[PATCH] updated / [GIT PULL REQUEST]: SPDX experimental generation target

[Ian Wienand]

On 09/21/2012 10:23 AM, Bradley M. Kuhn wrote:
>   * My overarching concern is that having this accepted upstream would
>     cause those finding the "spdx" target in the Makefile to think that
>     meant the output they got was an SPDX file vetted by the BusyBox
>     project and/or Conservancy (BusyBox's non-profit home).

>     My suggested solution is to call the Makefile target
>     "spdx-experimental" (I'm open to something else, as long as it is
>     abundantly clear that it's not official yet).  One of my patches
>     attached that does this.

Top level build targets are the type of thing that become ingrained --
I don't feel they should be transient.

I agree with your point that the generated file has caveats that
should be carefully considered.  I think it would be better to use the
generic "spdx" target, but add a explanatory comment in a
"DocumentComment:" field about any current limitations that should be
understood when parsing/using the file (DocumentComment is defined as
"comments to consumers [of the file]" so this seems like the right
place).

>   * I think it's not fitting with SPDX's spec definition of "Concluded
>     License" for an automated script to add "Concluded" fields without
>     human intervention.  I have a patch attached that deals with that by
>     not making conclusions the default, but leaves it as an option (i.e.,
>     to save typing if someone is making such conclusions).

That seems fair.  I would prefer not have an option as
LicenseConcluded is a mandatory field per the spec and thus without
the tag the output becomes invalid SPDX.

Rather it seems that the ConcludedLicense: tag should be modified to
to NOASSERTION.  This way, the output is always a valid SPDX file that
can be tag->rdf converted.

I've attached an intermediate diff.  Bradley; per your previous mail I
believe you would be in the best position to write a description of
the limitations of the output file.  If you agree, I can consolidate
something you provide into a combined change-set.

(p.s. can you post patches inline, makes them easier to reply too :)

Thanks

-i

 scripts/COPYRIGHT.spdx.template |    4 +++-
 scripts/create-spdx             |    2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/COPYRIGHT.spdx.template b/scripts/COPYRIGHT.spdx.template
index f36a1f7..cde6ee9 100644
--- a/scripts/COPYRIGHT.spdx.template
+++ b/scripts/COPYRIGHT.spdx.template
@@ -1,6 +1,8 @@
 SPDXVersion: SPDX-1.1
 DataLicense: CC0-1.0
 
+DocumentComment:<text>A note about the limitations of this file</text>
+
 ##
 ##  Busybox SPDX Copyright Info
 ##
@@ -23,4 +25,4 @@ Licensed under GPLv2. See source distribution for detailed copyright notices</te
 PackageLicenseDeclared: GPL-2.0
 PackageLicenseConcluded: GPL-2.0
 
-PackageLicenseInfoFromFiles: GPL-2.0
+PackageLicenseInfoFromFiles: NOASSERTION
diff --git a/scripts/create-spdx b/scripts/create-spdx
index ffa6a97..629b53f 100755
--- a/scripts/create-spdx
+++ b/scripts/create-spdx
@@ -66,7 +66,7 @@ do
     echo "FileName: ${f#$SRC_DIR}" >> "${DEST_FILE}"
     echo "FileType: SOURCE" >> "${DEST_FILE}"
     echo "FileChecksum: SHA1: ${chksum}" >> "${DEST_FILE}"
-    echo "LicenseConcluded: GPL-2.0" >> "${DEST_FILE}"
+    echo "LicenseConcluded: NOASSERTION" >> "${DEST_FILE}"
     echo "LicenseInfoInFile: NOASSERTION" >> "${DEST_FILE}"
     if [ -n "${copyright}" ]; then
         echo "FileCopyrightText: <text>${copyright}</text>" >> "${DEST_FILE}"
-- 
1.7.4.1