My opinion is that we should exempt any SPDX standard-defined elements from the import requirement. An SPDX standard-defined element would have a pre-defined URI prefix or namespace.
Otherwise, the SPDX serialized files will become unnecessarily verbose.
This would require an update to the spdx3-validator.
@goneall the spec defines a number of Individuals (like the organization you mentioned, but also the None and NoAssertion Elements and licenses). Since SPDX data may be using these, these should be included in the validation data.
And when the ExtendedLicensing profile is used, depending on the License List version used, a corresponding set of definitions for licenses and expressions should also be included in the data being validated.
I am not sure of the best alternative technically to achieve this inclusion.
In SPDX 2.X we allow references to listed licenses and listed exceptions without referencing the external document(s) containing these definitions.
In SPDX 3, the spdx3-validator looks for import statements for all element URIs not defined within the document.
In addition to the license list, the SPDX organization element would also need to be added to imports if it is used.
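An added sketch of the import check with the exemption proposed in this thread (illustrative code, not taken from spdx3-validator or from any participant). The document layout (`elements`, `refs`, `imports`) is a simplified, constructed stand-in for a parsed SPDX 3 document, and the two reserved prefixes are assumptions.

```python
# Assumed reserved namespaces (not stated in the issue); adjust to the
# spec and License List versions in use. Each ends in "/" so a lookalike
# host such as "spdx.org.example.net" cannot match by plain prefix.
RESERVED_PREFIXES = (
    "https://spdx.org/rdf/3.0.1/terms/",
    "https://spdx.org/licenses/",
)

def is_reserved(uri):
    """True when the URI sits strictly below a reserved namespace."""
    return any(uri.startswith(p) and len(uri) > len(p)
               for p in RESERVED_PREFIXES)

def missing_imports(doc, exempt_reserved=True):
    """Return referenced URIs that are neither defined nor imported.

    With exempt_reserved=False every external URI needs an import, which
    is the behaviour described in the issue. With True, URIs in the
    reserved namespaces are skipped, as the thread proposes.
    """
    defined = {e["spdxId"] for e in doc["elements"]}
    imported = set(doc.get("imports", []))
    missing = set()
    for element in doc["elements"]:
        for ref in element.get("refs", []):
            if ref in defined or ref in imported:
                continue
            if exempt_reserved and is_reserved(ref):
                continue
            missing.add(ref)
    return sorted(missing)

# Constructed sample document (hypothetical URIs).
SAMPLE = {
    "imports": ["https://example.com/other-doc#pkg-zlib"],
    "elements": [{
        "spdxId": "https://example.com/doc#pkg-app",
        "refs": [
            "https://spdx.org/licenses/MIT",
            "https://spdx.org/rdf/3.0.1/terms/Core/NoneElement",
            "https://example.com/other-doc#pkg-zlib",
            "https://example.com/third-doc#pkg-libfoo",
            "https://spdx.org.example.net/licenses/MIT",
        ],
    }],
}

if __name__ == "__main__":
    print(missing_imports(SAMPLE))
```

The lookalike URI stays in the missing list in both modes, which is the property a prefix-based exemption has to preserve.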