
Inconsistency between tag/value and model for PackageVerificationCode Excluded Files

Open goneall opened this issue 5 years ago • 2 comments

The spec for the PackageVerificationCode tag/value format implies a cardinality of excluded files of 1:

Tag: PackageVerificationCode: (and optionally (excludes: FileName))

FileName is specified in section 4.1.

Example:

PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)

The model and RDF representation allows for 0 or more excluded files.

goneall avatar Jun 11 '20 22:06 goneall

It is useful in some scenarios to allow for more than one excluded file (e.g. metadata is included in the tarball, but it should not be considered part of the package - similar to how we treat the SPDX document).

Recommend changing the spec to allow multiple files to be excluded, separated by commas. For example:

(excludes: ./package.spdx, ./.metadata, ./.moremetadata)

goneall avatar Jun 11 '20 22:06 goneall
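To make the difference concrete, here is an added example (not code from the SPDX project or from the issue author) that computes a PackageVerificationCode the SPDX 2.x way and reads and writes the tag/value line with zero, one (current spec) or several comma-separated (proposed) excluded files. The file set is constructed sample data, and the verifier treats an unexpected code as a sign that the package contents or the SPDX record changed.

```python
import hashlib
import re

# Constructed sample package contents (path -> bytes); not taken from the issue.
SAMPLE_FILES = {
    "./src/main.c": b"int main(void) { return 0; }\n",
    "./README": b"demo package\n",
    "./package.spdx": b"SPDXVersion: SPDX-2.2\n",
    "./.metadata": b"build=42\n",
}

def verification_code(files, excluded=()):
    """SPDX 2.x PackageVerificationCode: SHA1 over the sorted, concatenated
    hex SHA1 digests of every file that is not listed in `excluded`."""
    skip = set(excluded)
    digests = sorted(
        hashlib.sha1(content).hexdigest()
        for path, content in files.items()
        if path not in skip
    )
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()

def format_tag(code, excluded=()):
    """Emit the tag/value line; with more than one excluded file this uses
    the comma-separated syntax proposed in this issue."""
    if not excluded:
        return f"PackageVerificationCode: {code}"
    return f"PackageVerificationCode: {code} (excludes: {', '.join(excluded)})"

_TAG_RE = re.compile(
    r"^PackageVerificationCode:\s*([0-9a-fA-F]{40})"
    r"(?:\s*\(excludes:\s*(.*?)\s*\))?\s*$"
)

def parse_tag(line):
    """Return (code, [excluded paths]); accepts no excludes, a single one,
    or a comma-separated list, so both spec variants round-trip."""
    m = _TAG_RE.match(line)
    if not m:
        raise ValueError(f"not a PackageVerificationCode line: {line!r}")
    raw = m.group(2)
    excluded = [p.strip() for p in raw.split(",")] if raw else []
    return m.group(1).lower(), excluded

def check_package(files, line):
    """Recompute the code from the file set minus the line's excludes and
    compare it with the recorded value; False means something was altered."""
    code, excluded = parse_tag(line)
    return verification_code(files, excluded) == code
```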

Moving this to 3.0 since it may involve breaking changes

goneall avatar Aug 11 '22 18:08 goneall

Since 3.0+ will have a significantly different tag/value format, closing this issue.

cc: @kestewart

goneall avatar Apr 04 '24 17:04 goneall