packageVerificationCodeExcludedFile filename prefix

[ilans]

From /Core/packageVerificationCodeExcludedFile:
"In general, every filename is preceded with a ./, see RFC 3986 ..."

Why use "In general" if the summary clearly states that this is "The relative file name...".
Shouldn't it always preceded with ./?

If that's correct, I'll include a SHACL rule.

[bact]

Because RFC 3986 also has another kind of relative reference that begins with //.

A relative reference that begins with two slash characters is termed a network-path reference; such references are rarely used.

See "4.2. Relative Reference" in https://datatracker.ietf.org/doc/rfc3986/

Although it is rare, but it may possible to occur. So I think if there will be a validation rule, the rule should allow its occurrence.

--

To avoid confusion, we may like to add a small notes on this in the description, in packageVerificationCodeExcludedFile, may be in 3.0.2?

[zvr]

We're talking about filenames, not URIs. So, there should only be "relative-path" references (to follow the nomenclature of RFC3986).

I don't even understand why there is a reference to this RFC. I'd rewrite the whole sentence as simply:

Every filename starts with ./.

[bact]

Will "absolute-path" with a single slash (/) prefix (also from 4.2. Relative Reference) possible in this context?

[zvr]

I don't think so, since we're talking about which files inside a package should be excluded when computing the verification hash. It makes no sense to use absolute paths for these .

But probably @goneall should be the one to decide, since he's more proficient in this SPDXv2 verification stuff.

[bact]

Thanks. Would be great if it can be simplified.

For reference, the RFC reference is from https://spdx.github.io/spdx-spec/v2.3/package-information/#742-intent .
The description there does not have "in general".
The description also only mentioned about sub-directory name when discussed about the prefix.

[ilans]

Created a PR: #913