THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Use Cases/2.0
From SPDX Wiki
We have several sources to begin pulling for SPDX Use Cases:
- The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a>
- The old <a href="https://fossbazaar.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a> as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SDPX 1.0 Use Case Picture</a>.
I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note, these use cases should be *doable* but in general not *required*. Any item listed here that is not a link, should have a child page created for it.
- <a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a>
- <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Upstream maintainer providing SPDX data in source archive</a>
- <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-scm">Upstream maintainer providing SPDX data in SCM</a>
- Upstream maintainer consuming another project
- Upstream maintainer including another project by including source
- Upstream maintainer including another project by reference (think maven, possibly linking cases)
- by static reference (the referenced library is included with a redistribution)
- by dynamic reference (express runtime dependency on the external library, but not redistributing it)
- Upstream maintainer pulling individual files out of another project (subsetting)
- Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data
- Intermediate packager builds source package from upstream source
- <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Intermediate packager builds source package from upstream source that provides SPDX data</a>
- Intermediate packager builds source package from upstream source that does not provide SPDX data
- Intermediate packager builds binary package from upstream source
- <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-provides-spdx-data">Intermediate packager builds binary package from upstream source that provides SPDX data</a>
- Intermediate packager builds binary package from upstream source that does not provides SPDX data
- Intermediate packager adds patches to upstream source
- Intermediate packager subsetting upstream source
- <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-provides-spdx-data">Intermediate packager subsetting upstream source that provides SPDX data</a>
- Intermediate packager subsetting upstream source that does not provide SPDX data
- Yocto [Jack Manbeck]
- Aggregator aggregating many 'copyrightable items' for redistribution
- Linux Distros [Kate Stewart]
- Embedded Images
- SDKs
- <a href="http://spdx.org/wiki/spdx-20-usecase-reference-implementations">Reference implementations </a>[Jack Manbeck]
- Eclipse/OSGI distributions
- <a href="http://spdx.org/wiki/spdx-20-usecase-application-which-ships-documentation-media-software">Application which ships with documentation + media + software</a> [Jack Manbeck]
- <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-contrib-libraries">Application which ships with a contrib libraries</a> [Gary O'Neall]
- <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-development-tools">Application which ships with development tools</a> [Gary O'Neall]
- Aggregators aggregating other aggergations for redistribution
- Asserting corrections to SPDX data provided by others further upstream
- Committers providing, or assenting to SPDX data
- Committers annotating source files with SPDX info
- Consumers receiving SPDX data
- Signoff/multiple signoff on SPDX data
- Contracts with multiple parties requiring signoff by all [Kate Stewart]
- Auditor scenario: given big pile of 'copyrightable items', creating Bill of Materials [Peter Williams]
- Sanity-checking Bill of Material
- outbound: validate that SPDX goes hand in hand with what's being shipped [Kirsten Newcomer]
- inbound: validate that SPDX goes hand in hand with what's being brought in
- Java complications [Richard Fontana]
Cross-cutting concerns:
- Provenance (the need to optionally use signing to validate who said what)
- Handling staleness of data
- Expressing applicable licensing as a function of Usage [Bill Schineller]
- Permissive licensed thing becomes restrictive as function of packaging (e.g. BSD file included in GPL becomes GPL)
Themes:
Looking at these Use Cases, there are some underlying themes:
- Root of data (closer to upstream the better)
- Subsetting of copyrightable things (and their SPDX data) (Note: Subsets of copyrightable things are usually also copyrightable things)
- Aggregation of copyrightable things (and their SPDX data) (Note: Aggregations of copyrightable things are usually also copyrightable things).