Merge branch 'spdx:develop' into add-chap-history

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: Copyright 2024 The SPDX Contributors
+
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  open-pull-requests-limit: 10
+- package-ecosystem: "pip"
+  directory: "/"
+  schedule:
+    interval: "weekly"
+  open-pull-requests-limit: 10

.github/workflows/validate_examples.yml

@@ -12,10 +12,16 @@ jobs:
   validate-examples:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  #v4.1.7
+      - name: Checkout spdx-spec
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  #v4.2.2
+      - name: Set up specific Python version
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  #v5.3.0
+        with:
+          python-version: "3.12"
+          cache: "pip"
       - name: Install Python dependencies
         run: |
-          python3 -m pip install pyshacl==0.26.0 check-jsonschema==0.29.1
+          python3 -m pip install check-jsonschema==0.31.0 pyshacl==0.29.1 spdx3-validate==0.0.5
       - name: Install dependencies
         run: |
           sudo apt install -y gawk

.github/workflows/validate_pull_request.yml

@@ -4,46 +4,19 @@ jobs:
   validate:
     name: Validate build
     runs-on: ubuntu-latest
-    container: python:3
     steps:
-      - name: Checkout spdx-spec
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  #v4.1.7
-        with:
-          path: spdx-spec
-          fetch-depth: 1
-      - name: Checkout spdx-3-model
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  #v4.1.7
-        with:
-          repository: spdx/spdx-3-model
-          ref: main
-          path: spdx-3-model
-      - name: Checkout spec-parser
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  #v4.1.7
-        with:
-          repository: spdx/spec-parser
-          ref: main
-          path: spec-parser
-      - name: Install pre-requisites for spdx-spec
-        run: pip install -r spdx-spec/requirements.txt
-      - name: Install pre-requisites for spec-parser
-        run: pip install -r spec-parser/requirements.txt
-      - name: Build model files
-        run: python3 spec-parser/main.py spdx-3-model/model spdx-spec/docs/model
-      - name: Build the site to validate
-        working-directory: spdx-spec
-        run: |
-          MODEL_YML="docs/model/mkdocs-files.yml"
-          BASE_MKDOCS_YML="mkdocs.yml"
-          FINAL_MKDOCS_YML="mkdocs-final.yml"
-          echo "Build $FINAL_MKDOCS_YML from $BASE_MKDOCS_YML and $MODEL_YML"
-          sed -e "\|- model.*#.*[MODEL_PLACEHOLDER].*|{
-              r $MODEL_YML
-              a\\
-
-              d
-          }" "$BASE_MKDOCS_YML" > "$FINAL_MKDOCS_YML"
-          echo "====================="
-          echo "Start mkdocs build"
-          echo "====================="
-          ENABLE_PDF_EXPORT=0 mkdocs build --clean --config-file "$FINAL_MKDOCS_YML" --verbose
-        # Build without the time-consuming PDF export
+    - name: Checkout spdx-spec
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  #v4.2.2
+      with:
+        fetch-depth: 1
+    - name: Set up specific Python version
+      uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  #v5.3.0
+      with:
+        python-version: "3.12"
+        cache: "pip"
+    - name: Install pre-requisites
+      run: pip install -r requirements.txt
+    - name: Build the site to validate (use mkdocs.yml, no model files, no PDF export)
+      run: ENABLE_PDF_EXPORT=0 mkdocs build --clean --verbose
+      # To validate the PR from within spdx-spec repo, build using mkdocs.yml
+      # (no model files) and without the time-consuming PDF export

.gitignore

@@ -1,5 +1,6 @@
 # Generated files for model
 docs/model/
+docs/rdf/
 
 # GitBook directory and generated docs
 _book/
@@ -11,7 +12,7 @@ _book/
 dist/
 site/
 
-# Ignore all hidden files/dirs except .gitignore
+# Ignore all hidden files/dirs except .gitignore and .github
 .*
 !/.gitignore
 !/.github
@@ -28,3 +29,9 @@ node_modules/
 Thumbs.db
 Thumbs.db:encryptable
 *.lnk
+
+# Build temporary directory
+.env
+logs/
+__pycache__/
+__mkdocs-full.yml

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 All notable changes to this project will be documented in this file.
 
+## 3.0.1 (2024-12-17)
+
+* Changes in document structure and location.
+  The following documents are now located in the
+  [spdx/using](https://github.com/spdx/using/) repository and are no longer
+  part of the specification.
+  * [Cross referencing in SPDX 3](https://github.com/spdx/using/blob/main/docs/cross-reference.md)
+  * [Differences from previous editions](https://github.com/spdx/using/blob/main/docs/diffs-from-previous-editions.md)
+  * [Getting started writing SPDX 3](https://github.com/spdx/using/blob/main/docs/getting-started.md)
+  * [Including Security Information in a SPDX document](https://github.com/spdx/using/blob/main/docs/including-security-information-in-SPDX.md)
+  * [Using SPDX license list short identifiers in source files](https://github.com/spdx/using/blob/main/docs/using-SPDX-short-identifiers-in-source-files.md)
+  * [Using SPDX to comply with Norms, Standards and Regulation](https://github.com/spdx/using/blob/main/docs/using-SPDX-to-comply-with-industry-guidance.md)
+* The following documents are added for the completeness of the specification:
+  * [Package URL specification v1](./docs/annexes/pkg-url-specification.md)
+  * [SPDX License List matching guidelines and templates](./docs/annexes/license-matching-guidelines-and-templates.md)
+* [SPDX Lite](./docs/annexes/spdx-lite.md) has been updated with more explicit
+  sections on "Mandatory" and "Recommended" properties.
+* See changes in the model from
+  [the model change log](https://github.com/spdx/spdx-3-model/blob/main/CHANGELOG.md).
+
+See the 3.0.1 GitHub release notes for changes
+[in the spec](https://github.com/spdx/spdx-spec/releases/tag/3.0.1) and
+[in the model](https://github.com/spdx/spdx-3-model/releases/tag/3.0.1).
+
 ## 3.0 (2024-04-15)
 
 See the v3.0 GitHub release notes for changes
@@ -34,7 +58,7 @@ See the [v2.3 GitHub release notes](https://github.com/spdx/spdx-spec/releases/t
 * Removed support for multi-line license expressions.
 * Added `swh` as an external reference to support linking to Software Heritage persistent identifiers.
 * Added clarification on the case sensitivity of license expressions.
-* Numerous formatting, gramatical, and spelling fixes.
+* Numerous formatting, grammatical, and spelling fixes.
 
 See also the [SPDX specification 2.2 release announcement](https://www.linuxfoundation.org/blog/2020/05/spdx-2-2-specification-released/)
 

CONTRIBUTING.md

@@ -39,34 +39,43 @@ following sentence: if applied, this commit will "Subject of the commit".
 For example :
 
 ```text
-if applied, this commit will Add chapter on Security Vunerabilities in SPDX
+if applied, this commit will Add chapter on Security Vulnerabilities in SPDX
 if applied, this commit will Delete section with deprecated SPDX attributes 
 if applied, this commit will Fix grammar in Package Version field description
 ```
 
 Git itself uses this approach. When you merge something it will generate a
 commit message like "Merge branch...", or when reverting "Revert...".
 
-### Minor Changes
+The appropriate branch for submitting changes depends on the nature of the
+changes, following [Semantic Versioning (SemVer)][semver] conventions.
 
-Minor changes such as markup and typo fixes may be submitted directly to this
-repository (either as [issues][] or [pull-requests][]) without previous
-discussion.
+### Patch changes
 
-Please submit all minor changes against the `development/v3.0.1` branch which
-is the current development version of the SPDX specification.
+Patch-level changes such as markup and typo fixes may be submitted directly
+as [issues][] or [pull requests][pull-requests], without previous discussion.
 
-### Major Changes
+Please submit all patch changes against the `support/3.0` branch.
+
+### Minor changes
+
+Minor changes, including amending, adding, or removing normative and
+informative documents, **that do not break backward compatibility,**
+can be submitted directly as [issues][] or [pull requests][pull-requests].
+However, prior discussion is always encouraged.
+
+Please submit all minor changes against the `develop` branch.
+
+### Major changes
 
 Any change that break backwards compatibility or requires significant tooling
 changes is considered a major change.
 You may want to discuss major changes on the mailing list first to get design
 feedback before investing time in a pull request.
 
-Please submit all major changes against the `development/v3.1` which is the
-next major version of the specification.
+Please submit all major changes against the `develop` branch.
 
-### Target Milestones
+### Target milestones
 
 When submitting an issue or pull request, please add a suggested release
 milestone. This will ensure the issue or pull request is reviewed for inclusion
@@ -75,10 +84,16 @@ in that release.
 If your issue or pull request is independent of a release, you can use the
 `release-independent` milestone.
 
+## Contributing to the model
+
+Please see [Contributing to the SPDX 3.0 Model][model-contrib] document.
+
 [cla]: https://github.com/spdx/governance/blob/main/0._SPDX_Contributor_License_Agreement.md
 [issues]: https://github.com/spdx/spdx-spec/issues/
 [meetings]: https://github.com/spdx/meetings/
+[model-contrib]: https://github.com/spdx/spdx-3-model/blob/develop/Contributing.md
 [pull-requests]: https://github.com/spdx/spdx-spec/pulls/
+[semver]: https://semver.org/
 [spdx-legal]: https://wiki.spdx.org/view/Legal_Team
 [spdx-legal-list]: https://lists.spdx.org/mailman/listinfo/spdx-legal
 [spdx-tech]: https://wiki.spdx.org/view/Technical_Team