betreff: Re: [REUSE] REUSE.yaml
~ Matija Šuklje [2020-07-22 13:54 +0200]:
Die 21. 07. 20 et hora 08:44 Geyer-Blaumeiser Lars (IOC/PDL4) scripsit:
I like the idea, but just a thought. There is the new yaml format in SPDX 2.2, and we are thinking around using this format to mark certain folders as open source component,
That is a great idea.
Yes, thanks for sharing this idea! Being compatible with other compliance projects is one of our core goals.
But you'd really go make a full SPDX valid file for that? How? There are quite a few fields there that are obligatory.
One potential issue might be the hash value. For marking 3rd party code
that's
a great boon, but for marking your own living code that might be a bit of
a
issue, if you need to change the hash value every time the code changes.
I see the same issues. Additionally, I am always having user-friendliness in mind which is another big goal of REUSE. The SPDX document seems to work with e.g. "licenseId", "licenseConcluded", "licenseDeclared". While these make sense in the SPDX radius, REUSE users are used to work with License-Identifier and FileCopyrightText. Just like with the snippets I am afraid of different "keys" for the same information.
Best, Max