I think using a package where you can't determine the version is a very bad
idea. So adding NOASSERTION is sending a message that determining the
version isn't that important. It is very important!

Whilst I appreciate that it may be difficult in some cases to find all the
details required for a package, I think we need to encourage behaviour
where we expect the metadata for a package to be complete.

Just my opinion...

Anthony

On Fri, 18 Aug 2023, 17:34 Keith Zantow via lists.spdx.org, <keith.zantow=
anchore....@lists.spdx.org> wrote:

> We just had a talk about this yesterday due to a Syft issue that came in:
> https://github.com/anchore/syft/issues/2038 (from Emrick). Currently,
> we're thinking about excluding packages without name and version
> information, but the NOASSERTION idea is also something that seems to solve
> the problem fairly well.
>
> I suppose I'm giving a plus-one on adding this as a specific value for the
> version when we cannot determine it, but also welcome thoughts on how best
> to handle this situation.
>
> Cheers,
> -Keith
>
> On Fri, Aug 18, 2023 at 12:15 PM Brandon Lum via lists.spdx.org <lumb=
> google....@lists.spdx.org> wrote:
>
>> Hi,
>>
>> In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run
>> into situations where the version information of a package is unknown. What
>> comes to mind is to set the version to NOASSERTION. However, this is not
>> currently spelt out in the spec (
>> https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field
>> ).
>>
>> Although semantically, in terms of usage of information, it should be
>> similar, it still lacks the ability to say that "This information is
>> incomplete", with exception of having NOASSERTION be set on the DEPENDS_ON
>> relationship more broadly - which may perhaps be a different discussion
>> altogether.
>>
>> Wanted to get thoughts on this.
>>
>> Cheers
>> Brandon
>>
>> 
>
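The thread asks how a consumer should treat a package whose version is unknown, and Anthony's position is that an SBOM should be checked for completeness rather than silently accepted. The following is an added example, not code from the SPDX project, Syft, or any of the thread participants: a small audit over an SPDX 2.3 JSON document that reports packages whose `versionInfo` is absent or set to NOASSERTION, and relationships whose target is NOASSERTION (the "dependency set incomplete" signal Brandon mentions). The field names (`packages`, `SPDXID`, `name`, `versionInfo`, `relationships`, `spdxElementId`, `relationshipType`, `relatedSpdxElement`) are those of the SPDX 2.3 JSON schema; the sample SBOM is constructed, and the choice to also treat `NONE` and an empty string as unknown is this example's own policy, not something the 2.3 spec text states.

```python
"""Audit an SPDX 2.3 JSON document for packages whose version is unknown.

Added example, not SPDX project or Syft code.  Field names follow the
SPDX 2.3 JSON schema; the policy of treating NONE and "" as unknown is an
assumption made here, since the 2.3 spec does not spell out NOASSERTION
for PackageVersion (see the thread above).
"""
import json

# Values this audit treats as "version not determined" (assumption: the
# spec only defines NOASSERTION/NONE for some fields, not for versionInfo).
UNKNOWN_VERSION_VALUES = {"NOASSERTION", "NONE", ""}

# Constructed sample SBOM: one complete package, one with NOASSERTION, one
# with versionInfo absent, and a DEPENDS_ON whose target is NOASSERTION.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.4.2"},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "NOASSERTION"},
        {"SPDXID": "SPDXRef-libbar", "name": "libbar"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libfoo"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "NOASSERTION"},
    ],
})

# Constructed SBOM with every package versioned and no NOASSERTION targets.
COMPLETE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "tidy-app",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "tidy-app", "versionInfo": "2.0.0"},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "0.9.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libfoo"},
    ],
})


def audit_versions(sbom_json: str) -> list:
    """Return one finding per package with an unknown version and one per
    relationship whose target is NOASSERTION.  Each finding is a dict with
    keys `spdxid`, `name` and `reason`, in document order."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        version = pkg.get("versionInfo")
        if version is None:
            reason = "versionInfo absent"
        elif str(version).strip() in UNKNOWN_VERSION_VALUES:
            reason = "versionInfo is " + (str(version).strip() or "empty")
        else:
            continue  # concrete version present, nothing to report
        findings.append({"spdxid": pkg.get("SPDXID"),
                         "name": pkg.get("name"), "reason": reason})
    for rel in doc.get("relationships", []):
        # A NOASSERTION target means the author could not enumerate the
        # dependency set, so the graph is known to be incomplete.
        if rel.get("relatedSpdxElement") == "NOASSERTION":
            findings.append({"spdxid": rel.get("spdxElementId"),
                             "name": rel.get("relationshipType"),
                             "reason": "relationship target is NOASSERTION"})
    return findings


def is_version_complete(sbom_json: str) -> bool:
    """True only when every package carries a concrete version and no
    relationship points at NOASSERTION."""
    return not audit_versions(sbom_json)


if __name__ == "__main__":
    for finding in audit_versions(SAMPLE_SBOM):
        print("%s: %s: %s" % (finding["spdxid"], finding["name"], finding["reason"]))
```

Running the script against the constructed sample reports libfoo (NOASSERTION), libbar (field absent) and the DEPENDS_ON whose target is NOASSERTION; the same document with concrete versions and a fully resolved graph passes. In a CI gate this is the distinction Anthony is drawing: a package that appears in the SBOM with no version cannot be matched against advisories, so the audit treats it as a failure rather than as a benign gap.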


View/Reply Online (#5301): https://lists.spdx.org/g/Spdx-tech/message/5301