THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Use Cases/2.0/Backtrack from binary to source files"
From SPDX Wiki
Latest revision as of 13:23, 7 March 2013
As an auditor, in order to be certain that the licensing and provenance information regarding a binary, or compiled, file is correct, I want a manifest of the files used to create it.
Stakeholders and interests
- Auditor: The person or organization performing an audit on the licensing and provenance information of a package.
- Project maintainer: The person or organization which maintains the open source software in question.
- Developer: The person or organization using the software package provided by the Project maintainer.
Main Scenario
1. Project maintainer builds binary files, keeping track of which source files are included in each binary.
2. Project maintainer publishes the package with an SPDX document that provides references to every source file used to create each compiled file in the package.
3. Developer downloads the binary/compiled package from the Project maintainer.
4. Developer requests an audit of the code base before shipping.
5. Auditor wants to verify that the provided licensing and provenance information for the compiled files is actually what the provided SPDX file claims.
6. Auditor uses the "built from" file list for the compiled file to narrow the analysis to particular files and specific versions of those files.
7. Auditor performs deep analysis to ensure that the licensing and provenance of the files are indeed as claimed.
8. Auditor provides a clean bill of health.
Alternate Scenario A
1. Project maintainer builds binary files, keeping track of which source files are included in each binary.
2. Project maintainer publishes the package with an SPDX document that provides references to every source file used to create each compiled file in the package.
3. Developer downloads the binary/compiled package from the Project maintainer.
4. Developer requests an audit of the code base before shipping.
5. Auditor wants to verify that the provided licensing and provenance information for the compiled files is actually what the provided SPDX file claims.
6. Auditor uses the "built from" package list for the compiled file to narrow the analysis to particular packages and specific versions of those packages.
7. Auditor performs deep analysis to ensure that the licensing and provenance of the files are indeed as claimed.
8. Auditor provides a clean bill of health.
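The backtracking that steps 1, 2 and 6 of both scenarios rely on, as an added example that is not SPDX's own tooling: a minimal parser for a constructed SPDX 2.0 tag/value excerpt, the "built from" manifest derived from its GENERATED_FROM relationships, and the checksum check an auditor runs against the local sources before the deep analysis of step 7 (one stale checksum is planted so the mismatch case shows). The document, file contents, paths and SPDXIDs are all constructed; the package-level variant of Alternate Scenario A would follow the same relationships to package records instead of file records.

```python
import hashlib

# Constructed source tree as the auditor has it on disk (path -> bytes); not real code.
SOURCE_TREE = {"./src/main.c": b"int main(void){return util();}\n",
               "./src/util.c": b"int util(void){return 0;}\n"}
# Constructed SPDX 2.0 tag/value excerpt: one compiled file built from two sources
# (GENERATED_FROM). util.c's checksum is deliberately stale to show a mismatch.
SPDX_DOC = f"""\
FileName: ./bin/hello
SPDXID: SPDXRef-bin-hello
FileName: ./src/main.c
SPDXID: SPDXRef-src-main
FileChecksum: SHA1: {hashlib.sha1(SOURCE_TREE['./src/main.c']).hexdigest()}
LicenseConcluded: MIT
FileName: ./src/util.c
SPDXID: SPDXRef-src-util
FileChecksum: SHA1: {'0' * 40}
LicenseConcluded: BSD-3-Clause
Relationship: SPDXRef-bin-hello GENERATED_FROM SPDXRef-src-main
Relationship: SPDXRef-bin-hello GENERATED_FROM SPDXRef-src-util
"""

def parse_tag_value(doc: str):
    """Return (file records keyed by SPDXID, list of (a, type, b) relationships)."""
    files, rels, cur = {}, [], None
    for line in doc.splitlines():
        tag, sep, value = line.partition(": ")
        if tag == "FileName":           # a FileName tag opens a new file record
            cur = {"FileName": value}
        elif tag == "Relationship":
            rels.append(tuple(value.split()))
        elif tag == "SPDXID":
            files[value] = cur
        elif sep:                       # any other tag (checksum, license, ...)
            cur[tag] = value
    return files, rels

def sources_of(binary_id: str, files, rels):
    """The "built from" manifest: every file record the binary is GENERATED_FROM."""
    return [files[b] for a, r, b in rels if a == binary_id and r == "GENERATED_FROM"]

def verify_manifest(binary_id: str, doc: str, tree):
    """Map each manifest path to 'ok', 'checksum-mismatch' or 'missing'."""
    files, rels = parse_tag_value(doc)
    status = {}
    for src in sources_of(binary_id, files, rels):
        path, want = src["FileName"], src.get("FileChecksum")   # "SHA1: <hex>"
        have = "SHA1: " + hashlib.sha1(tree[path]).hexdigest() if path in tree else None
        status[path] = "missing" if have is None else "ok" if have == want else "checksum-mismatch"
    return status
```

A real audit would run the same check over every compiled file in the package and treat any entry other than "ok" as a reason to fall back to full analysis rather than a narrowed one.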
NOTES: on 2012-10-02, having difficulty understanding the distinction between Main Scenario and Alternate A. Versions of files vs. versions of packages? (step 6)