
[RFC,v2,06/12] README.SPDX3: add file

Message ID 20231031224733.367227-7-louis.rannou@syslinbit.com
State New
Series SPDX3 Proof-of-Concept

Commit Message

Louis Rannou Oct. 31, 2023, 10:47 p.m. UTC
From: Marta Rybczynska <marta.rybczynska@syslinbit.com>

Add a specific readme for SPDX3 with open questions and other notes
related to the PoC.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Louis Rannou <louis.rannou@syslinbit.com>
---
 README.SPDX3 | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 README.SPDX3

Patch

diff --git a/README.SPDX3 b/README.SPDX3
new file mode 100644
index 0000000000..73f67c2857
--- /dev/null
+++ b/README.SPDX3
@@ -0,0 +1,45 @@ 
+This repository contains the Proof-of-Concept code for SPDX3 support
+in the Yocto Project.
+
+What does the code include:
+* The SPDX3 generation with JSON-LD serialization, still using .json extension
+* Implementations of the core, and software profiles
+
+Here are the known limitations:
+* At the time of writing this code, the SPDX3 specification is still undergoing
+  changes. Especially, the root element has not been yet decided. Because of
+  that, the code might require changes when the final specification is
+  released.
+
+* Some parts of the SPDX3 require clarifications. Current issues:
+  - Software.Package.homepage is sometiemes also called homePage: need to
+    confirm spelling
+  - Core.Relationship.from needs special care in Python as it conflicts
+    with a built-in
+  - should suppliedBy be serialized by an array or as a single string?
+  - In examples, SpdxDocument has an attribute namespace. It does not in the
+    documentation
+  - what is the equivalent of the documentNamespace that was in 2.2?
+
+* SPDX3 introduces modular model, where content depends on the profile used.
+  The configuration of profiles to generate needs to be reworked. Today,
+  generation is gated by variables shared with SPDX2.2 code like
+  SPDX_INCLUDE_SOURCES. In SPDX3 it could be done by enabling specific
+  profiles and variables like SPDX3_ENABLE_LICENSING or SPDX3_ENABLE_SECURITY.
+
+* The implementation includes data similar to the YP SPDX 2.2 content. SPDX 3.0
+  has additional profiles and fields that did not exist in the earier version.
+  The project needs a discussion on what is useful to include in the YP SPDX.
+  Additional profiles and classes might be implemented to carry that data.
+
+* The security profile implementation has been prototyped. However, some part
+  of the needed data is necessary from the cve-check database (for example:
+  CVSS). Obtaining the information is possible, but will require dependency on
+  the cve-check to download the database, then refactoring of the cve-check
+  database accesses so that they can be done from other classes while keeping
+  correct locks. Also, VulnAssessmentRelationship requires classification
+  of fixes as "Fixed", "NotAffected", while YP cve-check has only one category
+  for both. At the moment of writing this, there is a patch on the ML.
+
+* SPDX 3.0 cannot be validate yet with pyspdxtools. The default SPDX version is
+  set to 2.2.
\ No newline at end of file
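Review bot: in the "Core.Relationship.from" bullet, `from` is a reserved keyword in Python, not a built-in, so the note should say it cannot be used as an attribute or parameter name at all (which is why it needs special care), rather than that it "conflicts with a built-in". A few spelling and grammar fixes in the same file: "sometiemes" should be "sometimes" in the Software.Package.homepage bullet, "earier" should be "earlier" in the YP SPDX 2.2 bullet, and "cannot be validate yet" should be "cannot be validated yet" in the pyspdxtools bullet; that last bullet would also read better if it said whose default is 2.2 (pyspdxtools' or this code's). Finally, the file is added without a trailing newline ("\ No newline at end of file"); please terminate the last line so later diffs to this README stay clean.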