
Can hasHost Relationship link to Build

Open ilans opened this issue 1 year ago • 6 comments

In RelationshipType:

hasHost: The from Build was run on the to Element during a LifecycleScopeType period (e.g. the host that the build runs on).

In the Build profile:

hasHost: Describes the relationship from the Build element to the build stage or host.

Can a Relationship with hasHost really link to a Build? Seems wrong.

ilans avatar Nov 14 '24 02:11 ilans

From what I understand, the intent was to link to a build.

@lumjjb @nishakm - Thoughts?

goneall avatar Nov 14 '24 19:11 goneall

Discussed with Kate and we're thinking this should be 3.1 - we don't have any validation in place other than the text, so I don't think fixing it will be a breaking change.

goneall avatar Nov 14 '24 19:11 goneall

Host machines provide dependencies for build to function. Hence we added a "hasHost" relationship.

nishakm avatar Nov 14 '24 20:11 nishakm

@goneall bringing in host machines into the build story allows for the inclusion of build runners in the SBOM. Hence I would strongly recommend NOT removing this relationship.

nishakm avatar Nov 14 '24 20:11 nishakm

> @goneall bringing in host machines into the build story allows for the inclusion of build runners in the SBOM. Hence I would strongly recommend NOT removing this relationship.

Just to clarify, I don't think anyone is proposing we remove the relationship - just clarifying the to / from types.

We may need to clarify the language a bit - @ilans is working on translating the English text to SHACL restrictions, and we want to make sure we get the details right.

goneall avatar Nov 14 '24 23:11 goneall

Reviving this issue, as I'm actively implementing the SHACL shapes.

To clarify, the requirement in RelationshipType that hasHost should link from Build to its Host machine makes sense and preserves important information. My concern is about the requirement in the Build profile which states that it could also link from the Build element to the build stage.

We don't have a "build stage" anywhere in our spec so I assumed it refers to a "build step". We don't have "build step" either, at least not explicitly, but from what I understand, that's the core purpose of the Build class. If that's true then a Build element could be linked to another Build element through hasHost. So either I'm misunderstanding it or the "build stage" text is wrong.

And on that note, I strongly believe we should avoid defining the same constraint multiple times in different places. Constraints related to Relationships should ideally be stated only once in the RelationshipType section and also managed there.

ilans avatar Mar 06 '25 15:03 ilans
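
The to / from question in this thread, as an added example that is not part of the issue or of the SPDX project's SHACL shapes: a small Python check over a constructed SPDX 3 JSON-LD style graph that flags `hasHost` relationships whose `from` is not a Build and separately reports the Build-to-Build case. The sample elements, the `urn:example:` identifiers and the finding names are assumptions made for illustration, and `to-is-build` is reported for review rather than treated as invalid, since the thread leaves that point open.

```python
# Added example: constructed data, not taken from the spdx-3-model repository.
BUILD = "build_Build"
REL_TYPES = {"Relationship", "LifecycleScopedRelationship"}

# Constructed sample graph; the runner is modelled as a package (assumption).
SAMPLE_GRAPH = [
    {"type": BUILD, "spdxId": "urn:example:build-1"},
    {"type": BUILD, "spdxId": "urn:example:build-2"},
    {"type": "software_Package", "spdxId": "urn:example:runner-image"},
    {"type": "software_Package", "spdxId": "urn:example:pkg-1"},
    {"type": "Relationship", "spdxId": "urn:example:rel-1",
     "relationshipType": "hasHost",
     "from": "urn:example:build-1", "to": ["urn:example:runner-image"]},
    {"type": "Relationship", "spdxId": "urn:example:rel-2",
     "relationshipType": "hasHost",
     "from": "urn:example:pkg-1", "to": ["urn:example:runner-image"]},
    {"type": "LifecycleScopedRelationship", "spdxId": "urn:example:rel-3",
     "relationshipType": "hasHost",
     "from": "urn:example:build-1", "to": ["urn:example:build-2"]},
    {"type": "Relationship", "spdxId": "urn:example:rel-4",
     "relationshipType": "hasInput",
     "from": "urn:example:build-1", "to": ["urn:example:pkg-1"]},
    {"type": "Relationship", "spdxId": "urn:example:rel-5",
     "relationshipType": "hasHost",
     "from": "urn:example:build-2", "to": ["urn:example:missing"]},
]


def check_has_host(graph):
    """Return (relationship id, finding, element id) for each hasHost issue."""
    types = {e["spdxId"]: e["type"] for e in graph if "spdxId" in e}
    findings = []
    for rel in graph:
        if rel.get("type") not in REL_TYPES:
            continue
        if rel.get("relationshipType") != "hasHost":
            continue
        rid, src = rel["spdxId"], rel.get("from")
        # RelationshipType text: the "from" of hasHost is a Build.
        if types.get(src) != BUILD:
            findings.append((rid, "from-not-build", src))
        for dst in rel.get("to", []):
            if dst not in types:
                # Target is not in this graph, so its type cannot be checked.
                findings.append((rid, "to-unresolved", dst))
            elif types[dst] == BUILD:
                # The Build-to-Build case questioned in the thread.
                findings.append((rid, "to-is-build", dst))
    return findings
```
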