THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Use Cases/2.0/Third party produces bill of materials for software package"
Bschineller (Talk | contribs)
Revision as of 18:57, 25 September 2012
As a software publisher, in order to reduce my legal risk, I want to understand the obligations associated with my intended use of a software package. I do not have the internal capabilities/capacity to determine this information, so I request a third party to analyze my entire codebase to determine all rights holders and licenses for every file in the codebase.
Stakeholders and Interests
- Developer
The organization developing (or in possession of) the code that wants to understand the licensing and rights holders of that code.
- Compliance office
The organization that is responsible for ensuring that the licensing of the code is complied with.
- Analyzer
Third party that needs to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.
Main Success Scenario
- Developer delivers code to analyzer.
- Analyzer determines membership in sub-packages/components for each file.
- Analyzer imports/embeds existing SPDX data for sub-packages/components.
- Analyzer extracts licensing and copyright information from remaining files.
- Analyzer determines the following for every remaining file in the code base:
  - Rights holders
  - Licensing terms
- Analyzer provides the above data to Compliance office.
- Compliance office looks at the concluded licensing and rights holders and takes any necessary actions to comply with the licenses.
Alternate Scenario A
- Developer delivers code to analyzer.
- Analyzer determines membership in sub-packages/components for each file.
- Analyzer imports/embeds existing SPDX data for sub-packages/components.
- Analyzer extracts licensing and copyright information from remaining files.
- Analyzer determines the following for every remaining file in the code base:
  - Rights holders
  - Licensing terms
- Analyzer provides the above data to Compliance office.
- Compliance office looks at the concluded licensing and rights holders and determines that certain sub-packages/components are unacceptable.
- Developer removes the offending sub-components.
- Developer delivers the modified code to analyzer.
- Analyzer redoes the analysis (consider: not redoing it from scratch but re-using the results of the earlier SPDX data) and provides new SPDX data to Compliance office.
- Compliance office looks at the concluded licensing and rights holders and takes any necessary actions to comply with the licenses.
A failure scenario:
The scenario fails if the third-party auditor cannot take advantage of existing SPDX data about external packages/components when producing the SPDX data for the analyzed code that re-uses those external packages/components.
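As an added illustration (not code from the SPDX wiki or any SPDX project), the following Python sketch walks an analyzer through steps 2 to 5 of both scenarios and through the re-analysis in Alternate Scenario A. The codebase contents, the vendored `libfoo` sub-package, the stand-in "existing SPDX data" for it, the regex-based extractor and the denied-license policy are all constructed assumptions for the example. The `libfoo` files deliberately carry no per-file headers, so the example also shows the failure scenario: without imported SPDX data those files would end up as `NOASSERTION`.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed codebase delivered to the analyzer (step 1): path -> contents.
CODEBASE = {
    "src/main.c": (
        "// SPDX-License-Identifier: MIT\n"
        "// Copyright (c) 2012 Example Corp\n"
        "int main(void) { return 0; }\n"
    ),
    "src/util.c": (
        "/* Copyright 2011 Jane Doe */\n"
        "/* Licensed under the Apache License, Version 2.0 */\n"
        "int util(void) { return 1; }\n"
    ),
    # Vendored sub-package whose files carry no license or copyright headers.
    "third_party/libfoo/foo.c": "int foo(void) { return 42; }\n",
    "third_party/libfoo/foo.h": "int foo(void);\n",
    "docs/NOTES": "design notes, no license statement\n",
}

# Constructed stand-in for existing SPDX data about a sub-package (step 3),
# keyed by path prefix and reduced to the concluded license and rights holders.
EXISTING_SPDX = {
    "third_party/libfoo/": {
        "license": "LGPL-2.1-only",
        "rights_holders": ["Foo Project"],
    },
}

# Hypothetical extractor: an SPDX tag, a few license phrases, and copyright lines.
LICENSE_ID_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
LICENSE_PHRASES = {"Apache License, Version 2.0": "Apache-2.0"}
COPYRIGHT_RE = re.compile(
    r"Copyright(?:\s*\(c\))?\s*\d{4}\s+(.+?)\s*(?:\*/|$)",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class FileResult:
    path: str
    component: str        # sub-package prefix, or "" for files outside any known one
    license: str          # SPDX identifier, or NOASSERTION when nothing was found
    rights_holders: list
    source: str           # "imported" from existing SPDX data or "extracted" from the file
    digest: str           # sha256 of the contents, used to detect unchanged files


def component_for(path, existing):
    """Step 2: membership in a sub-package is decided by path prefix here."""
    for prefix in existing:
        if path.startswith(prefix):
            return prefix
    return ""


def extract(contents):
    """Step 4: pull license and rights holders out of a single file's text."""
    m = LICENSE_ID_RE.search(contents)
    license_id = m.group(1) if m else "NOASSERTION"
    if license_id == "NOASSERTION":
        for phrase, spdx_id in LICENSE_PHRASES.items():
            if phrase in contents:
                license_id = spdx_id
    holders = [h.strip() for h in COPYRIGHT_RE.findall(contents)]
    return license_id, holders


def analyze(codebase, existing, previous=None):
    """Steps 2-5. `previous` holds an earlier run's results keyed by path, so the
    re-analysis in Alternate Scenario A reuses unchanged files instead of
    re-extracting them."""
    previous = previous or {}
    results = {}
    for path, contents in codebase.items():
        digest = hashlib.sha256(contents.encode("utf-8")).hexdigest()
        component = component_for(path, existing)
        if component:
            data = existing[component]
            results[path] = FileResult(path, component, data["license"],
                                       list(data["rights_holders"]), "imported", digest)
        elif path in previous and previous[path].digest == digest:
            results[path] = previous[path]   # unchanged since the earlier analysis
        else:
            license_id, holders = extract(contents)
            results[path] = FileResult(path, "", license_id, holders, "extracted", digest)
    return results


def unacceptable_components(results, denied_licenses):
    """Compliance office step: which sub-packages carry a license the policy rejects."""
    return sorted({r.component for r in results.values()
                   if r.component and r.license in denied_licenses})


if __name__ == "__main__":
    first = analyze(CODEBASE, EXISTING_SPDX)
    for r in sorted(first.values(), key=lambda r: r.path):
        print(f"{r.path:28} {r.license:14} {', '.join(r.rights_holders) or '-':14} ({r.source})")
    print("unacceptable:", unacceptable_components(first, {"LGPL-2.1-only"}))
```

Re-running `analyze` with `previous=first` after the developer has dropped `third_party/libfoo/` returns the very same `FileResult` objects for files whose digest did not change, which is the "not redoing from scratch" variant the alternate scenario asks the analyzer to consider.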