I think this is mostly accurate with a couple of caveats/observations:

  *   We have been very careful to not depend on ordering or creation time. The 
order of creation of elements has no implied meaning but is purely 
informational, the graph is what defines lineage. This is important because the 
description of an artifact (which is what an Element is) will happen after the 
creation of the artifact, by different parties, and at different times and the 
description of the artifact can evolve independently of the artifact as new 
knowledge about the artifact is acquired. This is also one of the reasons why 
most things are outside of the Element and reference the Element, this allows 
them to have a lifecycle independent of the Element they reference (e.g. you 
can add an Annotation, Relationship, etc. over time that references the same 
Element).
  *   I believe an already existing Element can be added to a Collection; this 
could be a reference to an Element in the same Document or it could be a 
reference to an external Element via ExternalMap. We do have an open discussion 
about whether you can copy the Element into the Document but that requires some 
way of verifying its integrity (which we haven't defined yet). This implies 
that an Element can logically be in multiple Collections. I'd be interested in 
the group's opinion on whether this is expected or desired. (This is independent 
of Relationship which provides a similar ability in a different way.)
  *   We made a deliberate decision to focus on logical design independent of 
physical implementation, however, it's important to validate that by dipping 
down to the implementation level to determine if it's practical and achieves 
what was intended. Some people will always be more comfortable at the 
syntax/concrete/implementation level, and we want to be inclusive and map those 
discussions to the logical model (or map the logical concepts to the physical 
implementations they're comfortable with).
  *   Element immutability in SPDX v2 and SPDX v3 (so far) is achieved by the 
Element "belonging" to a Document and having a cryptographic hash of that 
document. An Element being inside a Document and knowing the Document hasn't 
been tampered with lets us transitively know that an Element hasn't been tampered 
with. Allowing an Element to be independent of a Document and copied to different 
Documents (not referenced but copied) means that you need a way to verify the 
integrity of that Element; this is not a trivial problem to solve. The document 
reference + hash approach handles this relatively well but requires you to have 
a copy of the Document (it can be a cached copy).

Regards,

William Bartholomew (he/him) - Let's 
chat<https://outlook.office.com/findtime/vote?book=will...@microsoft.com&anonymous&ep=plink>
Principal Security Strategist
Cybersecurity Policy - Digital Diplomacy
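
The "document reference + hash" approach from the last bullet, as an added example that is not code from the SPDX project or from this thread: Document B pins Document A by a hash in its ExternalMap, and an Element of A is trusted only after the fetched (or cached) copy of A matches that hash. The JSON layout, the field names (`externalMap`, `verifiedUsing`, `locationHint`) and the `<document id>#<local name>` Element ids are assumptions for this example, not the official SPDX v3 serialization.

```python
import copy
import hashlib
import json

# Constructed sample documents (not real SPDX data). Element ids are URIs of the
# form "<document id>#<local name>", an assumption made for this example only.
DOC_A_ID = "https://example.invalid/docA"
PKG_ID = DOC_A_ID + "#pkg-1"
DOC_A = {
    "id": DOC_A_ID,
    "elements": [
        {"id": PKG_ID, "type": "Package", "name": "libfoo", "version": "1.2.3"},
        {"id": DOC_A_ID + "#file-1", "type": "File", "name": "libfoo.so"},
    ],
}


def canonical_bytes(obj) -> bytes:
    """Deterministic JSON encoding so the hash does not depend on key order or
    whitespace (the real SPDX canonicalisation rules are not modelled here)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def document_hash(document: dict) -> str:
    return hashlib.sha256(canonical_bytes(document)).hexdigest()


def external_map_entry(document: dict, location: str) -> dict:
    """Pin an external Document by id, location hint and hash (the ExternalMap
    idea from the thread; these field names are assumptions)."""
    return {
        "externalId": document["id"],
        "locationHint": location,
        "verifiedUsing": {"algorithm": "sha256", "hashValue": document_hash(document)},
    }


# Document B references an Element that lives in Document A.
DOC_B = {
    "id": "https://example.invalid/docB",
    "externalMap": [external_map_entry(DOC_A, "https://example.invalid/docA.json")],
    "elements": [
        {"id": "https://example.invalid/docB#rel-1", "type": "Relationship",
         "from": "https://example.invalid/docB#app",
         "relationshipType": "DEPENDS_ON", "to": PKG_ID},
    ],
}


def resolve_external_element(external_map: list, element_id: str, fetch) -> dict:
    """Return the referenced Element only if the Document it belongs to matches
    the hash pinned in the ExternalMap. `fetch(location)` returns a parsed
    Document; a cached copy is fine, as the reply notes."""
    doc_id, _, _local = element_id.partition("#")
    entry = next((e for e in external_map if e["externalId"] == doc_id), None)
    if entry is None:
        raise LookupError(f"no ExternalMap entry for {doc_id}")
    fetched = fetch(entry["locationHint"])
    if document_hash(fetched) != entry["verifiedUsing"]["hashValue"]:
        raise ValueError(f"{doc_id} does not match the pinned hash; its Elements cannot be trusted")
    for element in fetched["elements"]:
        if element["id"] == element_id:
            return element
    raise LookupError(f"{element_id} is not in {doc_id}")


def integrity_holds(external_map: list, element_id: str, fetch) -> bool:
    """Boolean wrapper: True when the Element resolves through a matching hash."""
    try:
        resolve_external_element(external_map, element_id, fetch)
        return True
    except (ValueError, LookupError):
        return False


def tampered_doc_a() -> dict:
    """A copy of Document A altered after Document B pinned its hash (constructed)."""
    doc = copy.deepcopy(DOC_A)
    doc["elements"][0]["version"] = "1.2.4"
    return doc


if __name__ == "__main__":
    print(resolve_external_element(DOC_B["externalMap"], PKG_ID, lambda _loc: DOC_A)["name"])
    print(integrity_holds(DOC_B["externalMap"], PKG_ID, lambda _loc: tampered_doc_a()))
```

Because the hash covers the whole Document, a change to any Element in A, even one B never references, also fails verification; that coupling is exactly why a copy of the Document (cached or fetched) is needed, and why copying a single Element into another Document would call for a separate per-Element integrity mechanism.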

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of David 
Kemp via lists.spdx.org
Sent: Monday, November 8, 2021 1:02 PM
To: SPDX-list <Spdx-tech@lists.spdx.org>
Subject: [EXTERNAL] [spdx-tech] Infinity Category Theory and SBOMs.

The October Scientific American had a fascinating article on mathematics: 
https://www.scientificamerican.com/article/infinity-category-theory-offers-a-birds-eye-view-of-mathematics1/
  I'm not a mathematician and most of the details are beyond my understanding, 
but the premise is crystal clear:
"How is it that mathematicians can quickly teach every new generation of 
undergraduates discoveries that astonished the previous generation's experts? 
Part of the answer has to do with recent developments in mathematics that 
provide a "birds-eye view" of the field through ever increasing levels of 
abstraction. ... As Eugenia Cheng puts it in The Art of Logic in an Illogical 
World, "a powerful aspect of abstraction is that many different situations 
become the same when you forget some details."

The transformation of SPDX from v2 to v3 based on ideas from 3T is a concrete 
example of abstraction.  Everything in v3 is a Graph consisting of Nodes with a 
uniform structure (classes derived from Element), connected by Edges (various 
kinds of relationships).  Starting with the logical model (the highest level of 
abstraction), making design decisions at the logical level and then validating 
them for feasibility at the information and data (syntax) levels is the process 
we seem to be following, but that process isn't explicitly described or 
universally understood.  And syntax-based design still seems to be with us.

We recently agreed that Elements are immutable.  That is fundamental to 
understanding SPDX as a graph - every Element in the continually expanding 
Element graph is *created*, and once created it never changes.  We then don't 
need to understand any specific details about SPDX in order to know that the 
set of all Elements ever created must be a DAG (directed acyclic graph) which 
has a topological (partial) ordering based on creation time.  (A linear or 
total ordering would mean that no two Elements have the same creation info, 
i.e., there is no such thing as an Element created within another Element.)

So based on causality (the laws of physics) and immutability (our agreement):

  *   A collection Element has a collection id and was created.
  *   Every Element that is a member of a collection logically either:

     *   a. has the same collection id and was created at the same instant by 
the same entity as the collection (call them internal Elements)
     *   b. has different or no collection id and was created prior to the 
collection (call them external Elements)
This is regardless of what, if any, creation properties are defined in the 
logical model. An Element that exists was by definition created by some entity 
at some point in time.

Do those bullets make sense?

Dave
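
The two cases in the bullets above, carried through as an added example (not code from the SPDX project or from either message): frozen dataclasses stand in for immutable Elements, a collection's members are classified as internal (case a) or external (case b), and a member whose creation time is later than the collection's is rejected as a causality violation. The class and field names (`CreationInfo`, `collection_id`, the `spdx:` ids) and the timestamps are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)  # frozen: once created, an Element never changes
class CreationInfo:
    created: datetime
    created_by: str


@dataclass(frozen=True)
class Element:
    id: str
    creation: CreationInfo
    collection_id: Optional[str] = None  # collection this Element "belongs" to, if any


@dataclass(frozen=True)
class Collection:
    id: str
    creation: CreationInfo
    members: Tuple[str, ...]  # ids of member Elements


def classify_members(collection: Collection, elements: Dict[str, Element]) -> Dict[str, List[str]]:
    """Split members into internal (case a) and external (case b).
    Anything else is logically impossible for an immutable graph and is rejected."""
    result: Dict[str, List[str]] = {"internal": [], "external": []}
    for member_id in collection.members:
        element = elements[member_id]
        if element.collection_id == collection.id:
            # Case a: same collection id, same instant, same creating entity.
            if element.creation != collection.creation:
                raise ValueError(f"{member_id} claims collection {collection.id} "
                                 "but has different creation info")
            result["internal"].append(member_id)
        elif element.creation.created < collection.creation.created:
            # Case b: created before the collection, by anyone.
            result["external"].append(member_id)
        else:
            raise ValueError(f"{member_id} was created at {element.creation.created.isoformat()}, "
                             f"not before or together with collection {collection.id}")
    return result


def membership_is_consistent(collection: Collection, elements: Dict[str, Element]) -> bool:
    try:
        classify_members(collection, elements)
        return True
    except ValueError:
        return False


def creation_order(elements: List[Element]) -> List[List[str]]:
    """Topological (partial) ordering by creation time: Elements sharing an
    instant are unordered relative to each other, so each instant is one group."""
    groups: Dict[datetime, List[str]] = {}
    for e in elements:
        groups.setdefault(e.creation.created, []).append(e.id)
    return [sorted(ids) for _, ids in sorted(groups.items())]


# Constructed sample data (not real SPDX content).
T0 = datetime(2021, 11, 8, 12, 0, tzinfo=timezone.utc)
T1 = datetime(2021, 11, 8, 13, 2, tzinfo=timezone.utc)
T2 = datetime(2021, 11, 8, 14, 0, tzinfo=timezone.utc)
COLLECTION_CREATION = CreationInfo(T1, "acme-build")

SAMPLE_ELEMENTS: Dict[str, Element] = {e.id: e for e in [
    Element("spdx:coll-1#pkg", COLLECTION_CREATION, collection_id="spdx:coll-1"),  # internal
    Element("spdx:other#lib", CreationInfo(T0, "upstream")),                       # external
    Element("spdx:late#scan", CreationInfo(T2, "scanner")),                        # too late
]}
SAMPLE_COLLECTION = Collection("spdx:coll-1", COLLECTION_CREATION,
                               members=("spdx:coll-1#pkg", "spdx:other#lib"))
BAD_COLLECTION = Collection("spdx:coll-1", COLLECTION_CREATION,
                            members=("spdx:coll-1#pkg", "spdx:other#lib", "spdx:late#scan"))

if __name__ == "__main__":
    print(classify_members(SAMPLE_COLLECTION, SAMPLE_ELEMENTS))
    print(membership_is_consistent(BAD_COLLECTION, SAMPLE_ELEMENTS))
    print(creation_order(list(SAMPLE_ELEMENTS.values())))
```

The point of the `else` branch is the one the message makes from causality: a check of this kind needs no SPDX-specific knowledge, only creation info and immutability, so it can be applied uniformly to any collection-like Element in the graph.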



View/Reply Online (#4238): https://lists.spdx.org/g/Spdx-tech/message/4238