My initial thought is that NOASSERTION should only be applicable to certain 
fields where a “known unknown” assertion is valuable.

 

In the RDF / OWL / semantic web SPDX spec, we would add a NOASSERTION value in 
the range of possible values for that property. This would allow computer 
semantic reasoning to answer questions like “what packages in this distribution 
have a ‘known unknown’ version?”

 

The downside is that we would need to do more updates to the spec. 

 

Best,
Gary

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Brandon 
Lum via lists.spdx.org
Sent: Friday, August 18, 2023 10:38 AM
To: Gary O'Neall <g...@sourceauditor.com>
Cc: d...@reliableenergyanalytics.com; SPDX Technical Mailing List 
<Spdx-tech@lists.spdx.org>; Emrick Donadei <edona...@google.com>; Tyler Pirtle 
<r...@google.com>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

 

I think one follow-up question is around whether it is recognized in the 
specification. For example, for package supplier 
(https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field)
it is stated clearly that NOASSERTION is within the format, but not in the 
case of VersionInfo.

 

I think the question is: is NOASSERTION usable in any text field? Or does there 
need to be explicit indication within the spec where a NOASSERTION can be used?

 

On Fri, Aug 18, 2023 at 1:22 PM Gary O'Neall <g...@sourceauditor.com> wrote:

My opinion is that it would be useful to be able to express a “known unknown” 
on the version if the version can’t be determined.

 

I also agree we should strive to always have a version available.  This is 
especially important in tracking vulnerability information.  I just know that 
there are several situations where this just isn’t possible (e.g. source files 
copied from an upstream project where no one kept track of the original 
version).  It would be better to have the imperfect package information than no 
information at all.

 

The NOASSERTION approach seems like a consistent way to represent the “known 
unknown”.

 

Gary

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Dick 
Brooks
Sent: Friday, August 18, 2023 9:53 AM
To: l...@google.com; 'SPDX Technical Mailing List' <Spdx-tech@lists.spdx.org>
Cc: 'Emrick Donadei' <edona...@google.com>; 'Tyler Pirtle' <r...@google.com>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

 

Brandon,

 

REA applies the NOASSERTION value when a PackageVersion is indeterminate, based 
on guidance provided by the NTIA work effort.

 

This is not an issue with “file components” as no version is required.


Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com

Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

 

 

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of 
Brandon Lum via lists.spdx.org
Sent: Friday, August 18, 2023 12:16 PM
To: SPDX Technical Mailing List <Spdx-tech@lists.spdx.org>
Cc: Emrick Donadei <edona...@google.com>; Tyler Pirtle <r...@google.com>
Subject: [spdx-tech] NOASSERTION on PackageVersion field

 

Hi,

 

In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into 
situations where the version information of a package is unknown. What comes to 
mind is to set the version to NOASSERTION. However, this is not currently spelt 
out in the spec 
(https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).

Although semantically, in terms of usage of information, it should be similar, 
it still lacks the ability to say that "This information is incomplete", with 
the exception of having NOASSERTION be set on the DEPENDS_ON relationship more 
broadly - which may perhaps be a different discussion altogether.

 

Wanted to get thoughts on this.

 

Cheers

Brandon
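
The thread turns on a consumer-side question: when a package's version is stated as NOASSERTION, or simply left out, what should a tool that matches the SBOM against vulnerability data do with it? The following is an added example written for this page, not code from any of the posters or from the SPDX project. It assumes the SPDX 2.3 JSON serialization (fields `SPDXID`, `name`, `versionInfo`, `supplier`); the SBOM and the advisory records are constructed for illustration, and the "affected if below first fixed version" rule is a simplification, not how any real advisory feed works. It shows the three states a version field can be in (asserted, NOASSERTION as a "known unknown", absent), answers Gary's "which packages have a known-unknown version?" query over the document, and keeps an unknown version from silently landing in the "not affected" bucket.

```python
"""Triage SPDX 2.3 (JSON) packages by how their version is stated.

Added example for this thread; not from the SPDX project. Sample data is constructed.
"""
import json

NOASSERTION = "NOASSERTION"

# Constructed SPDX 2.3 JSON document (not a real SBOM): one package per way of stating a version.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-distribution",
    "packages": [
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
         "supplier": "Organization: zlib project"},
        # Source files copied from upstream with no record of the version: a "known unknown".
        {"SPDXID": "SPDXRef-vendored-json", "name": "vendored-json",
         "versionInfo": NOASSERTION, "supplier": NOASSERTION},
        # Version simply omitted: nothing was asserted either way.
        {"SPDXID": "SPDXRef-legacy-util", "name": "legacy-util"},
    ],
})

# Constructed advisory records (not real CVEs): package name -> first fixed version.
# Simplification assumed here: every version below the fixed one is affected.
SAMPLE_ADVISORIES = {
    "zlib": "1.2.12",
    "vendored-json": "2.0.0",
}


def version_state(pkg):
    """Classify how a package states its version: 'asserted', 'known_unknown' or 'absent'."""
    version = pkg.get("versionInfo")
    if version is None or version == "":
        return "absent"
    if version == NOASSERTION:
        return "known_unknown"
    return "asserted"


def known_unknown_versions(sbom_json):
    """Answer 'which packages in this document have a known-unknown version?'."""
    doc = json.loads(sbom_json)
    return [p["SPDXID"] for p in doc.get("packages", [])
            if version_state(p) == "known_unknown"]


def parse_version(text):
    """Parse a dotted numeric version ('1.2.11') into a tuple; None if not comparable."""
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        return None
    return tuple(int(part) for part in parts)


def triage(sbom_json, advisories):
    """Map each package SPDXID to 'affected', 'not_affected', 'indeterminate' or 'no_advisory'.

    A NOASSERTION or missing version can never be compared against a fixed-version
    boundary, so it surfaces as 'indeterminate' instead of falling into 'not_affected'.
    """
    doc = json.loads(sbom_json)
    result = {}
    for pkg in doc.get("packages", []):
        fixed = advisories.get(pkg.get("name"))
        if fixed is None:
            result[pkg["SPDXID"]] = "no_advisory"
            continue
        if version_state(pkg) != "asserted":
            result[pkg["SPDXID"]] = "indeterminate"
            continue
        have, fixed_v = parse_version(pkg["versionInfo"]), parse_version(fixed)
        if have is None or fixed_v is None:
            result[pkg["SPDXID"]] = "indeterminate"
        else:
            result[pkg["SPDXID"]] = "affected" if have < fixed_v else "not_affected"
    return result


if __name__ == "__main__":
    print("known-unknown versions:", known_unknown_versions(SAMPLE_SBOM))
    for spdx_id, verdict in triage(SAMPLE_SBOM, SAMPLE_ADVISORIES).items():
        print(f"{spdx_id}: {verdict}")
```

Run as a script, the constructed document yields one known-unknown version (SPDXRef-vendored-json), zlib 1.2.11 as affected, and vendored-json as indeterminate even though an advisory names it. The distinction between "known_unknown" and "absent" is exactly what NOASSERTION buys the consumer: the former says the producer looked and could not determine the version, the latter says nothing.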

View/Reply Online (#5305): https://lists.spdx.org/g/Spdx-tech/message/5305