Re: [media-types] Community review for proposed 'spdx' media type

Rose Judge <rjudge@vmware.com> Thu, 09 April 2020 20:41 UTC

From: Rose Judge <rjudge@vmware.com>
To: Henrik Andersson <henke@henke37.cjb.net>, "ietf-types@iana.org" <ietf-types@iana.org>
Date: Thu, 09 Apr 2020 20:41:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/media-types/l4QAL431AI6zyZOPe6ZfiOwSEH8>

>>> You seem to have misunderstood the purpose of required and optional
>>> parameters. They are not about the contents of the file. They are
>>> parameters attached to the media type designation as the file is
>>> transferred, stored and processed.

Thanks for pointing this out, Henrik. I will revise our answer for this question. I took a better look at the Text Media Types Info and New Rules for Default “charset” Parameter Values for “text/*” Media Types sections and it seems like it boils down to the following, in which case the spdx media type would qualify as a type where the charset information is transported inside the payload. In this case, do I just leave the Required/Optional parameter fields with N/A?

====
In order to improve interoperability with deployed agents, "text/*"
   media type registrations SHOULD either
 
   a.  specify that the "charset" parameter is not used for the defined
       subtype, because the charset information is transported inside
       the payload (such as in "text/xml"), or
 
   b.  require explicit unconditional inclusion of the "charset"
       parameter, eliminating the need for a default value.
 
   In accordance with option (a) above, registrations for "text/*" media
   types that can transport charset information inside the corresponding
   payloads (such as "text/html" and "text/xml") SHOULD NOT specify the
   use of a "charset" parameter, nor any default value, in order to
   avoid conflicting interpretations should the "charset" parameter
   value and the value specified in the payload disagree.
====

Thanks,
Rose

    

On 4/4/20, 11:56 AM, "Henrik Andersson" <henke@henke37.cjb.net> wrote:

    Rose Judge wrote:
    >
    > Hello,
    >
    >  
    >
    > Please see below for application of proposed new media type:
    >
    >  
    >
    >  
    >
    > Name: Rose Judge
    >
    > Email: rjudge@vmware.com <mailto:rjudge@vmware.com>
    >
    >  
    >
    > Media type name: text
    >
    > Media subtype name: spdx
    >
    >  
    >
    > Required parameters:
    >
    > Based on 2.2 spec the following fields and tags are mandatory in the
    > specification document. 
    >
    >  
    >
    > Document Creation Information Tags:
    >
    > SPDXVersion, DataLicense, SPDXID, DocumentName, DocumentNamespace,
    > Creator, Created
    >
    >  
    >
    > Package Information Tags:
    >
    > PackageName, SPDXID, PackageDownloadLocation, FileName,
    > PackageVerificationCode**, PackageLicenseConcluded,
    > PackageLicenseInfoFromFiles**, PackageLicenseDeclared,
    > PackageCopyrightText, 
    >
    >  
    >
    > File Information Tags:
    >
    > FileName, SPDXID, FileChecksum, LicenseConcluded, LicenseInfoInFile,
    > FileCopyrightText, 
    >
    >  
    >
    > Snippet Information Tags:
    >
    > SPDXRef, DocumentRef, SnippetByteRange, SnippetLicenseConcluded,
    > SnippetCopyrightText, 
    >
    >  
    >
    > Annotation Information Tags:
    >
    > Annotator
    >
    >  
    >
    >  
    >
    > ** Mandatory, one or many if FilesAnalyzed is true or omitted, zero
    > (must be omitted) if FilesAnalyzed is false.
    >
    >  
    >
    >  
    >
    > Optional parameters:
    >
    > Based on 2.2 spec the following fields and tags are optional in the
    > specification document. 
    >
    >  
    >
    > Optional Document Creation Information Tags:
    >
    > ExternalDocumentRef, LicenseListVersion, CreatorComment, DocumentComment
    >
    >  
    >
    > Optional Package Information Tags:
    >
    > PackageVersion, PackageFileName, PackageSupplier, PackageOriginator,
    > FilesAnalyzed, PackageChecksum, PackageHomePage, PackageSourceInfo,
    > PackageLicenseComments, PackageSummary, PackageDescription,
    > PackageComment, ExternalRef, ExternalRefComment (conditional for each
    > ExternalRef)
    >
    >  
    >
    > Optional File Information Tags:
    >
    > FileType, LicenseComments, ArtifactOfProjectName,
    > ArtifactOfProjectHomePage, ArtifactOfProjectURI, FileComment,
    > FileNotice, FileContributor
    >
    >  
    >
    > Optional Snippet Information Tags:
    >
    > SnippetLineRange, LicenseInfoInSnippet, SnippetLicenseComments,
    > SnippetComment, SnippetName
    >
    >  
    >
    > Optional Other Licensing Information Detected Tags:
    >
    > LicenseComment, LicenseID [Conditional (mandatory, one) if license is
    > not on SPDX License List], ExtractedText [Conditional (Mandatory, one)
    > if there is a License Identifier assigned.], LicenseName [Conditional
    > (mandatory, one) if license is not on SPDX License List.],
    > LicenseCrossReference [Conditional (optional, one or more) if license
    > is not on SPDX License List.]
    >
    >  
    >
    > Optional Relationships between SPDX Elements:
    >
    > Relationship, RelationshipComment
    >
    >  
    >
    > Optional Annotation Information Tags:
    >
    > Annotator [Conditional (Mandatory, one), if there is an Annotation],
    > AnnotationDate [Conditional (Mandatory, one), if there is an
    > Annotation], AnnotationType [Conditional (Mandatory, one), if there is
    > an Annotation], SPDXREF [Conditional (Mandatory, one), if there is an
    > Annotation], AnnotationComment [Conditional (Mandatory, one), if there
    > is an Annotation]
    >
    >  
    >
    >  
    >
    > Encoding considerations: 8bit
    >
    > The spdx media type must support UTF-8 encoding.
    >
    >  
    >
    > Security considerations:
    >
    > The ExternalRef tag provides linkage to the NVD via CPE. Data can be
    > stored in spdx files that may contain printf-style format characters
    > that could cause a program to display unintended information.
    >
    >  
    >
    > Interoperability considerations:
    >
    > The spdx media type can be distributed free of external systems or
    > processors and is represented in a human-readable format. There are
    > also internet text-processing applications that may consume these
    > documents.
    >
    >  
    >
    > Published specification:
    >
    > Current versions of the specification are available at
    > https://spdx.github.io/spdx-spec/. Historical versions can be found at
    > https://spdx.org/specifications.
    >
    >  
    >
    > Applications which use this media:
    >
    > Exchange of Metadata for software.
    >
    >  
    >
    > Fragment identifier considerations:
    >
    > N/A
    >
    >  
    >
    > Restrictions on usage:
    >
    > spdx media types should only be associated with validated SPDX
    > documents that follow the SPDX specification.
    >
    >  
    >
    > Provisional registration? (standards tree only):
    >
    > N/A
    >
    >  
    >
    > Additional information:
    >
    >  
    >
    > 1. Deprecated alias names for this type: N/A
    >
    > 2. Magic number(s): N/A
    >
    > 3. File extension(s): .spdx
    >
    > 4. Macintosh file type code: N/A
    >
    > 5. Object Identifiers: N/A
    >
    >  
    >
    > General Comments:
    >
    > Software Package Data Exchange® (SPDX®) is an open standard for
    > communicating software bill of material information (including
    > components, licenses, copyrights, and security references).
    >
    >  
    >
    > Person to contact for further information:
    >
    >  
    >
    > 1. Name: Rose Judge
    >
    > 2. Email: rjudge@vmware.com <mailto:rjudge@vmware.com>
    >
    >  
    >
    > Intended usage: Common
    >
    > Intended to be used to enable companies and organizations to share
    > human-readable and machine-processable software package metadata to
    > facilitate software supply chain processes. An SPDX media type will be
    > associated with a particular software package or set of packages and
    > will contain information about it in the SPDX format.
    >
    >  
    >
    > Author/Change controller: kstewart@linuxfoundation.org
    > <mailto:kstewart@linuxfoundation.org>
    >
    
    You seem to have misunderstood the purpose of required and optional
    parameters. They are not about the contents of the file. They are
    parameters attached to the media type designation as the file is
    transferred, stored and processed.
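
The distinction discussed in this thread, as an added example that is not part of either message or of any SPDX tooling: media type parameters arrive in the Content-Type header, while SPDX tags live in the payload. It assumes a receiver that always decodes the payload as strict UTF-8 and never consults a "charset" parameter, and it treats tag values as data rather than format strings; the function names and the sample header and payload are constructed for illustration.

```python
from email.message import Message

# Constructed sample: a transfer header and a tag-value payload (not from the thread).
SAMPLE_HEADER = "text/spdx; charset=iso-8859-1"
SAMPLE_PAYLOAD = (
    "SPDXVersion: SPDX-2.2\n"
    "# comment line\n"
    "DocumentName: caf\u00e9 %s%n\n"
    "CreatorComment: <text>first line\nsecond: line</text>\n"
).encode("utf-8")

def split_content_type(header_value):
    """Return (media type, parameters) from a Content-Type header value."""
    msg = Message()
    msg["Content-Type"] = header_value
    params = {k.lower(): v for k, v in msg.get_params()[1:]}
    return msg.get_content_type(), params

def parse_tag_value(payload):
    """Parse 'Tag: value' lines from the payload, decoded strictly as UTF-8."""
    text = payload.decode("utf-8")  # raises UnicodeDecodeError on invalid bytes
    tags, lines = [], iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not a tag-value line: %r" % line)
        value = value.strip()
        if value.startswith("<text>"):
            while "</text>" not in value:  # multi-line value
                nxt = next(lines, None)
                if nxt is None:
                    raise ValueError("unterminated <text> block")
                value += "\n" + nxt
            value = value[len("<text>"):value.index("</text>")]
        tags.append((tag.strip(), value))
    return tags

def receive(header_value, payload):
    """Handle a received document; the charset parameter is never consulted."""
    media_type, params = split_content_type(header_value)
    if media_type != "text/spdx":
        raise ValueError("unexpected media type: " + media_type)
    # Values are data: pass them as arguments, never as the format string.
    rendered = ["%s: %s" % (t, v) for t, v in parse_tag_value(payload)]
    return params, rendered
```
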