Add functions to return maps of licenses #290
Conversation
| private SpdxV2ListedLicenseModelStore licenseStoreV2; | ||
| private SpdxV3ListedLicenseModelStore licenseStoreV3; | ||
| private static ListedLicenses listedLicenses = null; | ||
| private Map<String, SpdxListedLicense> spdxListedLicenseMapCompatV2; |
There was a problem hiding this comment.
I'm still not entirely sure why we need version-specific storage of the license and exception lists, especially as this establishes a precedent that won't scale well over time (i.e. when SPDX model v4, v5, ..., are eventually released). The duplication in API surface, processing, and in-memory storage of these lists is concerning to me in the long term (and very difficult to fix, once introduced).
AFIACT the license and exception lists (deliberately?) use their own unique data structures unrelated to the SPDX model, and are versioned independently of the SPDX model too (so for example SPDX license list v3.26.0 has no special relationship with SPDX model v3.0.1, despite coincidentally sharing the same major version number); SPDX license list v3.26.0 is equally compatible with SPDX model v2.x or v3.x (and presumably in future, v4.x etc.).
It seems to me that there would be substantial benefits in having Spdx-Java-Library directly implement that existing separation in the source data, and simply store the license and exception lists separately, outside the SPDX model hierarchy, in their own dedicated class structure(s) that are independent of the generated model classes.
And yes, there may be value in having method(s) that can translate a license list object into an equivalent version-specific SPDX model object, but I think it would be better for that to be stateless (i.e. not cached in Spdx-Java-Library), and opt-in (i.e. such translations are only performed if/when a user calls those translation methods). This ensures that folx who use the license list, but either don't use the SPDX model objects at all, or only use a single version of them, aren't forced to incur runtime costs that never benefit them.
This happens to be my use case, fwiw - my code makes extensive use of the license and exception lists, but zero use of the SPDX model objects, and in that context shoehorning the license and exception lists into multiple version-specific SPDX model objects is going to be counterproductive (my code will be harder to understand, and there will be negative runtime impacts that my code doesn't benefit from).
There was a problem hiding this comment.
@pmonks - I appreciate the concern for maintainability (as one of the maintainers ;) and I agree with many aspects of your comments, with a few differences outlined below.
I'm still not entirely sure why we need version-specific storage of the license and exception lists
We're actually not storing the data in the format - it is more of a mapping to a common data format (the license JSON files). Since there is a lot of existing code that expects the SPDX 2.X model representation, I believe there is a lot of value in having the library support that representation. Similarly, anyone implementing the SPDX 3.X model would likely require a matching Java object. I have code that expects both of these model representations, for example. That being said, I won't be making use of the map myself.
especially as this establishes a precedent that won't scale well over time (i.e. when SPDX model v4, v5, ..., are eventually released).
For the library, I've only supported that last 2 major releases. For example, SPDX 1.0 is no longer supported in this version of the library. Since we only do major releases of the spec every 3 to 5 years, this seems to be OK.
AFIACT the license and exception lists (deliberately?) use their own unique data structures unrelated to the SPDX model, and are versioned independently of the SPDX model too (so for example SPDX license list v3.26.0 has no special relationship with SPDX model v3.0.1, despite coincidentally sharing the same major version number); SPDX license list v3.26.0 is equally compatible with SPDX model v2.x or v3.x (and presumably in future, v4.x etc.).
The license list data published in the JSON files are actually based on the SPDX 2.X model. There are a few differences due to the license list JSON file format predating the SPDX 2.X JSON format. The data itself is versioned separately, the the model is consistent. We just started publishing data in SPDX 3 format in parallel to the legacy SPDX 2 data format. BTW - In the SPDX Java library implementation, I just use the SPDX 2.X data and map that to the SPDX 3 format since they are pretty compatible.
In a way, current SPDX java library implementation isn't that far from what you are proposing:
- Nothing is created and there is no overhead until someone makes a call to a method that explicitly returns the Java model version (e.g.
getSpdxLicenseById), that way if no one is using a particular model version there is no penalty or overhead. - Both the 2.X and 3.X model representations use the same underlying JSON data structures to store the actual values. This is in the License List format - which is based on the SPDX 2.X license model.
- Access to the (same) license data is completely stateless for both model objects.
- Access to the license data is lazy loaded at the license or exception level. Even though we have a class representing a license or exception, the data is only fetched when the data is actually referenced. At that point, we'll fetch the license data either from the cache, website, or resource file depending on the configuration.
In terms of the maintenance issues - it is a real pain to maintain both SPDX 3 and SPDX 2 versions of the model, but this is necessary to support high demand use cases like translating an SPDX document from SPDX 2 to SPDX 3. The incremental overhead for maintaining the license structures is very small compared to the effort of maintaining the general models.
|
One more update - the unit tests run about 20% faster after this change, so it may be worth it just for the performance increase. |
|
@pmonks - After thinking about this a bit more, we could make the calls to the SPDX 2.X model versions of the license and exception maps private to encourage developers to use the SPDX 3 model. Let me know if that solves the issue you raised. Also, let me know if my response makes sense - the code is a bit (perhaps overly) complex and I may have missed something. @dwalluck - Let me know if you have any opinions on supporting one or both model versions as public APIs. I'd like to produce a release today - so let me know any thoughts. |
Signed-off-by: Gary O'Neall <[email protected]>
|
@goneall that addresses duplication in the API surface, which seemed to me to be the only thing that hadn't been covered in your previous comment (and thanks for that earlier detailed explanation!). So yeah that seems to me to be a good change to make. |
|
@pmonks - I just pushed a commit that makes the methods protected since making them private makes it harder to write the unit tests. This should be good to go - assuming it completes the CI tests successfully. |
Fixes #237