spdx / tools-golang

Collection of Go packages to work with SPDX files
Other
130 stars 59 forks source link

The term "unpackaged" is misleading #233

Open kzantow opened 11 months ago

kzantow commented 11 months ago

The library currently outputs "##### Unpackaged files" in Tag Value format when it outputs the files section. However, this is misleading, as the files may be associated with a package using relationships. We should change this comment line to just read "Files".

swinslow commented 10 months ago

@kzantow Just to share a bit of context on this (which you may already know!)

This originated with language that's now found in Section 5.2.3 of the SPDX 2.3 spec:

Starting with SPDX 2.0, it is not necessary to have a package wrapping a set of files. . . .

  • If a file is not part of any package, it shall precede any package information section reference in the SPDX document.

Because of the top-down structure of a tag-value document, with File-inside-Package status being context-dependent based on whether or not the File occurs after a PackageName tag starting the Package section, the "Unpackaged files" comment was meant to signal this status.

You make a good point, though, that a File might not be "in" a Package by virtue of being listed after the Package Info section; but could still be e.g. subject to a CONTAINS Relationship with that Package.

I might question whether that situation would align with the spec's language stating that this is for where "a file is not part of any package".

But either way, the "Unpackaged files" label is just a comment intended to be informative, and I agree that there's no harm at all in removing it here. so I'm +1 to making this change, for what it's worth :)