Add SPDX 3 Predicate#508

Merged
SantiagoTorres merged 2 commits intoin-toto:mainfrom
JPEWdev:spdx-predicate
Jan 22, 2026
Conversation

@JPEWdev
Contributor

@JPEWdev JPEWdev commented Dec 2, 2025

Updates the SPDX predicate to handle version 3.0

@JPEWdev JPEWdev requested a review from a team as a code owner December 2, 2025 21:37
Adds a new predicate for SPDX version 3, and updates the SPDX 2
predicate to distinguish it.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
@JPEWdev
Contributor Author

JPEWdev commented Jan 5, 2026

Per feedback from the SPDX community, they would prefer SPDX 3 to be a separate predicate

@JPEWdev JPEWdev changed the title Update SPDX Predicate Add SPDX 3 Predicate Jan 6, 2026
Member

@puerco puerco left a comment

Thanks @JPEWdev! Looks good to me. Just a nit, I'd like to hear what other @in-toto/attestation-maintainers think 👇

Comment thread spec/predicates/spdx2.md
# Predicate type: SPDX

Type URI: https://spdx.dev/Document
Type URI: https://spdx.dev/Document/v2.3
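Review bot: The replacement of `Type URI: https://spdx.dev/Document` with `Type URI: https://spdx.dev/Document/v2.3` drops the only URI the previous spec text documented, so any consumer that matches `predicateType` exactly against the unversioned form would stop recognizing attestations produced under the old text. Keep both lines, as the suggested change in this thread does, and add one sentence saying which URI new producers should emit and that verifiers must accept both.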
Member

This is interesting: the current spec document states that the typeURI is just https://spdx.dev/Document, but the examples use /v2.3. I'm wondering if this document should recognize both, as they always were here, even when v2.3 does not conform with the major-only versioning rule.

Suggested change
Type URI: https://spdx.dev/Document/v2.3
Type URI: https://spdx.dev/Document
Type URI: https://spdx.dev/Document/v2.3

Contributor Author

Ya, that annoyed me also :) It was unclear which one was correct. FWIW, I'd be fine with the proposed change

Member

OK, I approved the suggestion from the UI, but it b0rked the DCO check. I've pushed a commit to your branch manually to fix it. I hope you don't mind (feel free to squash them if you want).

I've slapped the approval pending on the final word from the other maintainers.

Contributor Author

OK, I approved the suggestion from the UI, but it b0rked the DCO check. I've pushed a commit to your branch manually to fix it. I hope you don't mind (feel free to squash them if you want).

I've slapped the approval pending on the final word from the other maintainers.

Doesn't bother me. Thanks!

This commit adds a small change to add the old https://spdx.dev/Document
uri in addition to the 2.3 versioned variant.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>
@SantiagoTorres SantiagoTorres merged commit a45d695 into in-toto:main Jan 22, 2026
3 checks passed
SAY-5 added a commit to SAY-5/attestation that referenced this pull request Apr 15, 2026
Per in-toto#547, in-toto#508 moved `spec/predicates/spdx.md` to `spdx2.md` (and
later added `spdx3.md`), which broke every external link to the
original file — including the one in the SLSA spec
(slsa-framework/slsa#1577).

Restore `spdx.md` as a stable redirect page that points at both
version-specific specs and explains the move. This keeps long-lived
external references working without requiring downstream specs to
chase the rename.

Closes in-toto#547