Comment about SPDX Lite and "Document Creation Information" fields

[swinslow]

Hello OpenChain Japan Work Group,

I am very interested in your proposal for SPDX Lite documents! It looks like a helpful way to exchange key information at a package level.

I work with the SPDX project and did want to note one other section of a few fields that are considered "mandatory" for SPDX documents. These are some of the fields in section 2 of the SPDX specification, "Document Creation Information". In an SPDX document, these fields would need to appear only once.

Here are the specific fields that I believe should be included in an SPDX document:

SPDX version 2.1	Rationale	Example
2.1 SPDX Version	To say which version of the SPDX specification is being used	SPDXVersion: SPDX-2.1
2.2 Data License	To say which license applies to the SPDX document data itself; SPDX requires CC0-1.0	DataLicense: CC0-1.0
2.3 SPDX Identifier	To create a reference to the SPDX document itself	SPDXID: SPDXRef-DOCUMENT
2.4 Document Name	To provide a short name to describe the SPDX document's topic	DocumentName: Acme-Project-0.0.1
2.5 SPDX Document Namespace	To provide a unique namespace specific to this SPDX document	DocumentNamespace: http://example.com/Acme-Project-0.0.1-abcdef
2.8 Creator	To describe the person, organization and/or tool that created this SPDX document	Creator: Person: John Doe
2.9 Created	To state the date and time when this SPDX document was created	Created: 2019-03-11T06:30:22Z

Here is one example of what this could look like, for a tag-value SPDX document:

SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
DocumentName: tools-golang
SPDXID: SPDXRef-DOCUMENT
DocumentNamespace: https://example.com/whatever/testdata-tools-golang-b97c39c5a2e7adf14d9a8732de1aba03fb6f1473
Creator: Person: Jane Doe
Creator: Tool: github.com/spdx/tools-golang/v0/builder
Created: 2019-03-06T02:02:35Z

I would be very happy to answer any questions you might have about this. Thank you again for your help with developing this.

[NorioKobota]

Hi @swinslow ,

Thanks for your information.
I think that it's bit difficult to create manually about 2.3 SPDX Identifier, 2.4 Document Name and 2.5 SPDX Document Namespace for the person who are not familiar with SPDX.
Can we fill it with NOASSERTION or NONE when creating manually?
And DataLicense: CC0-1.0 is a fixed value and SPDX requires CC0-1.0 as its specification, why do you
define it as a required field?

I think that the person who knows SPDX well uses SPDX as it is, so we have to care about the person who does not know SPDX well and there's a need to make it simple and easy.

Regards.