THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Use Cases/2.0/Intermediate packager builds source package from upstream source that does not provide SPDX data
From SPDX Wiki
- Title: Intermediate packager builds source package from upstream source that does not provide SPDX data
- Primary Actor: Intermediate packager (someone building a rpm, deb, etc from upstream source)
- Goal in Context: To include in the package SPDX data describing the packages licensing information for the package base even though the upstream project is not providing SPDX data.
- Stakeholders and Interests:
- Upstream maintainers:
- To communicate the licensing information for their copyrightable artifacts.
- To have their licenses respected
- Intermediate Packager:
- To communicate the licensing information for their package
- To communicate the licensing information provided by the upstream maintainer.
- To respect the licenses of the upstream maintainer
- Consumers of packages:
- To receive accurate and clear information of licensing of packages
- To be able to comply easily with licenses for packages
- To be able to trust that the package SPDX data is in alignment with the upstream maintainers license assertions.
- To be able to subset, extend, or aggregate artifacts and pass on clear authoritative verifiable license for the resulting new copyrightable artifacts.
- Upstream maintainers:
- Preconditions:
- Packager has some means to understand the licensing information from the upstream source.
- Main Success Senario: Packager communicates accurate complete licensing information for their package in an SPDX data format in the package archive.
- Failed End Condition: Package maintainer communicates inaccurate incomplete licensing information for their package.
- Trigger:
- Release of a new package
- Notes: This is a base case, it is well understood that packagers both add to the upstream source, but also subset it.