
Make required licensing fields optional #635

Merged: 1 commit, May 17, 2022

Conversation

@rnjudge (Contributor) commented Mar 10, 2022

Currently, licensing fields like Concluded License, Declared License
and Copyright Text are required for package elements. Given that we
are working to communicate security information in SPDX 2.3, this commit
proposes a change to make the fields related to [package, file, snippet]
licensing optional so those who want to use SPDX to only communicate
security information can do that without the bloat of NOASSERTION
licensing field values.

This PR specifically changes the following fields to optional:

Package Concluded license - 7.13
Package Declared license - 7.15
Package Copyright text - 7.17
File Concluded license - 8.5
License information in file - 8.6
File Copyright text - 8.8
Snippet Concluded license - 9.5
Snippet Copyright text - 9.8

Resolves #634

Signed-off-by: Rose Judge <rjudge@vmware.com>

@rnjudge rnjudge changed the base branch from development/v2.2.2 to development/v2.3 March 10, 2022 22:00
@rnjudge (Contributor, Author) commented Mar 10, 2022

@swinslow also suggested adding a comment to the effect of: "If one of these fields is absent for a Package / File / Snippet, then that has the equivalent meaning of NOASSERTION." I suggest adding this comment to each changed field for clarity, but we could also put the notice somewhere more central. Would something like the following, added under the "Description" section of each field, work?

If [insert appropriate field name here] is not present for a [package/file/snippet], it implies an equivalent meaning to NOASSERTION.

Suggestions welcome :)

@swinslow (Member) commented

Hi @rnjudge, overall this looks great! Thanks for the updates in the latest commit.

A couple of notes from a closer review:

  • 7.14 ("All licenses information from files field") should probably be included here too. Note that it is currently structured as required if FilesAnalyzed is true and must be omitted if FilesAnalyzed is false.
    • I think this should be changed to optional if FilesAnalyzed is true (with the same "missing means NOASSERTION" language), but still required to be omitted if FilesAnalyzed is false.
  • 9.6 ("License information in snippet field") looks like it is already optional and 0..*; we should probably also add the same "missing means NOASSERTION" language to it as well.

Thanks so much for preparing this PR! I'll take one more closer look but I think this covers the things I had seen.
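The semantics agreed on in this thread (an absent licensing field means NOASSERTION; 7.14 is optional when FilesAnalyzed is true but must still be omitted when it is false; 9.6 is already 0..*) are what a consumer of an SPDX 2.3 document has to implement. The following is an added example, not code from the spdx-spec repository or from this PR: a small Python normalizer over a tag-value document that fills absent optional fields with NOASSERTION and flags a 7.14 violation. It assumes the SPDX 2.2 tag-value tag names for the numbered fields listed above (the section-number-to-tag mapping is an assumption), that FilesAnalyzed defaults to true when omitted, and handles only single-line `<text>...</text>` values; the input document is constructed for the example.

```python
"""Normalizer for the SPDX 2.3 'absent licensing field means NOASSERTION' rule.

Added example, not code from the spdx-spec repository. Assumptions: the
tag-value names below are the SPDX 2.2 tag names for the numbered fields in
the PR (mapping assumed); FilesAnalyzed defaults to true when omitted; only
single-line <text>...</text> values are handled.
"""
from typing import Dict, List, Tuple, Union

NOASSERTION = "NOASSERTION"
Fields = Dict[str, Union[str, List[str]]]

# Fields the PR makes optional, per element type. Absent -> NOASSERTION.
OPTIONAL_LICENSE_FIELDS: Dict[str, List[str]] = {
    "Package": ["PackageLicenseConcluded", "PackageLicenseDeclared",
                "PackageCopyrightText"],                                   # 7.13, 7.15, 7.17
    "File": ["LicenseConcluded", "LicenseInfoInFile", "FileCopyrightText"],  # 8.5, 8.6, 8.8
    "Snippet": ["SnippetLicenseConcluded", "LicenseInfoInSnippet",
                "SnippetCopyrightText"],                                   # 9.5, 9.6, 9.8
}
# Tags that open a new element in a tag-value document.
ELEMENT_START = {"PackageName": "Package", "FileName": "File",
                 "SnippetSPDXID": "Snippet"}
# Tags with cardinality 0..*; stored as lists.
MULTI_VALUED = {"LicenseInfoInFile", "LicenseInfoInSnippet",
                "PackageLicenseInfoFromFiles"}


def parse_tag_value(text: str) -> List[Tuple[str, Fields]]:
    """Split a tag-value document into (element_type, fields) blocks.
    Document-level tags before the first element are ignored."""
    elements: List[Tuple[str, Fields]] = []
    fields: Fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>") and value.endswith("</text>"):
            value = value[len("<text>"):-len("</text>")]
        if tag in ELEMENT_START:
            fields = {}
            elements.append((ELEMENT_START[tag], fields))
        if not elements:
            continue
        if tag in MULTI_VALUED:
            fields.setdefault(tag, []).append(value)
        else:
            fields[tag] = value
    return elements


def normalize(kind: str, fields: Fields) -> Tuple[Fields, List[str]]:
    """Fill absent optional licensing fields with NOASSERTION and check the
    FilesAnalyzed rule for PackageLicenseInfoFromFiles (7.14)."""
    out: Fields = dict(fields)
    problems: List[str] = []
    for tag in OPTIONAL_LICENSE_FIELDS[kind]:
        if tag not in out:
            out[tag] = [NOASSERTION] if tag in MULTI_VALUED else NOASSERTION
    if kind == "Package":
        # FilesAnalyzed defaults to true when omitted (assumption, see docstring).
        files_analyzed = str(out.get("FilesAnalyzed", "true")).lower() == "true"
        if files_analyzed:
            # 7.14 is optional when FilesAnalyzed is true: absent means NOASSERTION.
            out.setdefault("PackageLicenseInfoFromFiles", [NOASSERTION])
        elif "PackageLicenseInfoFromFiles" in out:
            # 7.14 must still be omitted when FilesAnalyzed is false.
            problems.append("PackageLicenseInfoFromFiles present but "
                            "FilesAnalyzed is false (must be omitted)")
    return out, problems


def check_document(text: str) -> List[Tuple[str, Fields, List[str]]]:
    """Parse and normalize every element; returns (kind, fields, problems)."""
    return [(kind, *normalize(kind, fields)) for kind, fields in parse_tag_value(text)]


# Constructed sample: a security-only package with no licensing fields, a
# package that violates the FilesAnalyzed rule, a file and a snippet.
SAMPLE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0

PackageName: security-only-pkg
SPDXID: SPDXRef-Package-1
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:security-only-pkg:1.2.3:*:*:*:*:*:*:*

PackageName: bad-pkg
SPDXID: SPDXRef-Package-2
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseInfoFromFiles: MIT
PackageCopyrightText: <text>Copyright 2022 Example</text>

FileName: ./src/main.c
SPDXID: SPDXRef-File-1
LicenseInfoInFile: MIT
LicenseInfoInFile: Apache-2.0

SnippetSPDXID: SPDXRef-Snippet-1
SnippetFromFileSPDXID: SPDXRef-File-1
SnippetByteRange: 10:20
"""

if __name__ == "__main__":
    for kind, fields, problems in check_document(SAMPLE):
        ident = fields.get("SPDXID") or fields.get("SnippetSPDXID")
        print(kind, ident, {t: fields[t] for t in OPTIONAL_LICENSE_FIELDS[kind]}, problems)
```

The point of normalizing on the consumer side is that a downstream tool never sees "no value" for these fields: it sees NOASSERTION, the same thing a producer would have written before this change, so an absent field cannot be misread as "no license obligations" or "no copyright". The 7.14 check is the one asymmetry in the agreed rule: the field may be absent either way, but its presence with FilesAnalyzed set to false is still an error rather than a NOASSERTION.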

@rnjudge (Contributor, Author) commented Mar 11, 2022

Hi @swinslow, I made the edits you suggested; please take a look when you have time. Hoping to review this at next Tuesday's tech call.

@kestewart kestewart added this to the 2.3 milestone Mar 12, 2022
@kestewart kestewart requested a review from swinslow March 12, 2022 01:30
@kestewart (Contributor) left a comment

Reviewed and I think we're good.

@swinslow (Member) left a comment

+1 from me, thanks @rnjudge and sorry for the delay!

@tsteenbe (Member) left a comment

@rnjudge Could you fix the merge conflict?

Commit message:

Currently, licensing fields like `Concluded License`, `Declared License`
and `Copyright Text` are required for package elements. Given that we
are working to communicate security information in SPDX 2.3, this commit
proposes a change to make the fields related to [package, file, snippet]
licensing optional so those who want to use SPDX to only communicate
security information can do that without the bloat of NOASSERTION
licensing field values.

Resolves spdx#634

Signed-off-by: Rose Judge <rjudge@vmware.com>
Linked issue (closed by merging this pull request): Enable SPDX document creation without licensing fields

4 participants