Difference between revisions of "Technical Team/Use Cases/2.0"

<p>We have several sources to begin pulling for SPDX Use Cases:</p><ol><li>The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a></li><li>The old <a href="https://fossbazaar.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a>&nbsp;as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SDPX 1.0 Use Case Picture</a>.</li></ol><div>&nbsp;</div><div>I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. &nbsp; Note, these use cases should be *<strong>doable</strong>* but in general not *<strong>required</strong>*. &nbsp;Any item listed here that is not a link, should have a child page created for it.</div><div>&nbsp;</div><div><ol><li><a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a></li><li>Upstream maintainer consuming another project</li><ol><li>Upstream maintainer including another project by including source</li><li>Upstream maintainer including another project by reference (think maven, possibly linking cases)</li><ol><li>by static reference (the referenced library is included with a redistribution)</li><li>by dynamic reference (express runtime dependency on the external library, but not redistributing it)</li></ol><li>Upstream maintainer pulling individual files out of another project (subsetting)</li></ol><li>Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data</li><ol><li>Intermediate packager subsetting upstream package</li></ol><li>Yocto [Jack Manbeck]</li><li>Aggregator aggregating many 'copyrightable items' for redistribution</li><ol><li>Linux Distros</li><li>Embedded Images</li><li>SDKs</li><li>Reference implementations</li><li>Eclipse/OSGI distributions</li><li>Application which ships with documentation + &nbsp;media + software [Jack Manbeck]</li></ol><li>Aggregators aggregating other aggergations for redistribution</li><li>Asserting corrections to SPDX data provided by others further upstream</li><li>Committers providing, or assenting to SPDX data</li><li>Committers annotating source files with SPDX info</li><li>Consumers receiving SPDX data</li><li>Signoff/multiple signoff on SPDX data</li><ol><li>Contracts with multiple parties requiring signoff by all [Kate Stewart]</li></ol><li>Auditor scenario: given big pile of 'copyrightable items', creating Bill of Materials [Peter Williams]</li><li>Sanity-checking Bill of Material</li><li>&nbsp;- validate that it represents a&nbsp;</li></ol><div>&nbsp;</div><div><div><h2>Cross-cutting concerns:</h2></div><div><ol><li>Provenance (the need to optionally use signing to validate who said what)</li><li>Handling staleness of data</li></ol></div></div><div>&nbsp;</div></div><div><h2>Themes:</h2></div><div>&nbsp;</div><div>Looking at these Use Cases, there are some underlying themes:</div><div><ol><li>Root of data (closer to upstream the better)</li><li>Subsetting of copyrightable things (and their SPDX data) (<strong>Note</strong>: Subsets of copyrightable things are usually also copyrightable things)</li><li>Aggregation of copyrightable things (and their SPDX data) (<strong>Note</strong>: Aggregations of copyrightable things are usually also copyrightable things).</li></ol></div><div>&nbsp;</div><div>&nbsp;</div><p>&nbsp;</p>