Update profile to be a property on collections and specify conformance #447
Conversation
|
I think the profile-as-namespace property was to help non-RDF serialization know what kind of properties they will encounter in a document, making it easier to parse. Removing it, the JSON or TagValue parsers for example would have to be able to receive any key/tag, not from a predefined set. |
@zvr - good point. I would suggest we add 2 properties - one for namespaces and a different property for conformance. |
|
Profile as conformance point and as a team/community make sense.
I don't object to keeping it as a property, but haven't seen any use case describing the benefit of doing so. |
What I would like to capture is the intent of the SPDX producer - do they intend for this profile conformance to be supported or not? One example where I would use this is in the verification utility. If a collection claims to support a profile but does not include a required property, I would fail the validation. |
|
The serialization group separated the concept into "definitionProfile" that expresses which profile defines the element class, and "conformanceProfile" that applies to Collections (plus Agents according to @jeff-schutt). @sbarnum mentioned profiles and multiple namespaces. That might be illustrated with an example: Meetings lists teams and focus groups - people who are interested in a topic. That would be the "Profile Team" meaning (from #365). Imagine that the Security Team, instead of defining the Security Profile, defined the "VEX Profile" and the "Verification Profile" to address how to do payload hashes and signatures. If that were true, the Classes created by the Security team would be defined under the VEX profile or the Verification profile, but not both, and not under the Security team name. That's the only meaning of "Profile Namespace" I can think of that isn't either the definition or the team, and that doesn't seem useful. Radical Proposal:
|
|
The more I think about this the more I like the proposal. I have a couple reservations:
On the benefit side:
|
Fixes #365 Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
goneall
changed the title
|
@jeff-schutt - ready for review |
| - type: ProfileIdentifierType | ||
| - minCount: 1 | ||
| - profileNamespace | ||
| - type: ProfileIdentifierType |
There was a problem hiding this comment.
I think, that, at least for the namespace case, we should be using anyURI type.
Why use http://spdx.org/rdf/v3/Core/ProfileIdentifierType/software as the value when we already have http://spdx.org/rdf/v3/Software ?
There was a problem hiding this comment.
I prefer to use enumerations to restrict the range of anyURI that is used. We already have the profile enumerations defined.
There was a problem hiding this comment.
Yes, I understand the advantages of a restricted set of values.
On the other hand:
- there has to be a correspondence between the value
http://spdx.org/rdf/v3/Core/ProfileIdentifierType/softwareand the prefixhttp://spdx.org/rdf/v3/Software, for a reader, for example, to check that only classes/properties of declared namespaces are being used... I tried to avoid using the words "namespace" and "map" for this 😝 - allowing arbitrary URIs automatically takes care of all the
Extensiondiscussions we had back in the day, allowing people to add their own classes and properties.
There was a problem hiding this comment.
This puts namespaces into practice. An application's conformance claim would be known by the namespaces it references, both within http://spdx.org/rdf/v3/ and from non-SPDX definitions.
And to touch the third rail of namespace maps 🔥, applications can define any prefix strings they want without affecting any other applications: c:Element, s:Package, l:Apache-2.0, sec:VEXstuff, etc. That's the beauty of maps, they are locally scoped, whether for software applications or for documents. Adopting prefix string conventions is outside the scope of the model; the model just defines the prefix (namespace) IRIs.
There was a problem hiding this comment.
If we want to be literal about the use of the actual namespaces use within the collection and the namespace property, I would go back to my original position that we should not have this property at all.
It isn't that much effort to traverse the elements and properties and collect what namespaces are actually used.
Even if we have the property, in practice it is quite possible we have a collection with a namespaceProfile declared at the collection level which isn't used as well as a no namespaceProfile declared for profiles that are used. Not to mention, it is an optional property.
As a tool developer, I would never use the namespaceProfile myself due to the possibility of introducing errors and inconsistencies.
Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
|
Note: I updated the glossary definition of profile to match the proposed changes. |
goneall
changed the title
Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
|
@davaya @jeff-schutt - Just finished updating the PR from the tech call, ready for review @zvr - we decided in the tech call to split out the I created a branch in this repo profilenamespace which has the |
This is a
draftproposed solution for #365.It changes the definition of a key property in the Core profile and should be discussed and reviewed before merging.This PR makes the following changes:
profilepropertyto 2 different propertiesprofileConformanceandprofileNamespaceCreationInfotoElementCollectionThe above changes were tentatively agreed to on the 5 Sept 2023 tech call and updated on the 12 Sept. call to only add the
profileConformancesince no one objected to the type. We can add backprofileNamespacelater as a separate PR.