Difference between revisions of "Technical Team/Use Cases/2.0/Intermediate packager builds source package from upstream source that provides SPDX data"

<ol><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Title:</strong>&nbsp;Intermediate packager builds source package from upstream source that provides SPDX data</li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Primary Actor:</strong>&nbsp;Intermediate packager (someone building a rpm, deb, etc from upstream source)</li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Goal in Context:</strong>&nbsp;To include in the package SPDX data describing the packages licensing information for the package base upon the SPDX data provided by the upstream source in a way that allows the packager to verifiably reference the upstream packagers SPDX data.</li><li><strong style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;">Stakeholders and Interests:</strong><span style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: small;">&nbsp;</span><ol><li><strong style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;">Upstream maintainers:&nbsp;</strong><ol style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><li>To communicate the licensing information for their copyrightable artifacts. &nbsp;</li><li>To have their licenses respected</li></ol></li><li><span style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: small;"><strong>Intermediate Packager:</strong><br /></span></li><ol><li><span style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: small;">To communicate the licensing information for their package</span></li><li><span style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: small;">To communicate the licensing information provided by the upstream maintainer.</span></li><li><span style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: small;">To respect the licenses of the upstream maintainer</span></li></ol><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Consumers of upstreams copyrightable artifacts:</strong><ol><li>To receive accurate and clear information of licensing of packages</li><li>To be able to comply easily with licenses for packages</li><li>To be able to trust that the package SPDX data is in alignment with the upstream maintainers license assertions.</li><li>To be able to subset, extend, or aggregate artifacts and pass on clear authoritative verifiable license for the resulting new copyrightable artifacts.</li></ol></li></ol></li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Preconditions:</strong>&nbsp;<ol><li>Upstream maintainer has provided SPDX data</li></ol></li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Main Success Senario:</strong>&nbsp;Packager communicates accurate complete licensing information for their package in an SPDX data format in the package archive.</li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Failed End Condition:</strong>&nbsp;Package maintainer communicates inaccurate incomplete licensing information for their package.</li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Trigger:</strong><ol><li>Release of a new package</li></ol></li><li style="color: #4d4d4d; font-family: Arial, Helvetica, sans-serif; font-size: 13px;"><strong>Notes:</strong>&nbsp; This is a base case, it is well understood that packagers both add to the upstream source, but also subset it.</li></ol>