
Enable SPDX document creation without licensing fields #634

Closed
rnjudge opened this issue Mar 10, 2022 · 5 comments · Fixed by #635

@rnjudge
Contributor

rnjudge commented Mar 10, 2022

There has been a proposal to change the SPDX 2.x spec to enable SPDX document creation without licensing fields in order to better support security use cases where the licensing fields may not be available and/or applicable. Currently, licensing fields like Concluded License, Declared License and Copyright Text are required for package elements. Given that we are working to communicate security information in SPDX 2.3, the proposal is to make the fields related to [package, file, snippet] licensing optional so those who want to use SPDX to only communicate security information can do that without the bloat of NOASSERTION licensing field values.

This issue is being opened to track the discussion and proposed changes.

@rnjudge rnjudge self-assigned this Mar 10, 2022
@rnjudge rnjudge added this to the 2.3 milestone Mar 10, 2022
rnjudge added a commit to rnjudge/spdx-spec that referenced this issue Mar 10, 2022
Currently, licensing fields like `Concluded License`, `Declared License`
and `Copyright Text` are required for package elements. Given that we
are working to communicate security information in SPDX 2.3, this commit
proposes a change to make the fields related to [package, file, snippet]
licensing optional so those who want to use SPDX to only communicate
security information can do that without the bloat of NOASSERTION
licensing field values.

Resolves spdx#634

Signed-off-by: Rose Judge <[email protected]>
@swinslow
Member

Hi @rnjudge, thanks for filing this!

I'm personally in favor of this change for SPDX 2.3. One caveat: I think the spec should explicitly state that, if one of these fields is absent for a Package / File / Snippet, then that has the equivalent meaning of NOASSERTION. Do you see any concerns with including this?

One nit on the commit at rnjudge@65b7087 (which I haven't reviewed more closely) -- I'd just note that if it is changed to a No value for Required, then I think the corresponding cardinalities would switch from a 1.. to 0..

@swinslow
Member

also cc @jlovejoy and @pmadick

@rnjudge
Contributor Author

rnjudge commented Mar 10, 2022

> Hi @rnjudge, thanks for filing this!
>
> I'm personally in favor of this change for SPDX 2.3. One caveat: I think the spec should explicitly state that, if one of these fields is absent for a Package / File / Snippet, then that has the equivalent meaning of NOASSERTION. Do you see any concerns with including this?

I think this is great to include. Do you want me to include this note within each field description or is there somewhere that I could state it only once that would make sense?

> One nit on the commit at rnjudge@65b7087 (which I haven't reviewed more closely) -- I'd just note that if it is changed to a No value for Required, then I think the corresponding cardinalities would switch from a 1.. to 0..

Thanks for pointing that out! I wasn't sure about this. I got confused by some of the other package fields like package summary description (7.18) and external reference (7.21) (along with a few others) which have No as the Required value but also have Cardinality 1... I'm happy to update my PR! Just for my own clarity, what makes these fields different?

@swinslow
Member

Thanks @rnjudge!

Yes, I would say it's good to include it with each field. The reason being that there are other places in an SPDX Document where NOASSERTION might be used or omitted, where this wouldn't be generally applicable (e.g., Relationships to NOASSERTION). So I think mentioning it in each optional field where it applies is worthwhile.

For the cardinality, I think this was a broader conversion issue when the spec was being converted from 2.2 to the ISO formatting for 2.2.1. This came up in a separate issue yesterday, #632, which is why I was thinking of it :) -- take a look at my response in that thread. I think this may be a more general issue to be resolved in the spec for 2.3, for these and potentially other fields...
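A small reader that applies the two points settled above (an absent Concluded License, Declared License or Copyright Text is read as NOASSERTION, while the required package fields keep cardinality 1..1) to an SPDX tag-value package. This is an added example, not code from the spdx-spec repository; it handles single-line values only, and the sample document, including its CPE, is constructed.

```python
import re

# Package licensing fields this issue proposes to make optional.
OPTIONAL_LICENSING_TAGS = ("PackageLicenseConcluded", "PackageLicenseDeclared", "PackageCopyrightText")
NOASSERTION = "NOASSERTION"
# Package fields that remain mandatory in SPDX 2.x (cardinality 1..1).
REQUIRED_TAGS = ("PackageName", "SPDXID", "PackageDownloadLocation")
_TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_packages(doc: str) -> list[dict]:
    """Split a tag-value document into package dicts; a package starts at each PackageName."""
    packages: list[dict] = []
    current = None
    for raw in doc.splitlines():
        m = _TAG_RE.match(raw.strip())
        if not m:
            continue  # blank line, comment or <text> continuation (not handled here)
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = {"ExternalRef": []}  # ExternalRef is a list: cardinality 0..*
            packages.append(current)
        if current is None:
            continue  # document-level tags before the first package
        if tag == "ExternalRef":
            current["ExternalRef"].append(value)
        else:
            current[tag] = value
    return packages


def normalize_licensing(pkg: dict) -> dict:
    """Proposed 2.3 reading: an absent licensing field means NOASSERTION."""
    out = dict(pkg)
    for tag in OPTIONAL_LICENSING_TAGS:
        out.setdefault(tag, NOASSERTION)
    return out


def missing_required(pkg: dict) -> list[str]:
    """Required package tags that are absent; an empty list means the package validates."""
    return [t for t in REQUIRED_TAGS if t not in pkg]


# Constructed sample: a security-only package carrying no licensing fields.
SAMPLE_DOC = """\
SPDXID: SPDXRef-DOCUMENT
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
PackageDownloadLocation: NOASSERTION
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*
"""
```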

rnjudge added a commit to rnjudge/spdx-spec that referenced this issue Mar 11, 2022
rnjudge added a commit to rnjudge/spdx-spec that referenced this issue Mar 11, 2022
@kestewart
Contributor

Fixed in PR #635

rnjudge added a commit to rnjudge/spdx-spec that referenced this issue May 17, 2022
kestewart pushed a commit that referenced this issue May 17, 2022