THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Use Cases/2.0/Graveyard"
From SPDX Wiki
Bschineller (Talk | contribs) |
(Convert to MediaWiki syntax) |
||
(One intermediate revision by one other user not shown) | |||
Line 1: | Line 1: | ||
− | + | We had several sources to begin pulling for SPDX Use Cases: | |
+ | |||
+ | # The Pad from earlier conversations collected at [[Technical_Team/Old/Use_Cases_Collected_during_1.x_timeframe|Use Cases For SPDX 2.0 Discussion]] | ||
+ | # The old [[Technical_Team/Old/Sandbox_for_Sharing_Examples/SPDX_Use_Case_1|SPDX 1.0 Use Cases]] as well as the [[:File:ecosystem.jpg|SDPX 1.0 Use Case Picture]]. | ||
+ | # Soliciting use cases in 2012 (especially at Linux Collab Summit in April) | ||
+ | |||
+ | '''NOTE''': On May 29, 2012, we removed use cases which were not yet fleshed out. A snapshot of 'all' the use cases was saved in child page SPDX 2.0 Use Cases Graveyard. The process followed was to flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note, these use cases should be *'''doable'''* but in general not *'''required'''*. Any item listed here that is not a link, should have a child page created for it. | ||
+ | |||
+ | # Code commits (original work intended for the project) | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Committers_provides_SPDX_data_for_a_code_being_committed|Committer provides SPDX data]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Contributor_makes_commit_subject_to_existing_SPDX_data_of_project|Contributor makes commit subject to existing SPDX data of project]] | ||
+ | ## Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license | ||
+ | # [[Technical_Team/Use_Cases/2.0/Committer_annotates_source_files_with_SPDX_data|Committer annotates source files with SPDX data]] | ||
+ | # Patches (original work intended for the project) | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Patch_provider_provides_SPDX_data_for_the_patch|Patch provider provides SPDX data for the patch]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Patch_provider_provides_SPDX_data_for_the_patch_indicating_it_is_licensed_however_the_hell_its_applied|Patch provider provides SPDX data for the patch indicating it is licensed however the hell its applied]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Patch_provider_provides_patch_subject_to_existing_SPDX_data_of_project|Patch provider provides patch subject to existing SPDX data of project]] | ||
+ | # Patch provider provides a patch that modifies existing SPDX data of project | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Downstream_consumers_contributing_patches_to_provide_SPDX_data_to_an_upstream_that_doesnt_have_it|Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Downstream_consumers_contributing_patches_to_provide_corrections_to_SPDX_data_for_an_upstream_that_does_have_it|Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it.]] | ||
+ | # [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data|Upstream maintainer providing SPDX data]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data_in_source_archive|Upstream maintainer providing SPDX data in source archive]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data_in_SCM|Upstream maintainer providing SPDX data in SCM]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Upstream_maintainer_providing_SPDX_data_at_a_URL|Upstream maintainer providing SPDX data at a URL]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Downstream_consumers_contributing_patches_to_provide_SPDX_data_to_an_upstream_that_doesnt_have_it|Upstream maintainer preparing release artifacts (including SPDX data).]] | ||
+ | ## Intended usage communicated by the auditee (how/will the audited item get included in delivered/deployed bits) [Bill Schineller]] | ||
+ | # Project maintainer incorporates another project | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Project_maintainer_incorporates_another_project_by_including_source|Project maintainer incorporates another project by including source]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Project_maintainer_incorporates_another_project_by_including_binary|Project maintainer incorporates another project by including binary]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Project_maintainer_pulling_individual_files_out_of_another_project_(subsetting)|Project maintainer pulling individual files out of another project (subsetting)]] | ||
+ | # Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases) | ||
+ | ## by static reference (the referenced library is included with a redistribution) | ||
+ | ## by dynamic reference (express runtime dependency on the external library, but not redistributing it) | ||
+ | ## Maven case | ||
+ | # SPDX-Lite: | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Low_cost_SPDX_file|Allow a low investment SPDX producer to produce valid SPDX data]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Producing_valid_SPDX_files_in_the_face_of_missing_data|Produce a valid SPDX dataset even if some data is missing]] | ||
+ | # Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data | ||
+ | ## Intermediate packager builds source package from upstream source | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_source_package_from_upstream_source_that_provides_SPDX_data|Intermediate packager builds source package from upstream source that provides SPDX data]] | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_source_package_from_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager builds source package from upstream source that does not provide SPDX data]] | ||
+ | ## Intermediate packager builds binary package from upstream source | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_binary_package_from_upstream_source_that_provides_SPDX_data|Intermediate packager builds binary package from upstream source that provides SPDX data]] | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_builds_binary_package_from_upstream_source_that_does_not_provides_SPDX_data|Intermediate packager builds binary package from upstream source that does not provides SPDX data]] | ||
+ | ## Intermediate packager adds patches to upstream source | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_patches_to_upstream_source_that_provides_SPDX_data|Intermediate packager adds patches to upstream source that provides SPDX data]] | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_patches_to_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager adds patches to upstream source that does not provide SPDX data]] | ||
+ | ## Intermediate packager adds someone else's patches to upstream source | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_someone_elses_patches_to_upstream_source_that_provides_SPDX_data|Intermediate packager adds someone else's patches to upstream source that provides SPDX data]] | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_adds_someone_elses_patches_to_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data]] | ||
+ | ## Intermediate packager subsetting upstream source | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_subsetting_upstream_source_that_provides_SPDX_data|Intermediate packager subsetting upstream source that provides SPDX data]] | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Intermediate_packager_subsetting_upstream_source_that_does_not_provide_SPDX_data|Intermediate packager subsetting upstream source that does not provide SPDX data]] | ||
+ | ## Intermediate packager chooses to distribute one of multiple available under licenses provided for by upstream (check with legal team) | ||
+ | ## Intermediate packager reviews SPDX data provided by upstream. | ||
+ | # Build systems (build systems want to pass on SPDX data for the thing they are building) | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Build_System_Yocto|Yocto]] | ||
+ | ### How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched. | ||
+ | ## Maven [Brian Fox] | ||
+ | ### Rolling into release artifacts things only referenced in the POM file | ||
+ | ### Shading (subsetting) portions of a transitive dependency for inclusion in your artifact | ||
+ | ## Continuous integration around SPDX files (fixing SPDX files for commits coming in etc). | ||
+ | ## Linking | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Debian_has_an_interest_in_only_building_things_that_are_linking_license_compatible|Debian has an interest in only building things that are linking license compatible]] | ||
+ | #### If a tool is consuming SPDX data to interact with heuristics. | ||
+ | ## Java complications [Richard Fontana]] | ||
+ | ### What to do about installers that download JDK directly from sun. | ||
+ | ## I just made a binary out of some source | ||
+ | ### [[Technical_Team/Use_Cases/2.0/SPDX_data_indicating_subset_of_the_source_that_made_it_into_a_particular_binary_or_binary_package|SPDX data indicating subset of the source that made it into a particular binary or binary package]] | ||
+ | ## Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..) | ||
+ | # Aggregator aggregating many 'copyrightable items' for redistribution | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Linux_Distros|Linux Distros]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Embedded_Images_(e.g._router_images,_switch_images)|Embedded Images (e.g. router images, switch images)]] | ||
+ | ## SDKs [Jack Manbeck] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Reference_Implementations|Reference implementations] [Jack Manbeck] | ||
+ | ## Eclipse/OSGI distributions | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Application_which_ships_with_documentation_and_media_and_software|Application which ships with documentation + media + software]] [Jack Manbeck] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Application_which_ships_with_a_contrib_libraries|Application which ships with a contrib libraries]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Application_which_ships_with_development_tools|Application which ships with development tools]] | ||
+ | ## Receiving what appears to be commercial software but that commercial software contains Open Source | ||
+ | ## Receiving what appears to be opensource software but that opensource software contains commercial software | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Subsetting_out_only_the_shippable_bits_of_stuff_coming_from_an_SDK|Subsetting out only the shippable bits of stuff coming from an SDK]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Aggregators_aggregating_other_aggregations_for_redistribution|Aggregators aggregating other aggregations for redistribution]] | ||
+ | # Consumers receiving SPDX data | ||
+ | ## Procurement needs to view it and review it | ||
+ | ## Legal department needs to review | ||
+ | ## Comply with licensing when there are multiple rights holders each with licensing use under a different license | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Provide_sufficient_data_to_allow_consumer_to_comply_with_licenses_on_redistribution|Provide sufficient data to allow consumer to comply with licenses on redistribution]] | ||
+ | ## Bradley want to extract all rights holders for a particular file | ||
+ | ## Multiple SPDX files you need to reconcile | ||
+ | ## Recognizing the same SPDX data for the same code coming from multiple supply chain paths | ||
+ | ## Flagging potential issues revealed by the SPDX | ||
+ | ### License conflicts | ||
+ | ### Listing out obligations | ||
+ | ## Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations) | ||
+ | ### How to capture attribution information for binaries | ||
+ | ### Help with redistribution obligations | ||
+ | ## Equivalence classes of binaries and tracking back to the same source and source SPDX data. | ||
+ | ### Consider what to do about license metafiles | ||
+ | ### COPYING files | ||
+ | ### LICENSE.* files | ||
+ | ### README.* | ||
+ | ### Think about how to handle NOTICE files and Apache | ||
+ | # [[Technical_Team/Use_Cases/2.0/Consuming_code_snippets|Consuming code snippets]] (God help us all) (subfile pieces of code not originally intended for the project) | ||
+ | ## Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file | ||
+ | ## Track differently licensed snippets explicitly | ||
+ | ## Handle the case where code is copied and pasted through online forums etc. | ||
+ | # Signoff/multiple signoff on SPDX data | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Contracts_with_multiple_parties_requiring_signoff_by_all|Contracts with multiple parties requiring signoff by all]] [Kate Stewart] | ||
+ | ## Signing off on only a subset of the SPDX data (of an SPDX document in progress?) | ||
+ | # Third party does licensing analysis | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Third_party_produces_bill_of_materials_for_software_package|Third party generates license analysis]] | ||
+ | ## Actual usage communicated | ||
+ | ## Did the code that I shipped (the binaries) match the copyrightable items? i.e. be able to produce an SPDX file that applies to binary code | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Collecting_enough_information_to_allow_auditor_to_make_recommendations_to_remove_or_not_a_component|Collecting enough information to allow auditor to make recommendations to remove or not a component]] | ||
+ | ## Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions | ||
+ | ## Unaffiliated third party provides SPDX data for a project | ||
+ | # Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Backtrack_from_binary_to_source_files|Backtrack from compiled/binary file to constituent files]] | ||
+ | ## outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer] | ||
+ | ### [[Technical_Team/Use_Cases/2.0/Check_to_see_if_the_SPDX_data_provided_matches_the_files_provided_and_is_trustworthy_and_most_current_for_package|Check to see if the SPDX data provided matches the files provided]] | ||
+ | ### Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses) | ||
+ | ### Did the code that I shipped (the binaries) match the copyrightable items. | ||
+ | ## inbound: validate that SPDX goes hand in hand with what's being brought in [Kirsten Newcomer] | ||
+ | ### Chcek to see if the SPDX data matches the files you are shipping [Kirsten Newcomer] | ||
+ | ### Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses) | ||
+ | ## SPDX lint | ||
+ | ## Incomplete SPDX data you may need to complete | ||
+ | ## Asserting corrections to SPDX data provided by others further upstream | ||
+ | # Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example) | ||
+ | ## e.g. knit together a bunch of 1.0 files into a 2.0... | ||
+ | # Extensions: | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Communicate_data_beyond_what_is_described_in_spec|Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know]] | ||
+ | ## Experimental improvements to SDPX files w/o breaking consumers that are not in the know. [Peter Williams] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/License_list_extension|License list extensions, how do you handle folks who have more licenses than SPDX]] | ||
+ | ## [[Technical_Team/Use_Cases/2.0/Decorating_an_already_produces_and_signed_SPDX_dataset_with_extension_data|Decorating an already produces and signed SPDX dataset with extension data]] [Bill Schineller] | ||
+ | ## Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German] | ||
+ | ## Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi] | ||
+ | ## Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit] | ||
+ | ## Conveying Security Vulnerability information [Jianshen O.- Huawei] | ||
+ | # Look at a 'pingback' (URL string similar for blogs)kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu] | ||
+ | # Cloud | ||
+ | ## Materializing a VM and making sure it's OK from a licensing mechanism | ||
+ | ## SugarCRM case, obligation by virtue of using web service interface | ||
+ | # Legal Use Cases: | ||
+ | ## Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper] | ||
+ | ## How are we going to handle Public Domain (not in license list... region specific...) | ||
+ | |||
+ | ==Cross-cutting concerns== | ||
+ | |||
+ | # Provenance (the need to optionally use signing to validate who said what) | ||
+ | # Trust | ||
+ | # Handling staleness of data | ||
+ | # Composite licensing | ||
+ | # Ease of sharing information | ||
+ | ## Collecting tribal knowledge along the way | ||
+ | # Guarding against file bloat | ||
+ | # Simple simple simple | ||
+ | # SPDX-Lite: | ||
+ | # Clarity | ||
+ | # Automation/toolifiability | ||
+ | # Regionality | ||
+ | |||
+ | ==Themes:== | ||
+ | |||
+ | Looking at these Use Cases, there are some underlying themes: | ||
+ | |||
+ | # Root of data (closer to upstream the better) | ||
+ | # Subsetting of copyrightable things (and their SPDX data) ('''Note''': Subsets of copyrightable things are usually also copyrightable things) | ||
+ | # Aggregation of copyrightable things (and their SPDX data) ('''Note''': Aggregations of copyrightable things are usually also copyrightable things). | ||
+ | |||
+ | [[Category:Technical]] | ||
+ | [[Category:Archived]] |
Latest revision as of 18:42, 10 April 2013
We had several sources to begin pulling for SPDX Use Cases:
- The Pad from earlier conversations collected at Use Cases For SPDX 2.0 Discussion
- The old SPDX 1.0 Use Cases as well as the SDPX 1.0 Use Case Picture.
- Soliciting use cases in 2012 (especially at Linux Collab Summit in April)
NOTE: On May 29, 2012, we removed use cases which were not yet fleshed out. A snapshot of 'all' the use cases was saved in child page SPDX 2.0 Use Cases Graveyard. The process followed was to flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note, these use cases should be *doable* but in general not *required*. Any item listed here that is not a link, should have a child page created for it.
- Code commits (original work intended for the project)
- Committer provides SPDX data
- Contributor makes commit subject to existing SPDX data of project
- Contributor makes commit subject to existing SPDX data of a dual licensed project and selects one license
- Committer annotates source files with SPDX data
- Patches (original work intended for the project)
- Patch provider provides a patch that modifies existing SPDX data of project
- Upstream maintainer providing SPDX data
- Upstream maintainer providing SPDX data in source archive
- Upstream maintainer providing SPDX data in SCM
- Upstream maintainer providing SPDX data at a URL
- Upstream maintainer preparing release artifacts (including SPDX data).
- Intended usage communicated by the auditee (how/will the audited item get included in delivered/deployed bits) [Bill Schineller]]
- Project maintainer incorporates another project
- Project maintainer incorporates another copyrightable artifact by reference (think maven, possibly linking cases)
- by static reference (the referenced library is included with a redistribution)
- by dynamic reference (express runtime dependency on the external library, but not redistributing it)
- Maven case
- SPDX-Lite:
- Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data
- Intermediate packager builds source package from upstream source
- Intermediate packager builds binary package from upstream source
- Intermediate packager adds patches to upstream source
- Intermediate packager adds someone else's patches to upstream source
- Intermediate packager subsetting upstream source
- Intermediate packager chooses to distribute one of multiple available under licenses provided for by upstream (check with legal team)
- Intermediate packager reviews SPDX data provided by upstream.
- Build systems (build systems want to pass on SPDX data for the thing they are building)
- Yocto
- How does SPDX work in an environment where the sources aren't there, but are pulled from git or a mirror and patched.
- Maven [Brian Fox]
- Rolling into release artifacts things only referenced in the POM file
- Shading (subsetting) portions of a transitive dependency for inclusion in your artifact
- Continuous integration around SPDX files (fixing SPDX files for commits coming in etc).
- Linking
- Debian has an interest in only building things that are linking license compatible
- If a tool is consuming SPDX data to interact with heuristics.
- Debian has an interest in only building things that are linking license compatible
- Java complications [Richard Fontana]]
- What to do about installers that download JDK directly from sun.
- I just made a binary out of some source
- Tool used to produce software infecting distribution license of the software itself [Kevin Fleming] (e.g. code-generator? Bison? ..)
- Yocto
- Aggregator aggregating many 'copyrightable items' for redistribution
- Linux Distros
- Embedded Images (e.g. router images, switch images)
- SDKs [Jack Manbeck]
- [[Technical_Team/Use_Cases/2.0/Reference_Implementations|Reference implementations] [Jack Manbeck]
- Eclipse/OSGI distributions
- Application which ships with documentation + media + software [Jack Manbeck]
- Application which ships with a contrib libraries
- Application which ships with development tools
- Receiving what appears to be commercial software but that commercial software contains Open Source
- Receiving what appears to be opensource software but that opensource software contains commercial software
- Subsetting out only the shippable bits of stuff coming from an SDK
- Aggregators aggregating other aggregations for redistribution
- Consumers receiving SPDX data
- Procurement needs to view it and review it
- Legal department needs to review
- Comply with licensing when there are multiple rights holders each with licensing use under a different license
- Provide sufficient data to allow consumer to comply with licenses on redistribution
- Bradley want to extract all rights holders for a particular file
- Multiple SPDX files you need to reconcile
- Recognizing the same SPDX data for the same code coming from multiple supply chain paths
- Flagging potential issues revealed by the SPDX
- License conflicts
- Listing out obligations
- Helping to meet the obligations of the licenses (Given that I receive an SPDX file, does the info in SPDX file allow me to extract what I need to meet basic kinds of obligations)
- How to capture attribution information for binaries
- Help with redistribution obligations
- Equivalence classes of binaries and tracking back to the same source and source SPDX data.
- Consider what to do about license metafiles
- COPYING files
- LICENSE.* files
- README.*
- Think about how to handle NOTICE files and Apache
- Consuming code snippets (God help us all) (subfile pieces of code not originally intended for the project)
- Make sure that the license and copyright information for a snippet is reflected in the SPDX data for the file
- Track differently licensed snippets explicitly
- Handle the case where code is copied and pasted through online forums etc.
- Signoff/multiple signoff on SPDX data
- Contracts with multiple parties requiring signoff by all [Kate Stewart]
- Signing off on only a subset of the SPDX data (of an SPDX document in progress?)
- Third party does licensing analysis
- Third party generates license analysis
- Actual usage communicated
- Did the code that I shipped (the binaries) match the copyrightable items? i.e. be able to produce an SPDX file that applies to binary code
- Collecting enough information to allow auditor to make recommendations to remove or not a component
- Tooling to assist with copyright (change copyright date and list of contributors/copyright holders, even as license and most of code remains unchanged) for changes between versions
- Unaffiliated third party provides SPDX data for a project
- Auditor Analyzing/Sanity-checking/correcting Bill of Material he's handed
- Backtrack from compiled/binary file to constituent files
- outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]
- Check to see if the SPDX data provided matches the files provided
- Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)
- Did the code that I shipped (the binaries) match the copyrightable items.
- inbound: validate that SPDX goes hand in hand with what's being brought in [Kirsten Newcomer]
- Chcek to see if the SPDX data matches the files you are shipping [Kirsten Newcomer]
- Check to see if the SPDX file is internally consistent (do I have a license refs to match licenses)
- SPDX lint
- Incomplete SPDX data you may need to complete
- Asserting corrections to SPDX data provided by others further upstream
- Migrating from one version of the SPDX spec to another (moving a file from SPDX 1.0 to 2.0 for example)
- e.g. knit together a bunch of 1.0 files into a 2.0...
- Extensions:
- Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know
- Experimental improvements to SDPX files w/o breaking consumers that are not in the know. [Peter Williams]
- License list extensions, how do you handle folks who have more licenses than SPDX
- Decorating an already produces and signed SPDX dataset with extension data [Bill Schineller]
- Recording per ExtractedLicenseText a comment detailing exactly which pattern matching technique / string found that Extracted License Text (so that SPDX file doesn't need to repeat in every matched File instance) [D. M. German]
- Recording free-form tribal knowledge about a file which is not otherwise visible in the text of the file itself (e.g. commit history from git repo, origin information such as scanning against a knowledge base of open source could provide) [Mark Gisi]
- Conveying Encryption content (Export Control implications) of a package/file in a package [someone at collab summit]
- Conveying Security Vulnerability information [Jianshen O.- Huawei]
- Look at a 'pingback' (URL string similar for blogs)kind of mechanism for original providers of SPDX (to allow them to figure out where it's used) [Andrew Hsu]
- Cloud
- Materializing a VM and making sure it's OK from a licensing mechanism
- SugarCRM case, obligation by virtue of using web service interface
- Legal Use Cases:
- Allow the NDA status of an SPDX document to be communicated in a machine readable way (not just a comment) for organizations that don't want the SPDX document to be publicly released [Mark Baushke from Juniper]
- How are we going to handle Public Domain (not in license list... region specific...)
Cross-cutting concerns
- Provenance (the need to optionally use signing to validate who said what)
- Trust
- Handling staleness of data
- Composite licensing
- Ease of sharing information
- Collecting tribal knowledge along the way
- Guarding against file bloat
- Simple simple simple
- SPDX-Lite:
- Clarity
- Automation/toolifiability
- Regionality
Themes:
Looking at these Use Cases, there are some underlying themes:
- Root of data (closer to upstream the better)
- Subsetting of copyrightable things (and their SPDX data) (Note: Subsets of copyrightable things are usually also copyrightable things)
- Aggregation of copyrightable things (and their SPDX data) (Note: Aggregations of copyrightable things are usually also copyrightable things).