
Clarification Needed on SPDX File Relationships in Absence of Direct Mapping

Open nishanthsankaran opened this issue 6 months ago • 9 comments

✅ Scenario 1 (Reference Case)


In my project, I have 5 files:

  • MyFile1 to MyFile3 are exact copies of OpenSourceFile1 to OpenSourceFile3.
  • MyFile4 and MyFile5 are modified versions of OpenSourceFile4 and OpenSourceFile5.

In this case, I’ve used the following SPDX relationships:

  • COPY_OF for MyFile1–3
  • DESCENDANT_OF for MyFile4–5

SPDX document for scenario 1: MyProject_Scenario1.json

❓ Scenario 2 (Clarification Needed)


In another case, my project again contains 5 files. All 5 files are either:

Copies of, or DESCENDANT_OF from files in an open-source package.

However:

  • I do not have a direct file-to-file mapping between my project files and the original open-source files.
  • I only know that all my files originate from the open-source package, but I can't specify which file corresponds to which.

🔍 Question

In this scenario 2, what is the appropriate SPDX relationship to use between my project’s files and the open-source package?

Should I still use COPY_OF or DESCENDANT_OF even without a 1:1 file mapping? Or is there a more suitable SPDX relationship (e.g., GENERATED_FROM, OTHER, or a file to package-level relationship) that better reflects this situation?

If the OTHER relationship is used, what kind of relationship comment would be appropriate to include, especially when none of the standard SPDX relationship types fully capture the scenario?

In this scenario 2, the relationship is modeled from each file to the open-source package. Is this direction appropriate, or would the reverse (from package to file) be more accurate or preferred in SPDX modeling?

Any guidance or best practices for modeling this kind of relationship in SPDX 2.3 would be greatly appreciated.

Thank you, Nishanth

nishanthsankaran avatar Jun 26 '25 05:06 nishanthsankaran

Hi everyone,

Just wanted to circle back on this topic to see if anyone has had a chance to look into it or share any thoughts. I’d really appreciate any feedback or suggestions from the community. Thanks again!

nishanthsankaran avatar Sep 05 '25 06:09 nishanthsankaran

@nishanthsankaran would you like to add this to the Tech team meeting in one of the coming weeks?

Btw, this issue is already in the backlog https://docs.google.com/document/d/1NdHYU_VZtLacD4bEmf2GiUVRTbrcev1beaJpq8s8-pU/edit?tab=t.4wfxhy2gdx3y

bact avatar Sep 05 '25 08:09 bact

Thank you, @bact. It would be great if this issue could be added to one of the upcoming Tech team meetings.

nishanthsankaran avatar Sep 05 '25 14:09 nishanthsankaran

@nishanthsankaran it's every Tuesday at 12:00 US Eastern Time. See meeting link here: https://github.com/spdx/meetings/?tab=readme-ov-file#tech-team

Meeting agenda: https://docs.google.com/document/d/1NdHYU_VZtLacD4bEmf2GiUVRTbrcev1beaJpq8s8-pU/edit?tab=t.t8f4t082ttml

bact avatar Sep 11 '25 15:09 bact

From 16 September 2025 Tech call:

  • We lack a relationship for describing the modified files to originating upstream package. At a file to file level, we are coherent. But set of files modified from Upstream package.
  • Possibly consider derived from and contains. Also issue of which files are not present needs to be considered. Pick this up again next week. Looking for solution to use existing relationship, or consider adding one for upcoming version.

goneall avatar Sep 18 '25 18:09 goneall

Thank you @goneall. I believe the "derived from" relationship could be appropriate for scenario 2 — file to package. However, this relationship is not currently included in the SPDX relationship types.

nishanthsankaran avatar Sep 23 '25 15:09 nishanthsankaran

> Thank you @goneall. I believe the "derived from" relationship could be appropriate for scenario 2 — file to package. However, this relationship is not currently included in the SPDX relationship types.

Correct - this would have to be a new relationship type

goneall avatar Sep 23 '25 23:09 goneall

> > Thank you @goneall. I believe the "derived from" relationship could be appropriate for scenario 2 — file to package. However, this relationship is not currently included in the SPDX relationship types.
>
> Correct - this would have to be a new relationship type

And so would that leave other as the most appropriate relationship type for this scenario in the meantime then?

jesseporter avatar Sep 30 '25 23:09 jesseporter

> > > Thank you @goneall. I believe the "derived from" relationship could be appropriate for scenario 2 — file to package. However, this relationship is not currently included in the SPDX relationship types.
> >
> > Correct - this would have to be a new relationship type
>
> And so would that leave other as the most appropriate relationship type for this scenario in the meantime then?

Agree other is the most appropriate in meantime

goneall avatar Oct 02 '25 17:10 goneall
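
The interim modeling agreed in this thread, as an added example that is not code from the thread participants or the SPDX project: it builds the SPDX 2.3 JSON `relationships` entries for scenario 1 (file to file) and scenario 2 (`OTHER` from each file to the package, with a comment) and checks that every `OTHER` entry carries a comment and every project file has an origin recorded. The `SPDXRef-` identifiers other than the file names from the issue, the package ID and the comment wording are constructed assumptions.

```python
import json

def rel(src, rel_type, dst, comment=None):
    """Build one entry for the SPDX 2.3 JSON "relationships" array."""
    entry = {"spdxElementId": src, "relationshipType": rel_type,
             "relatedSpdxElement": dst}
    if comment:
        entry["comment"] = comment
    return entry

MY_FILES = [f"SPDXRef-MyFile{i}" for i in range(1, 6)]  # constructed IDs

def scenario1():
    """Mapping known: COPY_OF for MyFile1-3, DESCENDANT_OF for MyFile4-5."""
    return [rel(f, "COPY_OF" if i <= 3 else "DESCENDANT_OF",
                f"SPDXRef-OpenSourceFile{i}")
            for i, f in enumerate(MY_FILES, start=1)]

def scenario2(package_id="SPDXRef-Package-OpenSource"):  # constructed ID
    """Mapping unknown: OTHER from each file to the upstream package."""
    comment = ("Copy of, or modified from, a file in this package; "
               "the specific originating file is not known.")  # constructed wording
    return [rel(f, "OTHER", package_id, comment) for f in MY_FILES]

def lint(rels, files):
    """Flag OTHER entries with no comment and files with no origin recorded."""
    findings = []
    for r in rels:
        if r["relationshipType"] == "OTHER" and not r.get("comment", "").strip():
            findings.append(f'{r["spdxElementId"]}: OTHER has no comment')
    covered = {r["spdxElementId"] for r in rels}
    findings += [f"{f}: no origin relationship" for f in files if f not in covered]
    return findings

if __name__ == "__main__":
    print(json.dumps({"relationships": scenario2()}, indent=2))
    print(lint(scenario2(), MY_FILES))
```
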