THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Use Cases/2.0"

Line 1: Line 1:
<p>We have several sources to begin pulling for SPDX Use Cases:</p><ol><li>The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a></li><li>The old <a href="http://spdx.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a>&nbsp;as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SDPX 1.0 Use Case Picture</a>.</li></ol><div>&nbsp;</div><div>I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. &nbsp; Note, these use cases should be *<strong>doable</strong>* but in general not *<strong>required</strong>*. &nbsp;Any item listed here that is not a link, should have a child page created for it.</div><div>&nbsp;</div><div><ol><li>Code commits (original work intended for the project)</li><ol><li><a href="http://spdx.org/wiki/committers-provides-spdx-data-code-being-committed">Committer provides SPDX data</a></li><li><a href="http://spdx.org/wiki/contributor-makes-commit-subject-existing-spdx-data-project">Contributor makes commit &nbsp;subject to existing SPDX data of project</a></li><li>Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license</li></ol><li><a href="http://spdx.org/wiki/committer-annotates-source-files-spdx-data">Committer annotates source files with SPDX data</a></li><li>Patches (original work intended for the project)</li><ol><li><a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch">Patch provider provides SPDX data for the patch</a></li><li><a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch-indicating-it-licensed-however-hell-its-applied">Patch provider provides SPDX data for the patch indicating it is licensed however the hell its applied</a></li><li><a href="http://spdx.org/wiki/patch-provider-provides-patch-subject-existing-spdx-data-project">Patch provider provides patch subject to 
existing SPDX data of project</a></li></ol><li>Patch provider provides a patch that modifies existing SPDX data of project</li><ol><li><a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.</a></li><li><a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-corrections-spdx-data-upstream-does-have-it">Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it.</a></li></ol><li><a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a></li><ol><li><a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Upstream maintainer providing SPDX data in source archive</a></li><li><a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-scm">Upstream maintainer providing SPDX data in SCM</a></li><li><a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-url">Upstream maintainer providing SPDX data at a URL</a></li><li><a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Upstream maintainer preparing release artifacts (including SPDX data).</a></li><li>Intended usage communicated&nbsp;by the auditee&nbsp;(how/will the audited item get included in delivered/deployed bits)&nbsp;&nbsp;[Bill Schineller]</li></ol><li>Project maintainer incorporates another project</li><ol><li><a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-source">Project maintainer incorporates another project by including source</a></li><li><a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-binary">Project maintainer incorporates another project by including binary</a></li><li><a 
href="http://spdx.org/wiki/project-maintainer-pulling-individual-files-out-another-project-subsetting">Project maintainer pulling individual files out of another project (subsetting)</a></li></ol><li>Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases)</li><ol><li>by static reference (the referenced library is included with a redistribution)</li><li>by dynamic reference (express runtime dependency on the external library, but not redistributing it)</li><li>Maven case</li></ol><li>SPDX-Lite:</li><ol><li><a href="http://spdx.org/wiki/low-cost-spdx-file">Allow a low investment SPDX producer to produce valid SPDX data</a></li><li><a href="http://spdx.org/wiki/producing-valid-spdx-files-face-missing-data">Produce a valid SPDX dataset even if some data is missing</a>&nbsp;</li></ol><li>Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data</li><ol><li>Intermediate packager builds source package from upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-provides-spdx-data">Intermediate packager builds source package from upstream source&nbsp;that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-does-not-provide-spdx-data">Intermediate packager builds source package from upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager builds binary package from upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-provides-spdx-data">Intermediate packager builds binary package from upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-does-not-provides-spdx-data">Intermediate packager builds binary package from upstream source that does not provides SPDX data</a></li></ol><li>Intermediate 
packager adds patches to upstream source&nbsp;</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-provides-spdx-data">Intermediate packager adds patches to upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds patches to upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager adds someone else's patches to upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-provides-spdx-data">Intermediate packager adds someone else's patches to upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager subsetting upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-provides-spdx-data">Intermediate packager subsetting upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-does-not-provide-spdx-data">Intermediate packager subsetting upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager chooses to distribute one of multiple available under licenses provided for by upstream (check with legal team)</li><li>Intermediate packager reviews SPDX data provided by upstream.</li></ol><li>Build systems (build systems want to pass on SPDX data for the thing they are building)</li><ol><li><a href="http://www.spdx.org/wiki/spdx-use-case-build-systems-yocto">Yocto </a></li><ol><li>How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched.</li></ol><li>Maven 
[ Brian Fox ]</li><ol><li>Rolling into release artifacts things only referenced in the POM file</li><li>Shading (subsetting) portions of a transitive dependency for inclusion in your artifact</li></ol><li>Continuous integration around SPDX files (fixing SPDX files for commits coming in etc).</li><li>Linking</li><ol><li><a href="http://spdx.org/wiki/debian-has-interest-only-building-things-are-linking-license-compatible">Debian has an interest in only building things that are linking license compatible</a></li><ol><li>If a tool is consuming SPDX data to interact with heuristics.</li></ol></ol><li>Java complications [Richard Fontana]</li><ol><li>What to do about installers that download JDK directly from sun.</li></ol><li>I just made a binary out of some source</li><ol><li><a href="http://spdx.org/wiki/spdx-data-indicating-subset-source-made-it-particular-binary-or-binary-package">SPDX data indicating subset of the source that made it into a particular binary or binary package</a></li></ol><li>Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..)</li></ol><li>Aggregator aggregating many 'copyrightable items' for redistribution</li><ol><li><a title="Linux Distro" href="https://spdx.org/wiki/linux-distro">Linux Distros</a></li><li><a href="http://spdx.org/wiki/embedded-images-eg-router-images-switch-images">Embedded Images (e.g. 
router images, switch images)</a></li><li>SDKs [Jack Manbeck]</li><li><a href="http://spdx.org/wiki/spdx-20-usecase-reference-implementations">Reference implementations </a>[Jack Manbeck]</li><li>Eclipse/OSGI distributions</li><li><a href="http://spdx.org/wiki/spdx-20-usecase-application-which-ships-documentation-media-software">Application which ships with documentation + &nbsp;media + software</a> [Jack Manbeck]</li><li><a title="Use case details" href="http://spdx.org/wiki/application-which-ships-contrib-libraries">Application which ships with a contrib libraries</a></li><li><a title="Use case details" href="http://spdx.org/wiki/application-which-ships-development-tools">Application which ships with development tools</a></li><li>Receiving what appears to be commercial software but that commercial software contains Open Source</li><li>Receiving what appears to be opensource software but that opensource software contains commercial software</li><li><a href="http://spdx.org/wiki/subsetting-out-only-shippable-bits-stuff-coming-sdk">Subsetting out only the shippable bits of stuff coming from an SDK</a></li><li><a href="http://spdx.org/wiki/aggregators-aggregating-other-aggregations-redistribution">Aggregators aggregating other aggregations for redistribution</a></li></ol><li>Consumers receiving SPDX data</li><ol><li>Procurement needs to view it and review it</li><li>Legal department needs to review</li><li>Comply with licensing when there are multiple rights holders each with licensing use under a different license</li><li><a href="http://spdx.org/wiki/provide-sufficient-data-allow-consumer-comply-licenses-redistribution">Provide sufficient data to allow consumer to comply with licenses on redistribution</a></li><li>Bradley want to extract all rights holders for a particular file</li><li>Multiple SPDX files you need to reconcile</li><li>Recognizing the same SPDX data for the same code coming from multiple supply chain paths</li><li>Flagging potential issues revealed 
by the SPDX</li><ol><li>License conflicts</li><li>Listing out obligations</li></ol><li>Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations)</li><ol><li>How to capture attribution information for binaries</li><li>Help with redistribution obligations</li></ol><li>Equivalence classes of binaries and tracking back to the same source and source SPDX data.</li><ol><li>Consider what to do about license metafiles</li><li>COPYING files</li><li>LICENSE.* files</li><li>README.*</li><li>Think about how to handle NOTICE files and Apache</li></ol></ol><li><a href="http://spdx.org/wiki/consuming-code-snippets">Consuming code snippets </a>(God help us all) (subfile pieces of code not originally intended for the project)</li><ol><li>Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file</li><li>Track differently licensed snippets explicitly</li><li>Handle the case where code is copied and pasted through online forums etc.</li></ol><li>Signoff/multiple signoff on SPDX data</li><ol><li>Contracts with multiple parties requiring signoff by all [Kate Stewart]</li><li>Signing off on only a subset of the SPDX data (of an SPDX document in progress?)</li></ol><li>Third party does licensing analysis</li><ol><li><a href="http://spdx.org/wiki/third-party-produces-bill-materials-software-package">Third party generates license analysis</a></li><li>Acceptable usage communicated by auditor [Peter Williams]</li><li>Actual usage communicated</li><li>Did the code that I shipped (the binaries) match the copyrightable items? i.e. 
be able to produce an SPDX file that applies to binary code</li><li><a href="http://spdx.org/wiki/collecting-enough-information-allow-auditor-make-recommendations-remove-or-not-component">Collecting enough information to allow auditor to make recommendations to remove or not a component</a></li><li>Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions</li><li>Unaffiliated third party provides SPDX data for a project</li></ol><li>Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed</li><ol><li>outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]</li><ol><li><a href="http://spdx.org/wiki/check-see-if-spdx-data-provided-matches-files-provided">Check to see if the SPDX data provided matches the files provided</a></li><li>Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)</li><li>Did the code that I shipped (the binaries) match the copyrightable items.</li></ol><li>inbound: &nbsp;validate that SPDX goes hand in hand with what's being brought in&nbsp;[Kirsten Newcomer]</li><ol><li>Chcek to see if the SPDX data matches the files you are shipping [Kirsten Newcomer]</li><li>Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)</li></ol><li>SPDX lint</li><li>Incomplete SPDX data you may need to complete</li><li>Asserting corrections to SPDX data provided by others further upstream</li></ol><li>Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example)</li><ol><li>e.g. 
knit together a bunch of 1.0 files into a 2.0...</li></ol><li>Extensions:</li><ol><li><a href="http://spdx.org/wiki/communicate-data-beyond-what-described-spec">Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know</a></li><li>Experimental improvements to SDPX files w/o breaking consumers that are not in the know. [Peter Williams]</li><li><a href="http://spdx.org/wiki/license-list-extension">License list extensions, how do you handle folks who have more licenses than SPDX</a></li><li><a href="http://spdx.org/wiki/decorating-already-produces-and-signed-spdx-dataset-extension-data">Decorating an already produces and signed SPDX dataset with extension data</a> [Bill Schineller]</li><li>Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German]</li><li>Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. 
commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi]</li><li>Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit]</li><li>Conveying Security Vulnerability information [Jianshen O.- Huawei]</li></ol><li>Look at a 'pingback' (URL string similar for blogs)kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu]</li><li>Cloud</li><ol><li>Materializing a VM and making sure it's OK from a licensing mechanism</li><li>SugarCRM case, obligation by virtue of using web service interface</li></ol><li>Legal Use Cases:</li><ol><li>Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper]</li><li>How are we going to handle Public Domain (not in license list... 
region specific...)</li></ol></ol><div>&nbsp;</div><div><div><h2>Cross-cutting concerns:</h2></div><div><ol><li>Provenance (the need to optionally use signing to validate who said what)</li><li>Trust</li><li>Handling staleness of data</li><li>Composite licensing</li><li>Ease of sharing information</li><ol><li>Collecting tribal knowledge along the way&nbsp;</li></ol><li>Guarding against file bloat</li><li>Simple simple simple</li><li>SPDX-Lite:</li><li>Clarity</li><li>Automation/toolifiability</li><li>Regionality</li></ol></div></div></div><div><h2>Themes:</h2></div><div>&nbsp;</div><div>Looking at these Use Cases, there are some underlying themes:</div><div><ol><li>Root of data (closer to upstream the better)</li><li>Subsetting of copyrightable things (and their SPDX data) (<strong>Note</strong>: Subsets of copyrightable things are usually also copyrightable things)</li><li>Aggregation of copyrightable things (and their SPDX data) (<strong>Note</strong>: Aggregations of copyrightable things are usually also copyrightable things).</li></ol></div><div>&nbsp;</div><div>&nbsp;</div><p>&nbsp;</p>
+
<p>We have several sources to begin pulling for SPDX Use Cases:</p><ol><li>The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a></li><li>The old <a href="http://spdx.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a>&nbsp;as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SDPX 1.0 Use Case Picture</a>.</li></ol><div>&nbsp;</div><div>I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. &nbsp; Note, these use cases should be *<strong>doable</strong>* but in general not *<strong>required</strong>*. &nbsp;Any item listed here that is not a link, should have a child page created for it.</div><div>&nbsp;</div><div><ol><li>Code commits (original work intended for the project)</li><ol><li><a href="http://spdx.org/wiki/committers-provides-spdx-data-code-being-committed">Committer provides SPDX data</a></li><li><a href="http://spdx.org/wiki/contributor-makes-commit-subject-existing-spdx-data-project">Contributor makes commit &nbsp;subject to existing SPDX data of project</a></li><li>Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license</li></ol><li><a href="http://spdx.org/wiki/committer-annotates-source-files-spdx-data">Committer annotates source files with SPDX data</a></li><li>Patches (original work intended for the project)</li><ol><li><a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch">Patch provider provides SPDX data for the patch</a></li><li><a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch-indicating-it-licensed-however-hell-its-applied">Patch provider provides SPDX data for the patch indicating it is licensed however the hell its applied</a></li><li><a href="http://spdx.org/wiki/patch-provider-provides-patch-subject-existing-spdx-data-project">Patch provider provides patch subject to 
existing SPDX data of project</a></li></ol><li>Patch provider provides a patch that modifies existing SPDX data of project</li><ol><li><a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.</a></li><li><a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-corrections-spdx-data-upstream-does-have-it">Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it.</a></li></ol><li><a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a></li><ol><li><a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Upstream maintainer providing SPDX data in source archive</a></li><li><a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-scm">Upstream maintainer providing SPDX data in SCM</a></li><li><a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-url">Upstream maintainer providing SPDX data at a URL</a></li><li><a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Upstream maintainer preparing release artifacts (including SPDX data).</a></li><li>Intended usage communicated&nbsp;by the auditee&nbsp;(how/will the audited item get included in delivered/deployed bits)&nbsp;&nbsp;[Bill Schineller]</li></ol><li>Project maintainer incorporates another project</li><ol><li><a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-source">Project maintainer incorporates another project by including source</a></li><li><a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-binary">Project maintainer incorporates another project by including binary</a></li><li><a 
href="http://spdx.org/wiki/project-maintainer-pulling-individual-files-out-another-project-subsetting">Project maintainer pulling individual files out of another project (subsetting)</a></li></ol><li>Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases)</li><ol><li>by static reference (the referenced library is included with a redistribution)</li><li>by dynamic reference (express runtime dependency on the external library, but not redistributing it)</li><li>Maven case</li></ol><li>SPDX-Lite:</li><ol><li><a href="http://spdx.org/wiki/low-cost-spdx-file">Allow a low investment SPDX producer to produce valid SPDX data</a></li><li><a href="http://spdx.org/wiki/producing-valid-spdx-files-face-missing-data">Produce a valid SPDX dataset even if some data is missing</a>&nbsp;</li></ol><li>Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data</li><ol><li>Intermediate packager builds source package from upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-provides-spdx-data">Intermediate packager builds source package from upstream source&nbsp;that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-does-not-provide-spdx-data">Intermediate packager builds source package from upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager builds binary package from upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-provides-spdx-data">Intermediate packager builds binary package from upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-does-not-provides-spdx-data">Intermediate packager builds binary package from upstream source that does not provides SPDX data</a></li></ol><li>Intermediate 
packager adds patches to upstream source&nbsp;</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-provides-spdx-data">Intermediate packager adds patches to upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds patches to upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager adds someone else's patches to upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-provides-spdx-data">Intermediate packager adds someone else's patches to upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager subsetting upstream source</li><ol><li><a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-provides-spdx-data">Intermediate packager subsetting upstream source that provides SPDX data</a></li><li><a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-does-not-provide-spdx-data">Intermediate packager subsetting upstream source that does not provide SPDX data</a></li></ol><li>Intermediate packager chooses to distribute one of multiple available under licenses provided for by upstream (check with legal team)</li><li>Intermediate packager reviews SPDX data provided by upstream.</li></ol><li>Build systems (build systems want to pass on SPDX data for the thing they are building)</li><ol><li><a href="http://www.spdx.org/wiki/spdx-use-case-build-systems-yocto">Yocto </a></li><ol><li>How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched.</li></ol><li>Maven 
[ Brian Fox ]</li><ol><li>Rolling into release artifacts things only referenced in the POM file</li><li>Shading (subsetting) portions of a transitive dependency for inclusion in your artifact</li></ol><li>Continuous integration around SPDX files (fixing SPDX files for commits coming in etc).</li><li>Linking</li><ol><li><a href="http://spdx.org/wiki/debian-has-interest-only-building-things-are-linking-license-compatible">Debian has an interest in only building things that are linking license compatible</a></li><ol><li>If a tool is consuming SPDX data to interact with heuristics.</li></ol></ol><li>Java complications [Richard Fontana]</li><ol><li>What to do about installers that download JDK directly from sun.</li></ol><li>I just made a binary out of some source</li><ol><li><a href="http://spdx.org/wiki/spdx-data-indicating-subset-source-made-it-particular-binary-or-binary-package">SPDX data indicating subset of the source that made it into a particular binary or binary package</a></li></ol><li>Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..)</li></ol><li>Aggregator aggregating many 'copyrightable items' for redistribution</li><ol><li><a title="Linux Distro" href="https://spdx.org/wiki/linux-distro">Linux Distros</a></li><li><a href="http://spdx.org/wiki/embedded-images-eg-router-images-switch-images">Embedded Images (e.g. 
router images, switch images)</a></li><li>SDKs [Jack Manbeck]</li><li><a href="http://spdx.org/wiki/spdx-20-usecase-reference-implementations">Reference implementations </a>[Jack Manbeck]</li><li>Eclipse/OSGI distributions</li><li><a href="http://spdx.org/wiki/spdx-20-usecase-application-which-ships-documentation-media-software">Application which ships with documentation + &nbsp;media + software</a> [Jack Manbeck]</li><li><a title="Use case details" href="http://spdx.org/wiki/application-which-ships-contrib-libraries">Application which ships with a contrib libraries</a></li><li><a title="Use case details" href="http://spdx.org/wiki/application-which-ships-development-tools">Application which ships with development tools</a></li><li>Receiving what appears to be commercial software but that commercial software contains Open Source</li><li>Receiving what appears to be opensource software but that opensource software contains commercial software</li><li><a href="http://spdx.org/wiki/subsetting-out-only-shippable-bits-stuff-coming-sdk">Subsetting out only the shippable bits of stuff coming from an SDK</a></li><li><a href="http://spdx.org/wiki/aggregators-aggregating-other-aggregations-redistribution">Aggregators aggregating other aggregations for redistribution</a></li></ol><li>Consumers receiving SPDX data</li><ol><li>Procurement needs to view it and review it</li><li>Legal department needs to review</li><li>Comply with licensing when there are multiple rights holders each with licensing use under a different license</li><li><a href="http://spdx.org/wiki/provide-sufficient-data-allow-consumer-comply-licenses-redistribution">Provide sufficient data to allow consumer to comply with licenses on redistribution</a></li><li>Bradley want to extract all rights holders for a particular file</li><li>Multiple SPDX files you need to reconcile</li><li>Recognizing the same SPDX data for the same code coming from multiple supply chain paths</li><li>Flagging potential issues revealed 
by the SPDX</li><ol><li>License conflicts</li><li>Listing out obligations</li></ol><li>Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations)</li><ol><li>How to capture attribution information for binaries</li><li>Help with redistribution obligations</li></ol><li>Equivalence classes of binaries and tracking back to the same source and source SPDX data.</li><ol><li>Consider what to do about license metafiles</li><li>COPYING files</li><li>LICENSE.* files</li><li>README.*</li><li>Think about how to handle NOTICE files and Apache</li></ol></ol><li><a href="http://spdx.org/wiki/consuming-code-snippets">Consuming code snippets </a>(God help us all) (subfile pieces of code not originally intended for the project)</li><ol><li>Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file</li><li>Track differently licensed snippets explicitly</li><li>Handle the case where code is copied and pasted through online forums etc.</li></ol><li>Signoff/multiple signoff on SPDX data</li><ol><li>Contracts with multiple parties requiring signoff by all [Kate Stewart]</li><li>Signing off on only a subset of the SPDX data (of an SPDX document in progress?)</li></ol><li>Third party does licensing analysis</li><ol><li><a href="http://spdx.org/wiki/third-party-produces-bill-materials-software-package">Third party generates license analysis</a></li><li>Actual usage communicated</li><li>Did the code that I shipped (the binaries) match the copyrightable items? i.e. 
be able to produce an SPDX file that applies to binary code</li><li><a href="http://spdx.org/wiki/collecting-enough-information-allow-auditor-make-recommendations-remove-or-not-component">Collecting enough information to allow auditor to make recommendations to remove or not a component</a></li><li>Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions</li><li>Unaffiliated third party provides SPDX data for a project</li></ol><li>Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed</li><ol><li>outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]</li><ol><li><a href="http://spdx.org/wiki/check-see-if-spdx-data-provided-matches-files-provided">Check to see if the SPDX data provided matches the files provided</a></li><li>Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)</li><li>Did the code that I shipped (the binaries) match the copyrightable items.</li></ol><li>inbound: &nbsp;validate that SPDX goes hand in hand with what's being brought in&nbsp;[Kirsten Newcomer]</li><ol><li>Chcek to see if the SPDX data matches the files you are shipping [Kirsten Newcomer]</li><li>Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)</li></ol><li>SPDX lint</li><li>Incomplete SPDX data you may need to complete</li><li>Asserting corrections to SPDX data provided by others further upstream</li></ol><li>Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example)</li><ol><li>e.g. 
knit together a bunch of 1.0 files into a 2.0...</li></ol><li>Extensions:</li><ol><li><a href="http://spdx.org/wiki/communicate-data-beyond-what-described-spec">Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know</a></li><li>Experimental improvements to SDPX files w/o breaking consumers that are not in the know. [Peter Williams]</li><li><a href="http://spdx.org/wiki/license-list-extension">License list extensions, how do you handle folks who have more licenses than SPDX</a></li><li><a href="http://spdx.org/wiki/decorating-already-produces-and-signed-spdx-dataset-extension-data">Decorating an already produces and signed SPDX dataset with extension data</a> [Bill Schineller]</li><li>Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German]</li><li>Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. 
commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi]</li><li>Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit]</li><li>Conveying Security Vulnerability information [Jianshen O.- Huawei]</li></ol><li>Look at a 'pingback' (URL string similar for blogs)kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu]</li><li>Cloud</li><ol><li>Materializing a VM and making sure it's OK from a licensing mechanism</li><li>SugarCRM case, obligation by virtue of using web service interface</li></ol><li>Legal Use Cases:</li><ol><li>Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper]</li><li>How are we going to handle Public Domain (not in license list... 
region specific...)</li></ol></ol><div>&nbsp;</div><div><div><h2>Cross-cutting concerns:</h2></div><div><ol><li>Provenance (the need to optionally use signing to validate who said what)</li><li>Trust</li><li>Handling staleness of data</li><li>Composite licensing</li><li>Ease of sharing information</li><ol><li>Collecting tribal knowledge along the way&nbsp;</li></ol><li>Guarding against file bloat</li><li>Simple simple simple</li><li>SPDX-Lite:</li><li>Clarity</li><li>Automation/toolifiability</li><li>Regionality</li></ol></div></div></div><div><h2>Themes:</h2></div><div>&nbsp;</div><div>Looking at these Use Cases, there are some underlying themes:</div><div><ol><li>Root of data (closer to upstream the better)</li><li>Subsetting of copyrightable things (and their SPDX data) (<strong>Note</strong>: Subsets of copyrightable things are usually also copyrightable things)</li><li>Aggregation of copyrightable things (and their SPDX data) (<strong>Note</strong>: Aggregations of copyrightable things are usually also copyrightable things).</li></ol></div><div>&nbsp;</div><div>&nbsp;</div><p>&nbsp;</p>

Revision as of 21:06, 27 May 2012

We have several sources to begin pulling for SPDX Use Cases:

  1. The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a>
  2. The old <a href="http://spdx.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a> as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SPDX 1.0 Use Case Picture</a>.
 
I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note, these use cases should be *doable* but in general not *required*. Any item listed here that is not a link should have a child page created for it.
 
  1. Code commits (original work intended for the project)
    1. <a href="http://spdx.org/wiki/committers-provides-spdx-data-code-being-committed">Committer provides SPDX data</a>
    2. <a href="http://spdx.org/wiki/contributor-makes-commit-subject-existing-spdx-data-project">Contributor makes commit subject to existing SPDX data of project</a>
    3. Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license
  2. <a href="http://spdx.org/wiki/committer-annotates-source-files-spdx-data">Committer annotates source files with SPDX data</a>
  3. Patches (original work intended for the project)
    1. <a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch">Patch provider provides SPDX data for the patch</a>
    2. <a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch-indicating-it-licensed-however-hell-its-applied">Patch provider provides SPDX data for the patch indicating it is licensed however the hell it's applied</a>
    3. <a href="http://spdx.org/wiki/patch-provider-provides-patch-subject-existing-spdx-data-project">Patch provider provides patch subject to existing SPDX data of project</a>
  4. Patch provider provides a patch that modifies existing SPDX data of project
    1. <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.</a>
    2. <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-corrections-spdx-data-upstream-does-have-it">Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it.</a>
  5. <a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a>
    1. <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Upstream maintainer providing SPDX data in source archive</a>
    2. <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-scm">Upstream maintainer providing SPDX data in SCM</a>
    3. <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-url">Upstream maintainer providing SPDX data at a URL</a>
    4. <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Upstream maintainer preparing release artifacts (including SPDX data).</a>
    5. Intended usage communicated by the auditee (how/will the audited item get included in delivered/deployed bits)  [Bill Schineller]
  6. Project maintainer incorporates another project
    1. <a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-source">Project maintainer incorporates another project by including source</a>
    2. <a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-binary">Project maintainer incorporates another project by including binary</a>
    3. <a href="http://spdx.org/wiki/project-maintainer-pulling-individual-files-out-another-project-subsetting">Project maintainer pulling individual files out of another project (subsetting)</a>
  7. Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases)
    1. by static reference (the referenced library is included with a redistribution)
    2. by dynamic reference (express runtime dependency on the external library, but not redistributing it)
    3. Maven case
  8. SPDX-Lite:
    1. <a href="http://spdx.org/wiki/low-cost-spdx-file">Allow a low investment SPDX producer to produce valid SPDX data</a>
    2. <a href="http://spdx.org/wiki/producing-valid-spdx-files-face-missing-data">Produce a valid SPDX dataset even if some data is missing</a> 
  9. Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data
    1. Intermediate packager builds source package from upstream source
      1. <a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-provides-spdx-data">Intermediate packager builds source package from upstream source that provides SPDX data</a>
      2. <a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-does-not-provide-spdx-data">Intermediate packager builds source package from upstream source that does not provide SPDX data</a>
    2. Intermediate packager builds binary package from upstream source
      1. <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-provides-spdx-data">Intermediate packager builds binary package from upstream source that provides SPDX data</a>
      2. <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-does-not-provides-spdx-data">Intermediate packager builds binary package from upstream source that does not provide SPDX data</a>
    3. Intermediate packager adds patches to upstream source 
      1. <a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-provides-spdx-data">Intermediate packager adds patches to upstream source that provides SPDX data</a>
      2. <a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds patches to upstream source that does not provide SPDX data</a>
    4. Intermediate packager adds someone else's patches to upstream source
      1. <a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-provides-spdx-data">Intermediate packager adds someone else's patches to upstream source that provides SPDX data</a>
      2. <a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data</a>
    5. Intermediate packager subsetting upstream source
      1. <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-provides-spdx-data">Intermediate packager subsetting upstream source that provides SPDX data</a>
      2. <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-does-not-provide-spdx-data">Intermediate packager subsetting upstream source that does not provide SPDX data</a>
    6. Intermediate packager chooses to distribute under one of multiple available licenses provided for by upstream (check with legal team)
    7. Intermediate packager reviews SPDX data provided by upstream.
  10. Build systems (build systems want to pass on SPDX data for the thing they are building)
    1. <a href="http://www.spdx.org/wiki/spdx-use-case-build-systems-yocto">Yocto </a>
      1. How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched.
    2. Maven [ Brian Fox ]
      1. Rolling into release artifacts things only referenced in the POM file
      2. Shading (subsetting) portions of a transitive dependency for inclusion in your artifact
    3. Continuous integration around SPDX files (fixing SPDX files for commits coming in etc).
    4. Linking
      1. <a href="http://spdx.org/wiki/debian-has-interest-only-building-things-are-linking-license-compatible">Debian has an interest in only building things that are linking license compatible</a>
        1. If a tool is consuming SPDX data to interact with heuristics.
    5. Java complications [Richard Fontana]
      1. What to do about installers that download the JDK directly from Sun.
    6. I just made a binary out of some source
      1. <a href="http://spdx.org/wiki/spdx-data-indicating-subset-source-made-it-particular-binary-or-binary-package">SPDX data indicating subset of the source that made it into a particular binary or binary package</a>
    7. Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..)
  11. Aggregator aggregating many 'copyrightable items' for redistribution
    1. <a title="Linux Distro" href="https://spdx.org/wiki/linux-distro">Linux Distros</a>
    2. <a href="http://spdx.org/wiki/embedded-images-eg-router-images-switch-images">Embedded Images (e.g. router images, switch images)</a>
    3. SDKs [Jack Manbeck]
    4. <a href="http://spdx.org/wiki/spdx-20-usecase-reference-implementations">Reference implementations </a>[Jack Manbeck]
    5. Eclipse/OSGI distributions
    6. <a href="http://spdx.org/wiki/spdx-20-usecase-application-which-ships-documentation-media-software">Application which ships with documentation + media + software</a> [Jack Manbeck]
    7. <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-contrib-libraries">Application which ships with contrib libraries</a>
    8. <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-development-tools">Application which ships with development tools</a>
    9. Receiving what appears to be commercial software but that commercial software contains Open Source
    10. Receiving what appears to be open source software but that open source software contains commercial software
    11. <a href="http://spdx.org/wiki/subsetting-out-only-shippable-bits-stuff-coming-sdk">Subsetting out only the shippable bits of stuff coming from an SDK</a>
    12. <a href="http://spdx.org/wiki/aggregators-aggregating-other-aggregations-redistribution">Aggregators aggregating other aggregations for redistribution</a>
  12. Consumers receiving SPDX data
    1. Procurement needs to view it and review it
    2. Legal department needs to review
    3. Comply with licensing when there are multiple rights holders each with licensing use under a different license
    4. <a href="http://spdx.org/wiki/provide-sufficient-data-allow-consumer-comply-licenses-redistribution">Provide sufficient data to allow consumer to comply with licenses on redistribution</a>
    5. Bradley wants to extract all rights holders for a particular file
    6. Multiple SPDX files you need to reconcile
    7. Recognizing the same SPDX data for the same code coming from multiple supply chain paths
    8. Flagging potential issues revealed by the SPDX
      1. License conflicts
      2. Listing out obligations
    9. Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations)
      1. How to capture attribution information for binaries
      2. Help with redistribution obligations
    10. Equivalence classes of binaries and tracking back to the same source and source SPDX data.
      1. Consider what to do about license metafiles
      2. COPYING files
      3. LICENSE.* files
      4. README.*
      5. Think about how to handle NOTICE files and Apache
  13. <a href="http://spdx.org/wiki/consuming-code-snippets">Consuming code snippets </a>(God help us all) (subfile pieces of code not originally intended for the project)
    1. Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file
    2. Track differently licensed snippets explicitly
    3. Handle the case where code is copied and pasted through online forums etc.
  14. Signoff/multiple signoff on SPDX data
    1. Contracts with multiple parties requiring signoff by all [Kate Stewart]
    2. Signing off on only a subset of the SPDX data (of an SPDX document in progress?)
  15. Third party does licensing analysis
    1. <a href="http://spdx.org/wiki/third-party-produces-bill-materials-software-package">Third party generates license analysis</a>
    2. Actual usage communicated
    3. Did the code that I shipped (the binaries) match the copyrightable items? i.e. be able to produce an SPDX file that applies to binary code
    4. <a href="http://spdx.org/wiki/collecting-enough-information-allow-auditor-make-recommendations-remove-or-not-component">Collecting enough information to allow auditor to make recommendations to remove or not a component</a>
    5. Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions
    6. Unaffiliated third party provides SPDX data for a project
  16. Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed
    1. outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]
      1. <a href="http://spdx.org/wiki/check-see-if-spdx-data-provided-matches-files-provided">Check to see if the SPDX data provided matches the files provided</a>
      2. Check to see if the SPDX file is internally consistent (do I have license refs to match licenses)
      3. Did the code that I shipped (the binaries) match the copyrightable items?
    2. inbound: validate that SPDX goes hand in hand with what's being brought in [Kirsten Newcomer]
      1. Check to see if the SPDX data matches the files you are shipping [Kirsten Newcomer]
      2. Check to see if the SPDX file is internally consistent (do I have license refs to match licenses)
    3. SPDX lint
    4. Incomplete SPDX data you may need to complete
    5. Asserting corrections to SPDX data provided by others further upstream
  17. Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example)
    1. e.g. knit together a bunch of 1.0 files into a 2.0...
  18. Extensions:
    1. <a href="http://spdx.org/wiki/communicate-data-beyond-what-described-spec">Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know</a>
    2. Experimental improvements to SPDX files w/o breaking consumers that are not in the know. [Peter Williams]
    3. <a href="http://spdx.org/wiki/license-list-extension">License list extensions, how do you handle folks who have more licenses than SPDX</a>
    4. <a href="http://spdx.org/wiki/decorating-already-produces-and-signed-spdx-dataset-extension-data">Decorating an already produced and signed SPDX dataset with extension data</a> [Bill Schineller]
    5. Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German]
    6. Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi]
    7. Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit]
    8. Conveying Security Vulnerability information [Jianshen O.- Huawei]
  19. Look at a 'pingback' (URL string similar for blogs) kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu]
  20. Cloud
    1. Materializing a VM and making sure it's OK from a licensing mechanism
    2. SugarCRM case, obligation by virtue of using web service interface
  21. Legal Use Cases:
    1. Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper]
    2. How are we going to handle Public Domain (not in license list... region specific...)
 

Cross-cutting concerns:

  1. Provenance (the need to optionally use signing to validate who said what)
  2. Trust
  3. Handling staleness of data
  4. Composite licensing
  5. Ease of sharing information
    1. Collecting tribal knowledge along the way 
  6. Guarding against file bloat
  7. Simple simple simple
  8. SPDX-Lite:
  9. Clarity
  10. Automation/toolifiability
  11. Regionality

Themes:

 
Looking at these Use Cases, there are some underlying themes:
  1. Root of data (closer to upstream the better)
  2. Subsetting of copyrightable things (and their SPDX data) (Note: Subsets of copyrightable things are usually also copyrightable things)
  3. Aggregation of copyrightable things (and their SPDX data) (Note: Aggregations of copyrightable things are usually also copyrightable things).