Namespaces and serialization
While we are discussing namespace and creation info compression, we should keep in mind that every Element must have a unique SpdxId.
I propose that as we develop serialization examples, we use a few namespaces that reflect that reality. The first could be the one used in the 2.3 example:
"spdx-example": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#"
I proposed another that satisfies the same uniqueness requirement as the 2.3 GUID, but a little more compactly using a timestamp:
"spdxId": "http://spdx.acme.org/3FA9CB25#person2",
A non-unique SpdxId will not work:
"spdxId": "https://some.namespace#john_smith",
The GUID or some other uniqueness qualifier must appear in either the namespace or the local-part in all of our examples.
> The GUID or some other uniqueness qualifier must appear in either the namespace or the local-part in all of our examples.

I like using the GUID for uniqueness - it is a best practice we've recommended in the past for making the URIs unique.
I agree that using a GUID for uniqueness is the right approach. I strongly believe the GUID should be part of the local-part of the ID rather than in the namespace. This is cleaner especially when aggregating/integrating content across BOMs, is easier for a human eye to follow, and is much cleaner for the potential possibility of deterministic (UUIDv5) GUIDs sometime in the future.
> I strongly believe the GUID should be part of the local-part of the ID rather than in the namespace.
I strongly believe it could be either local or namespace - we should not specify this. Having it in the local part greatly expands the size of the serialized data.
Still a good idea - but no time to implement in 3.0, moving to 3.1
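The following is an added example, not part of the original thread and not SPDX project code: it mints IDs with the uniqueness qualifier in either position discussed above and flags the collision that a non-unique `spdxId` causes when two BOMs are aggregated. The function names, the element fields other than `spdxId`, the sample BOMs and the UUIDv5 seed scheme are assumptions made for illustration.

```python
import json
import uuid
from collections import defaultdict

def id_guid_in_namespace(base, local, guid=None):
    """Uniqueness qualifier in the namespace, short local-part (2.3 style)."""
    guid = guid or uuid.uuid4()
    return f"{base}-{str(guid).upper()}#{local}"

def id_guid_in_local(namespace, name, seed=None):
    """Uniqueness qualifier in the local-part.
    With a seed the GUID is a deterministic UUIDv5, otherwise a random UUIDv4."""
    ns = namespace.rstrip("#")
    guid = uuid.uuid5(uuid.NAMESPACE_URL, f"{ns}#{seed}") if seed else uuid.uuid4()
    return f"{ns}#{name}-{guid}"

def find_collisions(*documents):
    """Map each spdxId used for differing elements to the documents using it."""
    seen = defaultdict(list)
    for index, elements in enumerate(documents):
        for element in elements:
            body = json.dumps(element, sort_keys=True)
            seen[element["spdxId"]].append((index, body))
    return {
        spdx_id: sorted({index for index, _ in uses})
        for spdx_id, uses in seen.items()
        if len({body for _, body in uses}) > 1
    }

# Constructed sample data: two producers describe different people.
BOM_A = [
    {"type": "Person", "spdxId": "https://some.namespace#john_smith",
     "name": "John Smith (Acme)"},
    {"type": "Person", "spdxId": "http://spdx.acme.org/3FA9CB25#person2",
     "name": "Jane Doe"},
]
BOM_B = [
    {"type": "Person", "spdxId": "https://some.namespace#john_smith",
     "name": "John Smith (Initech)"},
]

if __name__ == "__main__":
    print("before:", find_collisions(BOM_A, BOM_B))
    seeds = ("mailto:john.smith@acme.example", "mailto:john.smith@initech.example")
    for bom, seed in zip((BOM_A, BOM_B), seeds):
        bom[0]["spdxId"] = id_guid_in_local("https://some.namespace#", "john_smith", seed)
    print("after: ", find_collisions(BOM_A, BOM_B))
```

An element that appears in both documents with the same ID and identical content is treated as the same element, not as a collision.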