Model suggestions for the IP / licensing section

Hi Philippe,

Following up on the model discussion yesterday, I can provide you with some UML in XMI format. Let me know if you would prefer an email, an attachment to a GitHub issue, or a pull request. If you could also point me to the repo that contains your XMI files, I’ll start with those.

Also, FYI, the XMI for SPDX 2.2 is at https://github.com/spdx/spdx-spec/blob/development/v2.2/model/spdx-model.xmi

Since yesterday, I have been thinking about simplifying the SBOM model. For the licensing, we could include license expressions rather than the full model of licenses.

The full license model is rather complex. It does, however, allow for much stronger validation and the ability to query the graph of license information to answer important questions for some of the use cases. Most users, however, will only want to express the license for a given material/artifact, and the complex license will likely just get in the way.

The license _expression_ is reasonably well defined in BNF in the SPDX spec Appendix IV. For many of the serialization formats (e.g. XML, JSON, YAML) we are storing the license information as expressions in SPDX. Only RDF/XML uses the full graph.

My recommendation is to use the simpler license expressions.

Philippe and the rest of the SBOM community, please let me know if you disagree.

Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586
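To show what the expression-only approach buys in terms of validation, here is a small validating parser for the license-expression grammar of SPDX spec Appendix IV (license-id, optional "+", LicenseRef-/DocumentRef- references, WITH, AND, OR and parentheses). This is example code added to this page, not code from the sender or the SPDX project; the KNOWN_LICENSES and KNOWN_EXCEPTIONS sets are a constructed subset standing in for the spec's Annex A lists.

```python
import re

# Constructed subset of SPDX short identifiers; the real lists are Annex A of the spec.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0-only", "BSD-3-Clause", "LGPL-2.1-only"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
LICENSE_REF = re.compile(r"(DocumentRef-[A-Za-z0-9.\-]+:)?LicenseRef-[A-Za-z0-9.\-]+")

def parse_expression(expr):
    """Parse into nested tuples (WITH binds tighter than AND, AND tighter than OR)."""
    toks = re.findall(r"\(|\)|[A-Za-z0-9.\-:+]+|\S", expr)  # stray chars become tokens, rejected below
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0) if toks else None
    def simple():  # license-id, license-id"+", license-ref, or "(" expression ")"
        tok = take()
        if tok == "(":
            node = disjunction()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok and (LICENSE_REF.fullmatch(tok) or tok.removesuffix("+") in KNOWN_LICENSES):
            return tok
        raise ValueError(f"expected a license id, got {tok!r}")
    def with_exception():  # WITH attaches a known exception to a single license id
        node = simple()
        if peek() == "WITH":
            take()
            exc = take()
            if isinstance(node, tuple) or exc not in KNOWN_EXCEPTIONS:
                raise ValueError(f"bad WITH clause: {exc!r}")
            node = ("WITH", node, exc)
        return node
    def chain(op, operand):  # left-associative: operand (op operand)*
        node = operand()
        while peek() == op:
            take()
            node = (op, node, operand())
        return node
    def disjunction():
        return chain("OR", lambda: chain("AND", with_exception))
    tree = disjunction()
    if peek() is not None:
        raise ValueError(f"unexpected token {peek()!r}")
    return tree

def is_valid(expr):
    try:
        parse_expression(expr)
        return True
    except ValueError:
        return False
```

Because the parser returns a tree, the same routine can feed a policy check (for example, rejecting any SBOM component whose expression contains a disallowed identifier) without needing the full RDF license graph.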