On Tue, Nov 9, 2021 at 1:25 AM Sean Barnum <sbar...@mitre.org> wrote:
> My 2 cents on whether our Bundle should have similar approach to the
> current STIX Bundle.
>
> I actually proposed and created the original STIX Bundle. It had almost
> identical semantics to what in our current model we refer to as a
> non-contextual (generic) Collection. That is what we are currently calling
> Document but I continue to believe it should be named Bundle to avoid the
> ongoing confusion with the SPDX 2.X Document which is a contextual
> collection.
>
> The current language around STIX Bundle that asserts it is only a
> transient structure and not a STIX Object (somewhat analogous to our
> Element) with persistent properties, etc. was added when STIX 2.0 was
> defined and is a significant error in my opinion. It ignored the input from
> numerous community members that asserted the Bundle itself had value as an
> object. Some parties may receive a Bundle, take out the content and toss
> the Bundle away but others receive a Bundle, take out the content but also
> keep the Bundle around as a provenance artifact knowing how they received
> those contained elements. The current STIX Bundle definition only allows
> for the former and not the latter and does not allow any Relationships to
> be defined against the Bundle. The parties that made the change insisted
> that Bundle should only support the way they would use it and ignored the
> other input, which among many other such bad decisions led to significant
> portions of the community to walk away.
>
> We should learn from such lessons.
>
> I will continue to argue strongly that our model should have a Collection
> Element that provides the ability to reference 0..* other Elements and to
> specify one or more rootElements of that graph of referenced Elements.

Definitely yes.

> And that our model should have a ContextualCollection subclass of
> Collection that adds the ability to assert some affinity context shared by
> Elements referenced by the ContextualCollection.

OK. I don't disagree, but would like to see a concrete example of an affinity context. I think defining that sufficiently to distinguish ContextualCollection from Collection is a challenge, but don't object to trying.

> And that BOM should be a subclass of ContextualCollection and that SBOM
> should be a subclass of BOM.

Definitely yes.

> In pure semantics, a Bundle (what we are currently calling Document) is
> really just a generic Collection and having the separate Document/Bundle
> subclass of Collection is not a logically different thing. That being said,
> I believe there is value in having a Bundle subclass of Collection for ease
> of human perception. I do think that it makes sense to move the ExternalMap
> structure to the Collection class rather than being only on Document/Bundle.
>
> There is a need to have both contextual and non-contextual collection
> Elements.

I don't disagree but don't yet understand the value. If you disagree with the STIX 2.0 Bundle, then I'll create a new name for it:

* "Bag" can be the name for an ephemeral collection of Elements, motivated by the same considerations and having the same characteristics as defined in STIX 2.0
* I don't have any opinion on what to call a persistent "Bundle" of Elements that is itself an SPDX Element. I just don't see the value.

There is a use for keeping a tarfile after extracting the files from it, and there is also a use for reusing the same name for a tarfile each time you want to do a transfer. I usually call mine "z", and my Windows download folder winds up with z, z (1), z(2), etc.

It's fine if you want a tarfile-like Element with an id IRI that, once minted, cannot be reused for a different Element. But that's different from a requirement for an ephemeral tarfile-like non-Element. I believe an ephemeral Bag of Elements is a useful zero-overhead building block, but admit that it can be modeled as a property with type Element and multiplicity 0..* without giving it a name. Naming it just makes it easier to discuss, as Polyphemus discovered of Odysseus.

Dave