Hello,
I am quite new to SPDX and REUSE. In only one file of my project I need to set the version of the package explicitly in the context of SPDX. I read about "packageVersion" in the specs:
https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field
My problem is that I don't know how to use this in Python code. I tried this with two variants of package version.

# SPDX-FileCopyrightText: © 2023 Christian BUHTZ c.buhtz@posteo.jp
# PackageVersion: 1.2.3
# SPDX-PackageVersion: 1.2.3
# SPDX-License-Identifier: GPL-3.0-only
#
# This file is part of the program "Hyperorg" which is released under GNU
# General Public License v3 (GPLv3).
# See folder LICENSES or go to https://www.gnu.org/licenses/#GPL.
Then "reuse lint" didn't mention an error. Then I used "reuse spdx" and checked the output for that file:

FileName: ./src/hyperorg/exporter.py
SPDXID: SPDXRef-53df60eaa649de974734329cc7c77625
FileChecksum: SHA1: 7224b16f4bf06c8465cce8013b4cb9900cf063fe
LicenseConcluded: NOASSERTION
LicenseInfoInFile: GPL-3.0-only
FileCopyrightText: <text>SPDX-FileCopyrightText: © 2023 Christian BUHTZ c.buhtz@posteo.jp</text>

You can see here that the version is missing. That is why I think I am doing something wrong. But I don't know how to fix this, or whether even "reuse spdx" is not working correctly? (see https://github.com/fsfe/reuse-tool/issues/935)
Thanks in advance, Christian Buhtz
Dear Christian,
> I am quite new to SPDX and REUSE. In only one file of my project I need to set the version of the package explicitly in the context of SPDX. I read about "packageVersion" in the specs:
I am afraid there is a general misunderstanding. SPDX and REUSE have an overlap in the sense that REUSE "borrows" a few things from SPDX (e.g. the tag names, the license identifiers and a few logics). But REUSE has some logic that is not expressed in the SPDX spec, and its focus is much narrower. This overlap is mostly described in Annex H of the 2.3 SPDX spec which is about conveying SPDX *file* and *snippet* information directly in source code files: https://spdx.github.io/spdx-spec/v2.3/file-tags/
So, the first mistake is trying to convey *package* information in source code files, which is supported by neither REUSE nor SPDX. The second misunderstanding is how `reuse spdx` works. It doesn't take all kinds of metadata information from the file but just the things that are relevant to REUSE: licensing and copyright (and a few optional tags, collaborator/author IIRC).
That means, you can certainly use that field in source code files, but it's not and will never be covered by the REUSE spec. Following the current logic, this probably would be `SPDX-PackageVersion` or even `SPDX-PackagePackageVersion`, but again, putting package-level metadata in individual files doesn't really make sense IMHO.
Best, Max
--
Max Mehl
Open Source Strategy & Governance
Enterprise-Team Chief Technology Office (CTO), T.IP E-T-378
DB Systel GmbH
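As an added illustration of the point above (this is not code from reuse-tool or from either poster), a small Python check that reads the Annex H style `SPDX-<Tag>: value` lines from a file header, keeps the REUSE file-level tags, and reports any other SPDX-prefixed tag, which is what happens to `SPDX-PackageVersion` in the question. The set of recognised tags is an assumption based on the REUSE spec, not taken from reuse-tool's source.

```python
import re
from typing import Dict, List, Tuple

# Assumption (not reuse-tool's code): the file-level tags REUSE reads from
# source headers. Package-level SPDX fields such as PackageVersion are not
# among them, so a tool like `reuse spdx` has no reason to emit them.
REUSE_FILE_TAGS = {
    "SPDX-FileCopyrightText",
    "SPDX-License-Identifier",
    "SPDX-FileContributor",
}

# Matches Annex H style tags inside comment lines, e.g.
# "# SPDX-License-Identifier: GPL-3.0-only" or "// SPDX-FileCopyrightText: ..."
TAG_RE = re.compile(r"^\W*(?P<tag>SPDX-[A-Za-z][A-Za-z-]*):\s*(?P<value>.+?)\s*$")


def parse_header(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split a file header into (recognised REUSE tags, ignored SPDX-prefixed tags)."""
    recognised: Dict[str, List[str]] = {}
    ignored: List[str] = []
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue  # plain comment, or a bare "PackageVersion:" with no SPDX- prefix
        tag, value = m.group("tag"), m.group("value")
        if tag in REUSE_FILE_TAGS:
            recognised.setdefault(tag, []).append(value)
        else:
            ignored.append(f"{tag}: {value}")
    return recognised, ignored


# Constructed sample header, modelled on the one in the question.
SAMPLE_HEADER = """\
# SPDX-FileCopyrightText: © 2023 Christian BUHTZ c.buhtz@posteo.jp
# PackageVersion: 1.2.3
# SPDX-PackageVersion: 1.2.3
# SPDX-License-Identifier: GPL-3.0-only
"""

if __name__ == "__main__":
    tags, dropped = parse_header(SAMPLE_HEADER)
    for tag, values in tags.items():
        print(f"{tag}: {', '.join(values)}")
    for entry in dropped:
        print(f"ignored (not a REUSE file tag): {entry}")
```

Running it on the sample header lists only the copyright and license tags and flags `SPDX-PackageVersion: 1.2.3` as ignored.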
Dear Max,
Thanks for the reply. Nice to know that DB is involved in things like this. :)
On 2024-03-25 10:06 Max Mehl Max.Mehl@deutschebahn.com wrote:
> I am afraid there is a general misunderstanding. SPDX and REUSE have an overlap in the sense that REUSE "borrows" a few things from SPDX [...] So, the first mistake is trying to convey *package* information in source code files, which is supported by neither REUSE nor SPDX. The second misunderstanding is how `reuse spdx` works. It doesn't take all kinds of metadata information from the file but just the things that are relevant to REUSE

I got it. Thanks for explaining.

> putting package-level metadata in individual files doesn't really make sense IMHO.

I do agree now.
Best regards, Christian Buhtz