
Three questions about Relationships in SPDX

Open maxhbr opened this issue 3 years ago • 2 comments

These questions were initially asked in https://gitter.im/spdx-org/Lobby?at=62f39c84458f823ce0ac6194:

  1. What is the difference between DEPENDENCY_MANIFEST_OF and METAFILE_OF, the descriptions sound pretty similar and for me pom.xml and package.json live in the same bucket:

    • METAFILE_OF says: A SOURCE file pom.xml is a metafile of the APPLICATION ‘Apache Xerces’.
    • DEPENDENCY_MANIFEST_OF says: A file package.json is the dependency manifest of a package foo.
  2. There is CONTAINS, which suggests it is to be used on archives (An ARCHIVE file bar.tgz contains a SOURCE file foo.c.). But then it does the same thing as EXPANDED_FROM_ARCHIVE? Can CONTAINS be used for non-archives, e.g. an iso-image contains a file?

  3. And as a potential last question I would like to understand the relation types FILE_ADDED and FILE_DELETED. They feel like ternary relations, since I always would want to say "from archive A.tgz I deleted file B.txt and the result was the archive C.tgz". Or in other words: in the example "A SOURCE file foo.diff has been deleted from package ARCHIVE bar.tgz." does the archive still contain the foo.diff or not? How to reference the original input or the output?

maxhbr avatar Aug 19 '22 15:08 maxhbr

What is the difference between DEPENDENCY_MANIFEST_OF and METAFILE_OF

You can look at issue #154 where this was discussed

Can CONTAINS be used for non-archives, e.g. an iso-image contains a file?

I believe so - I use it for that purpose

For the FILE_ADDED and FILE_DELETED - I recall the use cases being discussed were for relationships to SPDX Packages, but the same relationship could be used for archives.

Good point on the ternary relationships. I don't use this relationship much myself, but my interpretation would be that you are describing a past action which results in a current state.

Or in other words: in the example "A SOURCE file foo.diff has been deleted from package ARCHIVE bar.tgz." does the archive still contain the foo.diff or not? How to reference the original input or the output?

In your example, the archive file should not have the source file present in this scenario as you are describing a change that has been made (past tense).

goneall avatar Aug 20 '22 16:08 goneall

For the EXPANDED_FROM_ARCHIVE relationship, this would be used to describe a File that had been extracted to another location. For example, the File referenced by a CONTAINS relationship would have a path relative to the root of the archive, whereas a File referenced by EXPANDED_FROM_ARCHIVE would have a path relative to the Package that contains it. The EXPANDED_FROM_ARCHIVE is the provenance of the file.

iamwillbar avatar Aug 26 '22 03:08 iamwillbar
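The readings given in the two replies above, written out as a small SPDX 2.3 JSON relationship fragment with a consistency check; this is an added example, not code from the issue or from the spdx-spec project, and the SPDXRef-* identifiers are hypothetical while the relationshipType values are real SPDX 2.3 types.

```python
import json

# Constructed SPDX 2.3 JSON fragment (not from the spec or this issue).
# SPDXRef-* identifiers are hypothetical; relationshipType values are real SPDX 2.3 types.
# Direction follows the spec: "spdxElementId <relationshipType> relatedSpdxElement".
SPDX_DOC = json.loads("""
{
  "relationships": [
    {"spdxElementId": "SPDXRef-Archive-bar-tgz", "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-File-foo-c"},
    {"spdxElementId": "SPDXRef-File-foo-c-expanded", "relationshipType": "EXPANDED_FROM_ARCHIVE",
     "relatedSpdxElement": "SPDXRef-Archive-bar-tgz"},
    {"spdxElementId": "SPDXRef-File-foo-diff", "relationshipType": "FILE_DELETED",
     "relatedSpdxElement": "SPDXRef-Archive-bar-tgz"},
    {"spdxElementId": "SPDXRef-File-package-json", "relationshipType": "DEPENDENCY_MANIFEST_OF",
     "relatedSpdxElement": "SPDXRef-Package-foo"}
  ]
}
""")


def contained_files(relationships, archive_id):
    """Files the archive currently holds (CONTAINS: archive -> file, path relative to archive root)."""
    return {r["relatedSpdxElement"] for r in relationships
            if r["relationshipType"] == "CONTAINS" and r["spdxElementId"] == archive_id}


def archive_provenance(relationships, file_id):
    """Archive an expanded file came from (EXPANDED_FROM_ARCHIVE: file -> archive), or None."""
    for r in relationships:
        if r["relationshipType"] == "EXPANDED_FROM_ARCHIVE" and r["spdxElementId"] == file_id:
            return r["relatedSpdxElement"]
    return None


def deleted_but_still_contained(relationships):
    """Consistency check for the reading given in the replies: FILE_DELETED records a past
    change, so the archive it names must not also CONTAIN that file. Returns offending pairs."""
    offenders = []
    for r in relationships:
        if r["relationshipType"] != "FILE_DELETED":
            continue
        file_id, archive_id = r["spdxElementId"], r["relatedSpdxElement"]
        if file_id in contained_files(relationships, archive_id):
            offenders.append((archive_id, file_id))
    return offenders
```

Running `deleted_but_still_contained` over an SBOM that both CONTAINS and FILE_DELETEDs the same file flags the pair, which is exactly the ambiguity the question raises.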

I believe this has been answered - closing...

goneall avatar Apr 04 '24 23:04 goneall