Greetings all –
I haven’t been involved in the earlier modeling discussions, so I don’t have all of the previous context. Please excuse any errors in my interpretation of the current model proposal.
Also note that the opinions below are my own and do not represent all of the SPDX community.
Having a 1:1 relationship between properties like the creator, some type of signature or verification and the SBOM itself is indeed important. In the SPDX model, this 1:1 relationship is between the SpdxDocument and those essential properties of the SpdxDocument class. The same relationship could be accomplished by introducing another object/class between the Document and the elements described by the Document. The SPDX community just decided to take the approach of representing these relationships as properties of the SpdxDocument. Having a many to one relationship at some point in the model between the document and elements represented in the document would be important to supporting many of the SBOM use cases IMHO.
I do like the term Artifact as well. I think this is a more descriptive term and less confusing than the SpdxElement term we have used in SPDX.
In the SPDX model, we use SpdxElement as a superclass for a File, Package (a collection of code that can be downloaded or accessed as a unit), and Snippet (a Snippet is a byte range within a file). The 1 to many mapping to the superclass allows for a document to describe any combination of files, packages and Snippets.
I probably have a bias to the SPDX model, but I still think having a 1 to many relationship between the Document and the Artifacts (using the new proposed terminology) would be a better approach than having a Document with a 1:1 relationship to an Artifact which has a many to one relationship to files, packages (and perhaps, in the future, snippets).
BTW - Changing SPDX to use Artifact rather than SpdxElement will not cause any compatibility issues since SpdxElement is not a concrete class. SpdxElement seldom (if ever) shows up in an SPDX document.
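As an added example (not part of the original mail or of the SPDX project's own code), a small consistency check over a constructed SPDX 2.x JSON document that exercises the two relationships discussed above: the document owns its creation/creator information once, and carries any number of packages, files and snippets, each identified by an SPDXID. The key names assume the SPDX 2.3 JSON layout, and the sample document and the `check_document` helper are constructed for illustration.

```python
import json

# Constructed sample in the SPDX 2.x JSON layout (key names follow SPDX 2.3):
# one document, one creationInfo, and a mix of package, file and snippet elements.
SAMPLE_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-sbom",
    "creationInfo": {"created": "2023-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "app",
                  "downloadLocation": "NOASSERTION"}],
    "files": [{"SPDXID": "SPDXRef-File-main", "fileName": "./src/main.c"}],
    "snippets": [{"SPDXID": "SPDXRef-Snippet-1",
                  "snippetFromFile": "SPDXRef-File-main",
                  "ranges": [{"startPointer": {"offset": 0, "reference": "SPDXRef-File-main"},
                              "endPointer": {"offset": 120, "reference": "SPDXRef-File-main"}}]}],
    "documentDescribes": ["SPDXRef-Package-app"],
}
SAMPLE_SBOM = json.dumps(SAMPLE_DOC)
# Same document with its file list dropped: the snippet now dangles.
BROKEN_SBOM = json.dumps({**SAMPLE_DOC, "files": []})


def check_document(doc_json: str) -> list:
    """Return structural problems found; an empty list means the document is consistent."""
    doc = json.loads(doc_json)
    problems = []
    # 1:1 side: the creator information belongs to the document itself, exactly once.
    if not doc.get("creationInfo", {}).get("creators"):
        problems.append("document has no creationInfo.creators")
    # 1:many side: every element the document carries must have a unique SPDXID.
    ids = [doc.get("SPDXID")]
    for key in ("packages", "files", "snippets"):
        ids.extend(e.get("SPDXID") for e in doc.get(key, []))
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        problems.append(f"SPDXID {dup} is used more than once")
    # A snippet is a byte range within a file, so its file must be in this document.
    file_ids = {f.get("SPDXID") for f in doc.get("files", [])}
    for s in doc.get("snippets", []):
        if s.get("snippetFromFile") not in file_ids:
            problems.append(f"{s.get('SPDXID')} points at a file not in this document")
    # What the document claims to describe must be among its own elements.
    for ref in doc.get("documentDescribes", []):
        if ref not in set(ids):
            problems.append(f"documentDescribes references unknown element {ref}")
    return problems
```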
From: Philippe-Emmanuel Douziech