THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Use Cases/2.0"
From SPDX Wiki
Revision as of 16:19, 23 May 2012
We have several sources to begin pulling for SPDX Use Cases:
- The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a>
- The old <a href="http://spdx.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a> as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SPDX 1.0 Use Case Picture</a>.
I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note, these use cases should be *doable* but in general not *required*. Any item listed here that is not a link should have a child page created for it.
- Code commits (original work intended for the project)
  - <a href="http://spdx.org/wiki/committers-provides-spdx-data-code-being-committed">Committer provides SPDX data</a>
  - <a href="http://spdx.org/wiki/contributor-makes-commit-subject-existing-spdx-data-project">Contributor makes commit subject to existing SPDX data of project</a>
  - Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license
- <a href="http://spdx.org/wiki/committer-annotates-source-files-spdx-data">Committer annotates source files with SPDX data</a>
- Patches (original work intended for the project)
  - <a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch">Patch provider provides SPDX data for the patch</a>
  - <a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch-indicating-it-licensed-however-hell-its-applied">Patch provider provides SPDX data for the patch indicating it is licensed however the hell it's applied</a>
  - <a href="http://spdx.org/wiki/patch-provider-provides-patch-subject-existing-spdx-data-project">Patch provider provides patch subject to existing SPDX data of project</a>
- Patch provider provides a patch that modifies existing SPDX data of project
  - <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.</a>
  - <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-corrections-spdx-data-upstream-does-have-it">Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it.</a>
- <a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a>
  - <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Upstream maintainer providing SPDX data in source archive</a>
  - <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-scm">Upstream maintainer providing SPDX data in SCM</a>
  - <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-url">Upstream maintainer providing SPDX data at a URL</a>
  - <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Upstream maintainer preparing release artifacts (including SPDX data).</a>
  - Intended usage communicated by the auditee (how/will the audited item get included in delivered/deployed bits) [Bill Schineller]
- Project maintainer incorporates another project
  - <a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-source">Project maintainer incorporates another project by including source</a>
  - <a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-binary">Project maintainer incorporates another project by including binary</a>
  - <a href="http://spdx.org/wiki/project-maintainer-pulling-individual-files-out-another-project-subsetting">Project maintainer pulling individual files out of another project (subsetting)</a>
- Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases)
  - by static reference (the referenced library is included with a redistribution)
  - by dynamic reference (express runtime dependency on the external library, but not redistributing it)
  - Maven case
- SPDX-Lite:
  - Allow a low-investment SPDX producer to produce valid SPDX data (could be maintainer or some third party)
  - <a href="http://spdx.org/wiki/producing-valid-spdx-files-face-missing-data">Produce a valid SPDX dataset even if some data is missing</a>
- Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data
  - Intermediate packager builds source package from upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-provides-spdx-data">Intermediate packager builds source package from upstream source that provides SPDX data</a>
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-does-not-provide-spdx-data">Intermediate packager builds source package from upstream source that does not provide SPDX data</a>
  - Intermediate packager builds binary package from upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-provides-spdx-data">Intermediate packager builds binary package from upstream source that provides SPDX data</a>
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-does-not-provides-spdx-data">Intermediate packager builds binary package from upstream source that does not provide SPDX data</a>
  - Intermediate packager adds patches to upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-provides-spdx-data">Intermediate packager adds patches to upstream source that provides SPDX data</a>
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds patches to upstream source that does not provide SPDX data</a>
  - Intermediate packager adds someone else's patches to upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-provides-spdx-data">Intermediate packager adds someone else's patches to upstream source that provides SPDX data</a>
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data</a>
  - Intermediate packager subsetting upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-provides-spdx-data">Intermediate packager subsetting upstream source that provides SPDX data</a>
    - <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-does-not-provide-spdx-data">Intermediate packager subsetting upstream source that does not provide SPDX data</a>
  - Intermediate packager chooses to distribute under one of multiple licenses made available by upstream (check with legal team)
  - Intermediate packager reviews SPDX data provided by upstream.
- Build systems (build systems want to pass on SPDX data for the thing they are building)
  - <a href="http://www.spdx.org/wiki/spdx-use-case-build-systems-yocto">Yocto</a>
    - How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched?
  - Maven [Brian Fox]
    - Rolling into release artifacts things only referenced in the POM file
    - Shading (subsetting) portions of a transitive dependency for inclusion in your artifact
  - Continuous integration around SPDX files (fixing SPDX files for commits coming in etc).
  - Linking
    - <a href="http://spdx.org/wiki/debian-has-interest-only-building-things-are-linking-license-compatible">Debian has an interest in only building things that are linking license compatible</a>
      - If a tool is consuming SPDX data to interact with heuristics.
  - Java complications [Richard Fontana]
    - What to do about installers that download JDK directly from Sun.
  - I just made a binary out of some source
    - <a href="http://spdx.org/wiki/spdx-data-indicating-subset-source-made-it-particular-binary-or-binary-package">SPDX data indicating subset of the source that made it into a particular binary or binary package</a>
  - Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..)
- Aggregator aggregating many 'copyrightable items' for redistribution
  - <a title="Linux Distro" href="https://spdx.org/wiki/linux-distro">Linux Distros</a>
  - <a href="http://spdx.org/wiki/embedded-images-eg-router-images-switch-images">Embedded Images (e.g. router images, switch images)</a>
  - SDKs [Jack Manbeck]
  - <a href="http://spdx.org/wiki/spdx-20-usecase-reference-implementations">Reference implementations</a> [Jack Manbeck]
  - Eclipse/OSGI distributions
  - <a href="http://spdx.org/wiki/spdx-20-usecase-application-which-ships-documentation-media-software">Application which ships with documentation + media + software</a> [Jack Manbeck]
  - <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-contrib-libraries">Application which ships with contrib libraries</a> [Gary O'Neall]
  - <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-development-tools">Application which ships with development tools</a> [Gary O'Neall]
  - Receiving what appears to be commercial software but that commercial software contains Open Source
  - Receiving what appears to be open source software but that open source software contains commercial software
  - <a href="http://spdx.org/wiki/subsetting-out-only-shippable-bits-stuff-coming-sdk">Subsetting out only the shippable bits of stuff coming from an SDK</a>
  - <a href="http://spdx.org/wiki/aggregators-aggregating-other-aggregations-redistribution">Aggregators aggregating other aggregations for redistribution</a>
- Consumers receiving SPDX data
  - Procurement needs to view it and review it
  - Legal department needs to review
  - Comply with licensing when there are multiple rights holders each with licensing use under a different license
  - <a href="http://spdx.org/wiki/provide-sufficient-data-allow-consumer-comply-licenses-redistribution">Provide sufficient data to allow consumer to comply with licenses on redistribution</a>
  - Bradley wants to extract all rights holders for a particular file
  - Multiple SPDX files you need to reconcile
  - Recognizing the same SPDX data for the same code coming from multiple supply chain paths
  - Flagging potential issues revealed by the SPDX
    - License conflicts
    - Listing out obligations
  - Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations)
    - How to capture attribution information for binaries
    - Help with redistribution obligations
  - Equivalence classes of binaries and tracking back to the same source and source SPDX data.
    - Consider what to do about license metafiles
    - COPYING files
    - LICENSE.* files
    - README.*
    - Think about how to handle NOTICE files and Apache
- Consuming code snippets (God help us all) (subfile pieces of code not originally intended for the project) [Gary O'Neall]
  - Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file
  - Track differently licensed snippets explicitly
  - Handle the case where code is copied and pasted through online forums etc.
- Signoff/multiple signoff on SPDX data
  - Contracts with multiple parties requiring signoff by all [Kate Stewart]
  - Signing off on only a subset of the SPDX data (of an SPDX document in progress?)
- Third party does licensing analysis
  - <a href="http://spdx.org/wiki/third-party-produces-bill-materials-software-package">Third party generates license analysis</a>
  - Acceptable usage communicated by auditor [Peter Williams]
  - Actual usage communicated
  - Did the code that I shipped (the binaries) match the copyrightable items? i.e. be able to produce an SPDX file that applies to binary code
  - <a href="http://spdx.org/wiki/collecting-enough-information-allow-auditor-make-recommendations-remove-or-not-component">Collecting enough information to allow auditor to make recommendations to remove or not a component</a>
  - Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions
  - Unaffiliated third party provides SPDX data for a project
- Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed
  - outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]
    - Check to see if the SPDX data provided matches the files provided [Kirsten Newcomer]
    - Check to see if the SPDX file is internally consistent (do I have license refs to match licenses)
    - Did the code that I shipped (the binaries) match the copyrightable items?
  - inbound: validate that SPDX goes hand in hand with what's being brought in [Kirsten Newcomer]
    - Check to see if the SPDX data matches the files you are shipping [Kirsten Newcomer]
    - Check to see if the SPDX file is internally consistent (do I have license refs to match licenses)
  - SPDX lint
  - Incomplete SPDX data you may need to complete
  - Asserting corrections to SPDX data provided by others further upstream
- Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example)
  - e.g. knit together a bunch of 1.0 files into a 2.0...
- Extensions:
  - <a href="http://spdx.org/wiki/communicate-data-beyond-what-described-spec">Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know</a>
  - Experimental improvements for new flavors of data in SPDX files w/o breaking consumers that are not in the know. [Peter Williams]
  - <a href="http://spdx.org/wiki/license-list-extension">License list extensions, how do you handle folks who have more licenses than SPDX</a>
  - <a href="http://spdx.org/wiki/decorating-already-produces-and-signed-spdx-dataset-extension-data">Decorating an already produced and signed SPDX dataset with extension data</a> [Bill Schineller]
  - Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German]
  - Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi]
  - Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit]
  - Conveying Security Vulnerability information [Jianshen O.- Huawei]
- Look at a 'pingback' (URL string similar for blogs) kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu]
- Cloud
  - Materializing a VM and making sure it's OK from a licensing mechanism
  - SugarCRM case, obligation by virtue of using web service interface
- Legal Use Cases:
  - Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper]
  - How are we going to handle Public Domain (not in license list... region specific...)
Cross-cutting concerns:
- Provenance (the need to optionally use signing to validate who said what)
- Trust
- Handling staleness of data
- Composite licensing
- Ease of sharing information
  - Collecting tribal knowledge along the way
- Guarding against file bloat
- Simple simple simple
- SPDX-Lite:
- Clarity
- Automation/toolifiability
- Regionality
Themes:
Looking at these Use Cases, there are some underlying themes:
- Root of data (closer to upstream the better)
- Subsetting of copyrightable things (and their SPDX data) (Note: Subsets of copyrightable things are usually also copyrightable things)
- Aggregation of copyrightable things (and their SPDX data) (Note: Aggregations of copyrightable things are usually also copyrightable things).