Gary O'Neall gary at sourceauditor.com
Sat Jul 25 00:00:00 UTC 2020

Greetings all,


+1 on not defining overlapping or duplicating terms with SPDX.  REUSE and
SPDX are already reasonably well aligned in terms of definitions, so I don't
think it would be too much of a stretch to leverage some of the formats.


The one feature missing from SPDX is a pattern match for the files - this
may be a useful feature to add to SPDX in general.


I completely agree with the concern on too many required fields.  The SPDX
community has removed many of the mandatory fields when a
"filesAnalyzed=false" is used.  Of course this does require the
"filesAnalyzed" field since the default is set to true for compatibility.
Somewhat inconvenient and perhaps something we should address in SPDX 3.0.


Another mandatory field which can be problematic is the SPDX document
namespace.  The value of this is required to be in a URI format and is
required to be unique.


Let me know if there are other fields which are of concern.


One other thing to note, we are adding profiles in SPDX 3.0.  Profiles is a
defined subset of fields for a specific purpose.  A group of automotive
manufacturers are already using a profile for "SDPX Lite" in SPDX version
2.2 (see https://spdx.github.io/spdx-spec/appendix-VIII-SPDX-Lite/).  SPDX
Lite is a valid SPDX document intended to be built with minimal or no tools.


Let me know if there is interest in creating a REUSE profile in SPDX.  The
REUSE group could determine which fields are mandatory and which fields are
optional.  Myself and the SPDX tech team would be happy to collaborate on
the effort.


Best regards,


From: REUSE <reuse-bounces at lists.fsfe.org> On Behalf Of Geyer-Blaumeiser
Lars (IOC/PDL4)
Sent: Thursday, July 23, 2020 7:22 AM
To: Max Mehl <max.mehl at fsfe.org>; reuse at lists.fsfe.org
Subject: Re: [REUSE] REUSE.yaml


Hello Max, Matija,


from what I understand there will be further changes in SPDX 3.0 that will
remove some of the mandatory stuff. I absolutely agree, that using SPDX
should not add stuff not needed for the use case. And if this means that the
SPDX file is not correct because some mandatory stuff is not included, this
is a good hint for the SPDX community to think about the need for a
mandatory field for the information.


Saying that, my basic intention is, that a REUSE.yaml file should not define
fields and structures, which have the same meaning but are defined
differently from SPDX. This would improve readability and processability of
the files.


Mit freundlichen Grüßen / Best regards 

Dr. Lars Geyer-Blaumeiser

Project Delivery - Open Source Services (IOC/PDL4) 
Bosch.IO GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY |
www.bosch.io <http://www.bosch.io>  
Mobil +49 172 4815079 | lars.geyer-blaumeiser at bosch.io
<mailto:lars.geyer-blaumeiser at bosch.io>  

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.
Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling



Von: REUSE <reuse-bounces at lists.fsfe.org
<mailto:reuse-bounces at lists.fsfe.org> > im Auftrag von Max Mehl
<max.mehl at fsfe.org <mailto:max.mehl at fsfe.org> >
Gesendet: Donnerstag, 23. Juli 2020 15:04:02
An: reuse at lists.fsfe.org <mailto:reuse at lists.fsfe.org> 
Betreff: Re: [REUSE] REUSE.yaml 


~ Matija Šuklje [2020-07-22 13:54 +0200]:
> Die 21. 07. 20 et hora 08:44 Geyer-Blaumeiser Lars (IOC/PDL4) scripsit:
>> I like the idea, but just a thought. There is the new yaml format in SPDX
>> 2.2, and we are thinking around using this format to mark certain folders
>> as open source component,
> That is a great idea.

Yes, thanks for sharing this idea! Being compatible with other
compliance projects is one of our core goals.

> But you'd really go make a full SPDX valid file for that? How?  There are 
> quite a few fields there that are obligatory.
> One potential issue might be the hash value. For marking 3rd party code
> a great boon, but for marking your own living code that might be a bit of
> issue, if you need to change the hash value every time the code changes.

I see the same issues. Additionally, I am always having
user-friendliness in mind which is another big goal of REUSE. The SPDX
document seems to work with e.g. "licenseId", "licenseConcluded",
"licenseDeclared". While these make sense in the SPDX radius, REUSE
users are used to work with License-Identifier and FileCopyrightText.
Just like with the snippets I am afraid of different "keys" for the same


Max Mehl - Programme Manager - Free Software Foundation Europe
Contact and information: https://fsfe.org/about/mehl | @mxmehl
Become a supporter of software freedom:  https://fsfe.org/join
REUSE mailing list
REUSE at lists.fsfe.org <mailto:REUSE at lists.fsfe.org> 

This mailing list is covered by the FSFE's Code of Conduct. All
participants are kindly asked to be excellent to each other:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fsfe.org/pipermail/reuse/attachments/20200724/52832e37/attachment.htm>

More information about the REUSE mailing list