spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

Add RUNTIME_ENVIRONMENT_OF relationship #728

Open JPEWdev opened 2 years ago

JPEWdev commented 2 years ago

We have a case where packages present in an image have circular runtime dependencies (this is allowed by most package managers), which means it is impossible to encode the runtime dependency information using RUNTIME_DEPENDENCY_OF in these documents, because it is not a Directed Acyclic Graph (which is required for the document checksums to be calculable). To work around this, we create a separate ("runtime") document that describes the runtime dependencies between other package SPDX documents. Currently, we use AMENDS to describe the "runtime" document's relationship to the package document, but this doesn't seem to be ideal. A different relationship to describe this is desired.

JPEWdev commented 2 years ago

As background: we are generating SPDX documents for Embedded Linux images, and we have SPDX documents that describe the packages installed in the image (e.g. .deb/.ipk/.rpm packages, just like you would install on your desktop), with one document being written per package. The problem is that package managers do not disallow circular runtime dependencies (it just means all the packages in the circle have to be installed together). Because of this, it is impossible for us to include the RUNTIME_DEPENDS_ON relationship in our package SPDX files, because there is no Directed Acyclic Graph of runtime dependencies, which is required because external document references include the checksum of the document they reference; as such, we would eventually end up needing to modify a document we'd already visited when adding runtime dependencies, which would change its checksum and invalidate any other references to it.

To work around this, we write separate "runtime" documents (one per package SPDX document) that solely exist to describe the runtime dependencies between packages. Because these are created after all the package SPDX documents are written, they break the circular dependency problem and turn the documents back into a DAG. These new "runtime" documents are currently linked to the package SPDX document they describe with an AMENDS relationship, but this isn't ideal, as it's not entirely clear what the purpose is.

An example of our SPDX output can be found here
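The checksum problem and the split-document workaround described in the two comments above, as an added example that is not part of the issue, the SPDX spec, or the author's tooling. It assumes a minimal tag-value style serialisation that uses SPDX 2.x field names (`ExternalDocumentRef: DocumentRef-id namespace SHA1: hash`, `DocumentRef-id:SPDXRef-x` for cross-document elements) but is not a full writer, SHA1 as the ExternalDocumentRef checksum algorithm, constructed package names (`pkgA`, `pkgB`, `pkgC`) and a placeholder namespace. Every document can only be written once the documents it references have a final checksum, so the write order is a topological sort of the reference graph; the naive layout fails on the cycle, while the `<pkg>-runtime` layout always sorts because package documents reference nothing.

```python
# Added example; SPDX field names are real, package names and namespaces are constructed.
import hashlib
from collections import defaultdict


def serialize(doc):
    """Deterministic text form of a document. The checksum covers all of it,
    including the ExternalDocumentRef lines and the checksums they embed."""
    lines = ["SPDXVersion: SPDX-2.3",
             f"DocumentName: {doc['name']}",
             f"DocumentNamespace: {doc['namespace']}"]
    for ref_id, ns, sha1 in sorted(doc["external_refs"]):
        lines.append(f"ExternalDocumentRef: {ref_id} {ns} SHA1: {sha1}")
    for pkg in doc["packages"]:
        lines.append(f"PackageName: {pkg}")
        lines.append(f"SPDXID: SPDXRef-{pkg}")
    for subj, rel, obj in sorted(doc["relationships"]):
        lines.append(f"Relationship: {subj} {rel} {obj}")
    return "\n".join(lines) + "\n"


def checksum(doc):
    return hashlib.sha1(serialize(doc).encode()).hexdigest()


def toposort(refs, nodes):
    """Kahn's algorithm over 'document references document' edges. A document
    is ready once every document it references has been written; if the
    references contain a cycle, some documents never become ready."""
    pending = {n: len(refs.get(n, ())) for n in nodes}
    users = defaultdict(set)
    for n in nodes:
        for r in refs.get(n, ()):
            users[r].add(n)
    ready = sorted(n for n in nodes if pending[n] == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for u in sorted(users[n]):
            pending[u] -= 1
            if pending[u] == 0:
                ready.append(u)
    if len(order) != len(nodes):
        stuck = sorted(n for n in nodes if pending[n] > 0)
        raise ValueError("blocked by a reference cycle: " + ", ".join(stuck))
    return order


def new_doc(name):
    # Namespace is a constructed placeholder, not a real SPDX document.
    return {"name": name, "namespace": f"https://example.invalid/spdx/{name}",
            "packages": [], "relationships": [], "external_refs": []}


def write_documents(docs, refs):
    """Write documents in reference order, filling each ExternalDocumentRef
    with the already-final checksum of the document it points at."""
    order = toposort(refs, set(docs))
    written = {}
    for name in order:
        docs[name]["external_refs"] = [
            (f"DocumentRef-{r}", docs[r]["namespace"], written[r])
            for r in sorted(refs.get(name, ()))]
        written[name] = checksum(docs[name])
    return written, order


def naive_layout(runtime_deps):
    """One document per package with RUNTIME_DEPENDENCY_OF inline, so a cycle
    in runtime_deps becomes a cycle of document references."""
    docs, refs = {}, {}
    for pkg, deps in runtime_deps.items():
        docs[pkg] = new_doc(pkg)
        docs[pkg]["packages"] = [pkg]
        docs[pkg]["relationships"] = [
            (f"DocumentRef-{d}:SPDXRef-{d}", "RUNTIME_DEPENDENCY_OF", f"SPDXRef-{pkg}")
            for d in deps]
        refs[pkg] = set(deps)
    return docs, refs


def split_layout(runtime_deps):
    """Package documents carry no runtime relationships; a '<pkg>-runtime'
    document references the package document plus each dependency's package
    document. Package documents reference nothing, so this is always a DAG."""
    docs, refs = {}, {}
    for pkg in runtime_deps:
        docs[pkg] = new_doc(pkg)
        docs[pkg]["packages"] = [pkg]
        refs[pkg] = set()
    for pkg, deps in runtime_deps.items():
        rt = f"{pkg}-runtime"
        docs[rt] = new_doc(rt)
        docs[rt]["relationships"] = [
            (f"DocumentRef-{d}:SPDXRef-{d}", "RUNTIME_DEPENDENCY_OF",
             f"DocumentRef-{pkg}:SPDXRef-{pkg}") for d in deps]
        refs[rt] = {pkg, *deps}
    return docs, refs


def refs_verify(docs):
    """True if every ExternalDocumentRef checksum matches the referenced
    document as it now stands (what a consumer would recompute)."""
    by_ns = {d["namespace"]: d for d in docs.values()}
    return all(sha1 == checksum(by_ns[ns])
               for d in docs.values() for _, ns, sha1 in d["external_refs"])


def try_naive(runtime_deps):
    """Return the cycle error message, or None if the naive layout could be written."""
    docs, refs = naive_layout(runtime_deps)
    try:
        write_documents(docs, refs)
    except ValueError as e:
        return str(e)
    return None


# Constructed input: pkgA and pkgB need each other at runtime (allowed by
# dpkg/opkg/rpm); pkgC needs pkgA.
CYCLIC_DEPS = {"pkgA": {"pkgB"}, "pkgB": {"pkgA"}, "pkgC": {"pkgA"}}

if __name__ == "__main__":
    print("naive layout:", try_naive(CYCLIC_DEPS))
    docs, refs = split_layout(CYCLIC_DEPS)
    written, order = write_documents(docs, refs)
    print("write order:", order)
    print("all ExternalDocumentRef checksums verify:", refs_verify(docs))
```

The check a consumer should run is `refs_verify`: it recomputes every referenced document's checksum and compares it with the value embedded in the referrer, which is exactly the check that a cyclic naive layout can never satisfy, since fixing one document's checksum changes the one that embeds it.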

kestewart commented 1 year ago

@nishakm - Has the build profile group considered this proposal?

nishakm commented 1 year ago

@kestewart no but I think it would be great to have it @lumjjb

nishakm commented 1 year ago

Although, on reading the text above, it looks like the problems are different: the original use case was to handle circular dependencies, whereas the build profile group was looking for something that describes the relationship between a package and a build environment consisting of a list of packages, configs, containers, VMs, however deep you want to go down the stack. I don't think it's the same. Thoughts?

lumjjb commented 1 year ago

I've added an agenda item to the build profile to discuss this. From reading through (and also context from chatting with @JPEWdev and @kestewart at OSS NA), I think it is related but still will be separate context.

Chatting with folks from deps.dev, there are also some cases in language ecosystems where the circular dependencies show up as well... Wondering if any ideas from the envelope/postcard discussion can apply to this.

goneall commented 3 months ago

@JPEWdev @lumjjb - Is this still an issue? If so, should we move it to 3.0?

lumjjb commented 3 months ago

I'll defer to @JPEWdev on this since they're closer to the problem

goneall commented 3 months ago

Moving to 3.1 since this is non-breaking