We use <package-name>.spdx (e.g., busybox.1.22.1.spdx) for the following 
reasons:

1.      We typically ship tens (if not hundreds) of SPDX files for a single 
product release. We consolidate all the SPDX files in a single archive. They 
can't all be called LICENSE.spdx.

2.      A package may contain multiple sub packages and have multiple 
LICENSE.spdx files (albeit in different directories). This can be confusing.

3.      It is more immediately clear (self-descriptive) what the following file 
represents:
busybox.1.22.1.spdx
as opposed to
LICENSE.spdx (even within the package).

Although LICENSE.spdx might become common practice we are unlikely to use it.

- Mark



From: spdx-tech-boun...@lists.spdx.org 
[mailto:spdx-tech-boun...@lists.spdx.org] On Behalf Of g...@sourceauditor.com
Sent: Saturday, August 12, 2017 11:28 AM
To: spdx-tech@lists.spdx.org
Subject: [spdx-tech] SPDX file naming

I would like to bring an issue that was raised on the SPDX tools github repo 
regarding the name of the SPDX file to the larger mailing list: 
https://github.com/spdx/tools/issues/107#issuecomment-321548533

Background: Although an SPDX file was present in the repo, it was not easily 
found.  There are some references in the spec as to how to name the SPDX file, 
however, it isn't specific to source code repositories.

Proposal: Add a "best practice" and/or FAQ on how to name SPDX files in the 
source code repository.  There are a couple of proposals made in the issue by 
various contributors -

1)      LICENSE.spdx

2)      PACKAGE.spdx

3)      [packagename].spdx where packagename is the name of the package

Note that #3 is currently in use.

We should also decide the suffixes for tag/value and RDF (e.g. LICENSE.rdf or 
LICENSE.spdx.rdf).

Below are a few snippets from the issues list - please refer to the actual 
issue for more detail.

 wking<https://github.com/wking> commented 4 days 
ago<https://github.com/spdx/tools/issues/107#issuecomment-321168376>

On Tue, Aug 08, 2017 at 10:51:17PM -0700, stcroppe wrote:
> Need an SPDX file (files?) unless you think the SPDXParser.spdx file 
> covers this...

In benbalter/licensee#85<https://github.com/benbalter/licensee/issues/85>, 
@david-a-wheeler<https://github.com/david-a-wheeler> suggested LICENSE.spdx, 
and that seems like a good choice to me.

> Would think an SPDX folder might work or standard naming (project.spdx, 
> package.spdx)...

The spec also uses package.spdx in an example [1], so I think that would be a 
good choice as well.

[1]: https://spdx.org/spdx-specification-21-web-version#h.2p2csry

david-a-wheeler<https://github.com/david-a-wheeler> commented 2 days 
ago<https://github.com/spdx/tools/issues/107#issuecomment-321548533>

I think LICENSE.spdx is the better name. Many tools and documents already say 
that files named LICENSE are special.


silverhook<https://github.com/silverhook> commented 2 days 
ago<https://github.com/spdx/tools/issues/107#issuecomment-321653038>

I very much like the LICENSE.spdx option as well - it pops out, is more 
descriptive than other suggestions, and as 
@david-a-wheeler<https://github.com/david-a-wheeler> mentions, it looks like 
something both a human (or a tool) would be looking for.

The only downside I can see is that SPDX contains also technical info and maybe 
in the future those will be as interesting as the legal info stored in the same 
file.

Please let me know any thoughts.  We can also add this to one of the upcoming 
tech calls.

Thanks,
Gary

-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
Email: g...@sourceauditor.com<mailto:g...@sourceauditor.com>

_______________________________________________
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech
