Merge 2.3 development branch to main

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

.github/workflows/publish_common.yml

@@ -27,8 +27,9 @@ jobs:
       run: pip install mike==1.2.0
     - name: Extract branch or tag name
       id: extract-branch-or-tag-name
-      run: echo "::set-output name=${REF##*/}"
+      run: echo "::set-output name=ref_name::${REF##*/}"
       with:
         ref: ${{ github.event.client_payload.ref || github.event.inputs.ref }}
     - name: Build docs
       run: mike deploy ${{ steps.outputs.extract-branch-or-tag-name.name }} ${{ github.event.inputs.aliases }}
+

CONTRIBUTING.md

@@ -15,19 +15,24 @@ A properly formed Git commit subject line should always be able to complete the
 
     if applied, this commit will Add chapter on Security Vunerabilities in SPDX
     if applied, this commit will Delete section with deprecated SPDX attributes 
-    if applied, this commit will Fix grammar in SPDX 3.3 Package Version
+    if applied, this commit will Fix grammar in Package Version field description
 
 Git itself uses this approach. When you merge something it will generate a commit message like "Merge branch...", or when reverting "Revert...".
 
 ### Minor Changes
 Minor changes such as markup and typo fixes may be submitted directly to this repository (either as [issues][] or [pull-requests][]) without previous discussion.
-Please submit all minor changes against the `development/v2.2.2` branch which is the draft of the next version of the SPDX specification to be released.
+Please submit all minor changes against the `development/v2.3` branch which is the current version of the SPDX specification.
 
 ### Major Changes
 Any change that break backwards compatibility or requires significant tooling changes is considered a major change.
 You may want to discuss major changes on the mailing list first to get design feedback before investing time in a pull request.
 Please submit all major changes against the `development/v3.0` which is the next major version of the specification. 
 
+### Target Milestones
+When submitting an issue or pull request, please add a suggested release milestone.  This will ensure the issue or pull request is reviewed for inclusion in that release.
+
+If your issue or pull request is independent of a release, you can use the `release-independent` milestone.
+
 [issues]: https://github.com/spdx/spdx-spec/issues/
 [pull-requests]: https://github.com/spdx/spdx-spec/pulls/
 [spdx-legal]: https://wiki.spdx.org/view/Legal_Team

README.md

@@ -12,7 +12,6 @@ This repository holds under active development version of the specification as:
 * HTML (gh-pages branch, built on every commit to `master` and `development/` branches)
   * [Current](https://spdx.github.io/spdx-spec/)
   * [v2 Development](https://spdx.github.io/spdx-spec/v2-draft)
-  * [v3 Development](https://spdx.github.io/spdx-spec/v3-draft)
 
 See for the official [releases of the specification](https://spdx.org/specifications) or additional information also the [SPDX website](https://spdx.org).
 

chapters/RDF-object-model-and-identifier-syntax.md

@@ -4,11 +4,11 @@
 
 SPDX ® Vocabulary Specification
 
-See: [http://spdx.org/rdf/ontology/spdx-2-2-1](http://spdx.org/rdf/ontology/spdx-2-2-1)
+See: [http://spdx.org/rdf/ontology/spdx-2-3](http://spdx.org/rdf/ontology/spdx-2-3)
 
-Version: 2.2.2
+Version: 2.3
 
-![SPDX 2.2.2 RDF Ontology](img/spdx-2.2.2-rdf-ontology.png)
+![SPDX 2.3 RDF Ontology](../ontology/SPDX-2.3-simplified.png)
 
 **Figure C.1 — SPDX ontology**
 

chapters/SPDX-Lite.md

@@ -18,14 +18,16 @@ The SPDX Lite profile is a subset of the SPDX specification. SPDX Lite consists
 
 The mandatory part of the SPDX document creation information section (which consists of SPDX Version, Data License, SPDX Identifier, Document Name, SPDX Document Namespace, Creator and Created) is used for keeping compatibility with SPDX tools.
 
-The main part of the Package Information (those are Package Name, Package Version, Package File Name, Package Download Location, Package Home Page, Concluded License, Declared License, Comments on License and Copyright Text) is used for exchanging license information.
+The main part of the Package Information (those are Package Name, Package Version, Package File Name, Package Supplier, Package Download Location, Package Home Page, Concluded License, Declared License, Comments on License and Copyright Text) is used for exchanging license information.
 
 In the Package Information, Package SPDX Identifier and Files Analyzed are used for keeping compatibility with SPDX tools.
 
 Files Analyzed shall be set to "false" when SPDX Lite is used.
 
 Package Comment can be used to describe additional details, such as compiling options, where a license may change with a different compiling option.
 
+External Reference field can be used to express correlated external resources information such as security CPE strings as described in Annex F of SPDX spec.
+
 The Other License information section (License Identifier, Extracted Text, License Name and License Comment) is used for exchanging license information for licenses that are not on the [SPDX License List](https://spdx.org/licenses).
 
 ## G.3 Table of SPDX Lite fields <a name="G.3"></a>
@@ -37,23 +39,25 @@ The Other License information section (License Identifier, Extracted Text, Licen
 |L1.1  |6.1  | SPDX Version              |
 |L1.2  |6.2  | Data License              |
 |L1.3  |6.3  | SPDX Identifier           |
-|L1.4  |6.4	 | Document Name	           |
+|L1.4  |6.4	 | Document Name	         |
 |L1.5  |6.5	 | SPDX Document Namespace   |
 |L1.6  |6.8	 | Creator	                 |
 |L1.7  |6.9  | Created                   |
 |L2.1  |7.1	 | Package Name	             |
 |L2.2  |7.2	 | Package SPDX Identifier   |
 |L2.3  |7.3	 | Package Version           |
 |L2.4  |7.4	 | Package File Name         |
-|L2.5  |7.7	 | Package Download Location |
-|L2.6  |7.8	 | Files Analyzed            |
-|L2.7  |7.11 | Package Home Page         |
-|L2.8  |7.13 | Concluded License         |
-|L2.9  |7.15 | Declared License          |
-|L2.10 |7.16 | Comments on License       |
-|L2.11 |7.17 | Copyright Text            |
-|L2.12 |7.20 | Package Comment           |
-|L3.1  |10.1	 | License Identifier        |
-|L3.2  |10.2	 | Extracted Text            |
-|L3.3  |10.3	 | License Name              |
-|L3.4  |10.5	 | License Comment           |
+|L2.5  |7.5  | Package Supplier          |
+|L2.6  |7.7	 | Package Download Location |
+|L2.7  |7.8	 | Files Analyzed            |
+|L2.8  |7.11 | Package Home Page         |
+|L2.9  |7.13 | Concluded License         |
+|L2.10 |7.15 | Declared License          |
+|L2.11 |7.16 | Comments on License       |
+|L2.12 |7.17 | Copyright Text            |
+|L2.13 |7.20 | Package Comment           |
+|L2.14 |7.21 | External Reference field  |
+|L3.1  |10.1 | License Identifier        |
+|L3.2  |10.2 | Extracted Text            |
+|L3.3  |10.3 | License Name              |
+|L3.4  |10.5 | License Comment           |

chapters/SPDX-license-expressions.md

@@ -15,11 +15,11 @@ license-id = <short form license identifier in Annex A.1>
 
 license-exception-id = <short form license exception identifier in Annex A.2>
 
-license-ref = ["DocumentRef-"1\*(idstring)":"]"LicenseRef-"1*(idstring)
+license-ref = ["DocumentRef-"(idstring)":"]"LicenseRef-"(idstring)
 
 simple-expression = license-id / license-id"+" / license-ref
 
-compound-expression = 1*1(simple-expression /
+compound-expression = (simple-expression /
 
 
 simple-expression "WITH" license-exception-id /
@@ -30,7 +30,7 @@ simple-expression "WITH" license-exception-id /
 
   "(" compound-expression ")" )
 
-license-expression = 1*1(simple-expression / compound-expression)
+license-expression = (simple-expression / compound-expression)
 ```
 
 In the following sections we describe in more detail `<license-expression>` construct, a licensing expression string that enables a more accurate representation of the licensing terms of modern-day software.
@@ -91,6 +91,12 @@ For example, when given a choice between the LGPL-2.1-only or MIT licenses, a va
 LGPL-2.1-only OR MIT
 ```
 
+The "OR" operator is commutative, meaning that the above expression should be considered equivalent to:
+
+```text
+MIT OR LGPL-2.1-only
+```
+
 An example representing a choice between three different licenses would be:
 
 ```text
@@ -107,6 +113,12 @@ For example, when one is required to comply with both the LGPL-2.1-only or MIT l
 LGPL-2.1-only AND MIT
 ```
 
+The "AND" operator is commutative, meaning that the above expression should be considered equivalent to:
+
+```text
+MIT AND LGPL-2.1-only
+```
+
 An example where all three different licenses apply would be:
 
 ```text