THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Use Cases/2.0/Downstream consumers contributing patches to provide SPDX data to an upstream that doesnt have it
From SPDX Wiki
- Title: Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it.
- Primary Actor: Downstream consumer
- Goal in Context: The downstream consumer would like to provide SPDX data to an upstream that doesn't have it such that upstream will accept it as representing their licensing and incorporate it into their source base.
- Preconditions:
- Downstream consumer has analyzed upstream and assembled SPDX data matching what can be discovered about it.
- Downstreams analysis is acceptable to upstream.
- Stakeholders and Interests:
- Downstream Consumer providing patch:
- To move their analysis of the licensing information of the software into the upstream so that it can be shared from the root of the software
- To gain legitimacy for their analysis by its acceptance by upstream.
- Upstream maintainers:
- To be able to document the license information for their project.
- To have their licenses respected
- Third party patch appliers (think Yocto):
- To be able to know whether or not they have licensing issues when they apply a patch to upstream.
- Consumers of upstream source:
- To receive accurate and clear information of licensing of upstream source
- To be able to comply easily with licenses for upstream source
- To be able to subset, extend, or aggregate artifacts and pass on clear authoritative verifiable license for the resulting new copyrightable artifacts.
- Downstream Consumer providing patch:
- Main Success Senario: Patch supplier communicates that their patch is licensed matching the SPDX data specified for the project.
- Failed End Condition: Patch supplier doesn't communicates inaccurate incomplete licensing information for their patch.
- Trigger:
- Creation of a patch