THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Technical Team/Use Cases/2.0
From SPDX Wiki
We have several sources to begin pulling for SPDX Use Cases:
- The Pad from earlier conversations collected at <a href="http://spdx.org/wiki/use-cases-collected-20-discussion">Use Cases For SPDX 2.0 Discussion</a>
- The old <a href="http://spdx.org/wiki/spdx-use-case-1">SPDX 1.0 Use Cases</a> as well as the <a href="http://spdx.org/system/files/ecosystem.jpg">SPDX 1.0 Use Case Picture</a>.
I'd like to propose that we flesh out use cases here by listing a brief summary of each as a link to a more detailed child page. Note: these use cases should be *doable* but in general not *required*. Any item listed here that is not a link should have a child page created for it.
- Code commits (original work intended for the project)
  - <a href="http://spdx.org/wiki/committers-provides-spdx-data-code-being-committed">Committer provides SPDX data</a> [OK]
  - <a href="http://spdx.org/wiki/contributor-makes-commit-subject-existing-spdx-data-project">Contributor makes commit subject to existing SPDX data of project</a> [OK]
  - <a href="http://spdx.org/wiki/committer-annotates-source-files-spdx-data">Committer annotates source files with SPDX data</a> [OK]
- Patches (original work intended for the project)
  - <a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch">Patch provider provides SPDX data for the patch</a> [OK]
  - <a href="http://spdx.org/wiki/patch-provider-provides-spdx-data-patch-indicating-it-licensed-however-hell-its-applied">Patch provider provides SPDX data for the patch indicating it is licensed however the hell it's applied</a> [OK]
  - <a href="http://spdx.org/wiki/patch-provider-provides-patch-subject-existing-spdx-data-project">Patch provider provides patch subject to existing SPDX data of project</a> [OK]
  - Patch provider provides a patch that modifies existing SPDX data of project
  - <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-spdx-data-upstream-doesnt-have-it">Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it</a> [OK]
  - <a href="http://spdx.org/wiki/downstream-consumers-contributing-patches-provide-corrections-spdx-data-upstream-does-have-it">Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it</a> [OK]
- <a href="http://spdx.org/wiki/spdx-20-usecase-upstream-maintainer-providing-spdx-data">Upstream maintainer providing SPDX data</a>
  - <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-source-archive">Upstream maintainer providing SPDX data in source archive</a> [OK]
  - <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-scm">Upstream maintainer providing SPDX data in SCM</a> [OK]
  - <a href="http://spdx.org/wiki/upstream-maintainer-providing-spdx-data-url">Upstream maintainer providing SPDX data at a URL</a> [OK]
  - <a href="http://spdx.org/wiki/upstream-maintainer-preparing-release-artifacts-including-spdx-data">Upstream maintainer preparing release artifacts (including SPDX data)</a> [OK]
- Project maintainer incorporates another project
  - <a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-source">Project maintainer incorporates another project by including source</a> [OK]
  - <a href="http://spdx.org/wiki/project-maintainer-incorporates-another-project-including-binary">Project maintainer incorporates another project by including binary</a> [OK]
  - <a href="http://spdx.org/wiki/project-maintainer-pulling-individual-files-out-another-project-subsetting">Project maintainer pulling individual files out of another project (subsetting)</a> [OK]
- Ease adoption
  - <a href="http://spdx.org/wiki/low-cost-spdx-file">Allow a low investment SPDX producer to produce valid SPDX data</a> [OK-fathomed but not Approved for Implementation]
  - <a href="http://spdx.org/wiki/producing-valid-spdx-files-face-missing-data">Produce a valid SPDX dataset even if some data is missing</a> [OK]
- Intermediate packager (rpm, deb, etc.) passing on and adding to SPDX data
  - Intermediate packager builds source package from upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-provides-spdx-data">Intermediate packager builds source package from upstream source that provides SPDX data</a> [OK]
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-source-package-upstream-source-does-not-provide-spdx-data">Intermediate packager builds source package from upstream source that does not provide SPDX data</a> [OK]
  - Intermediate packager builds binary package from upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-provides-spdx-data">Intermediate packager builds binary package from upstream source that provides SPDX data</a> [OK]
    - <a href="http://spdx.org/wiki/intermediate-packager-builds-binary-package-upstream-source-does-not-provides-spdx-data">Intermediate packager builds binary package from upstream source that does not provide SPDX data</a> [OK]
  - Intermediate packager adds patches to upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-provides-spdx-data">Intermediate packager adds patches to upstream source that provides SPDX data</a> [OK]
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds patches to upstream source that does not provide SPDX data</a> [OK]
  - Intermediate packager adds someone else's patches to upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-provides-spdx-data">Intermediate packager adds someone else's patches to upstream source that provides SPDX data</a> [OK]
    - <a href="http://spdx.org/wiki/intermediate-packager-adds-someone-elses-patches-upstream-source-does-not-provide-spdx-data">Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data</a> [OK]
  - Intermediate packager subsetting upstream source
    - <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-provides-spdx-data">Intermediate packager subsetting upstream source that provides SPDX data</a> [OK]
    - <a href="http://spdx.org/wiki/intermediate-packager-subsetting-upstream-source-does-not-provide-spdx-data">Intermediate packager subsetting upstream source that does not provide SPDX data</a> [OK]
- Build systems (build systems want to pass on SPDX data for the thing they are building)
  - <a href="http://www.spdx.org/wiki/spdx-use-case-build-systems-yocto">Yocto</a> [OK]
- Linking
  - <a href="http://spdx.org/wiki/debian-has-interest-only-building-things-are-linking-license-compatible">Debian has an interest in only building things that are linking license compatible</a> [OK]
- I just made a binary out of some source
  - <a href="http://spdx.org/wiki/spdx-data-indicating-subset-source-made-it-particular-binary-or-binary-package">SPDX data indicating subset of the source that made it into a particular binary or binary package</a> [OK]
- Aggregator aggregating many 'copyrightable items' for redistribution
  - <a title="Linux Distro" href="https://spdx.org/wiki/linux-distro">Linux Distros</a> [OK]
  - <a href="http://spdx.org/wiki/embedded-images-eg-router-images-switch-images">Embedded Images (e.g. router images, switch images)</a> [OK]
  - <a href="http://spdx.org/wiki/spdx-20-usecase-reference-implementations">Reference implementations</a> [OK]
  - <a href="http://spdx.org/wiki/spdx-20-usecase-application-which-ships-documentation-media-software">Application which ships with documentation + media + software</a> [OK]
  - <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-contrib-libraries">Application which ships with contrib libraries</a> [OK]
  - <a title="Use case details" href="http://spdx.org/wiki/application-which-ships-development-tools">Application which ships with development tools</a> [OK]
  - <a href="http://spdx.org/wiki/subsetting-out-only-shippable-bits-stuff-coming-sdk">Subsetting out only the shippable bits of stuff coming from an SDK</a> [OK]
  - <a href="http://spdx.org/wiki/aggregators-aggregating-other-aggregations-redistribution">Aggregators aggregating other aggregations for redistribution</a> [OK]
- Consumers receiving SPDX data
  - <a href="http://spdx.org/wiki/provide-sufficient-data-allow-consumer-comply-licenses-redistribution">Provide sufficient data to allow consumer to comply with licenses on redistribution</a> (Alcatel-Lucent requirements attached) [OK]
  - <a href="http://spdx.org/wiki/consuming-code-snippets">Consuming code snippets</a> (God help us all) (sub-file pieces of code not originally intended for the project) [OK]
- Signoff/multiple signoff on SPDX data
  - <a target="_blank" title="Contracts with multiple parties requiring signoff by all" href="https://spdx.org/wiki/multi-party-contracts">Contracts with multiple parties requiring signoff by all</a> [MORE INFO REQUESTED Kate Stewart]
- Third party does licensing analysis
  - <a href="http://spdx.org/wiki/third-party-produces-bill-materials-software-package">Third party generates license analysis</a> [OK]
  - <a href="http://spdx.org/wiki/collecting-enough-information-allow-auditor-make-recommendations-remove-or-not-component">Collecting enough information to allow auditor to make recommendations to remove or not a component</a> [MORE INFO REQUESTED]
- Auditor analyzing/sanity-checking/correcting the Bill of Materials they are handed
  - <a href="http://spdx.org/wiki/use-case-backtrack-binary-source-files">Backtrack from compiled/binary file to constituent files</a> [MORE STUDY NEEDED]
- Outbound: validate that the SPDX data goes hand in hand with what's being shipped [Kirsten Newcomer]
  - <a href="http://spdx.org/wiki/check-see-if-spdx-data-provided-matches-files-provided" title="Check to see if the SPDX data provided matches the files provided and is trustworthy and most current for package">Check to see if the SPDX data provided matches the files provided</a> [OK, larger scope]
- Extensions:
  - <a href="http://spdx.org/wiki/communicate-data-beyond-what-described-spec">Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know</a>
  - <a href="http://spdx.org/wiki/license-list-extension">License list extensions, how do you handle folks who have more licenses than SPDX</a>
  - <a href="http://spdx.org/wiki/decorating-already-produces-and-signed-spdx-dataset-extension-data">Decorating an already produced and signed SPDX dataset with extension data</a> [Bill Schineller]
- Other arising during vetting...
  - Given 2 SPDX files about the same codebase from the same source, be able to tell which is the later rev / more current and correct one.
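The "Check to see if the SPDX data provided matches the files provided" use case above is the one that most directly affects a consumer's security posture: a document that disagrees with the shipped tree is either stale or describes something other than what was delivered. The Python script below is an added example written for this page, not code from the SPDX project or from any of the linked child pages. It parses the `FileName` / `FileChecksum` tag-value pairs of an SPDX 2.x document, hashes the corresponding files on disk, and reports matches, mismatches, files listed but not shipped, and files shipped but not listed. The source tree and the document in `demo()` are constructed for the illustration (the `example.invalid` namespace is a placeholder), and the document uses `NOASSERTION` where data is missing, as the "produce a valid SPDX dataset even if some data is missing" case calls for.

```python
"""Check that an SPDX 2.x tag-value document agrees with a directory tree.
Added example for this wiki page; not SPDX project code."""
import hashlib
import os
import re
import tempfile

# One "Tag: value" line of the SPDX 2.x tag-value format.
_TAG_RE = re.compile(r"^(?P<tag>[A-Za-z]+):\s*(?P<value>.*)$")
# Checksum algorithms this checker knows how to recompute.
_HASHES = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1, "MD5": hashlib.md5}


def parse_file_checksums(spdx_text):
    """Return {relative_path: {ALGO: hexdigest}} for each FileName block.
    A FileChecksum line belongs to the most recent FileName above it."""
    files, current = {}, None
    for line in spdx_text.splitlines():
        m = _TAG_RE.match(line.strip())
        if not m:
            continue
        tag, value = m.group("tag"), m.group("value").strip()
        if tag == "FileName":
            current = value[2:] if value.startswith("./") else value
            files[current] = {}
        elif tag == "FileChecksum" and current is not None:
            algo, _, digest = value.partition(":")
            files[current][algo.strip().upper()] = digest.strip().lower()
    return files


def hash_file(path, algo):
    h = _HASHES[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(spdx_text, root, ignore=()):
    """Compare the document with the files under root.
    ignore: relative paths to leave out (typically the SPDX file itself)."""
    listed = parse_file_checksums(spdx_text)
    report = {k: [] for k in ("ok", "mismatch", "missing", "unlisted", "unverifiable")}
    on_disk = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in ignore:
                on_disk.add(rel)
    for rel, sums in sorted(listed.items()):
        if rel not in on_disk:
            report["missing"].append(rel)
            continue
        algos = [a for a in _HASHES if a in sums]
        if not algos:
            report["unverifiable"].append(rel)  # only algorithms we cannot recompute
            continue
        # Every checksum the document gives must agree; one disagreement is a mismatch.
        path = os.path.join(root, rel)
        bucket = "ok" if all(hash_file(path, a) == sums[a] for a in algos) else "mismatch"
        report[bucket].append(rel)
    report["unlisted"] = sorted(on_disk - set(listed))
    return report


def demo():
    """Constructed run: a tiny tree plus a document that described it before
    src/util.c was altered, LICENSE was dropped and extra.bin was added."""
    root = tempfile.mkdtemp(prefix="spdx-verify-")
    os.mkdir(os.path.join(root, "src"))
    main_c = b"int main(void) { return 0; }\n"
    util_c_hashed = b"int helper(void) { return 1; }\n"
    util_c_shipped = b"int helper(void) { system(\"id\"); return 1; }\n"
    for rel, data in (("src/main.c", main_c), ("src/util.c", util_c_shipped),
                      ("extra.bin", b"\x00\x01")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    spdx_doc = "\n".join([
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        "DocumentName: example",
        "DocumentNamespace: http://example.invalid/spdx/example",  # placeholder
        "PackageName: example",
        "SPDXID: SPDXRef-Package",
        "PackageDownloadLocation: NOASSERTION",  # data missing, document still valid
        "FileName: ./src/main.c",
        "SPDXID: SPDXRef-File-main",
        "FileChecksum: SHA1: " + hashlib.sha1(main_c).hexdigest(),
        "FileChecksum: SHA256: " + hashlib.sha256(main_c).hexdigest(),
        "LicenseConcluded: NOASSERTION",
        "FileName: ./src/util.c",
        "SPDXID: SPDXRef-File-util",
        "FileChecksum: SHA1: " + hashlib.sha1(util_c_hashed).hexdigest(),
        "FileName: ./LICENSE",
        "SPDXID: SPDXRef-File-license",
        "FileChecksum: SHA1: " + hashlib.sha1(b"MIT\n").hexdigest(),
    ])
    return verify_tree(spdx_doc, root)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

This establishes only that the document and the files agree with each other; it says nothing about who produced the document, and a party who can replace the files can usually replace the document too. Binding the checksums to an author is the provenance concern listed under cross-cutting concerns below and needs a signature over the SPDX file itself, checked before this comparison is run. In practice the document ships inside the archive it describes, so pass its own path in `ignore` or it will show up as unlisted; treat "unlisted" and "missing" as seriously as "mismatch", since a dropped LICENSE or an added binary changes what is being redistributed.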
Cross-cutting concerns:
- Provenance (the need to optionally use signing to validate who said what)
- Trust
- Handling staleness of data
- Composite licensing
- Ease of sharing information
- Collecting tribal knowledge along the way
- Guarding against file bloat
- Simple simple simple
- SPDX-Lite:
- Clarity
- Automation/toolifiability
- Regionality
Themes:
Looking at these Use Cases, there are some underlying themes:
- Root of data (closer to upstream the better)
- Subsetting of copyrightable things (and their SPDX data) (Note: Subsets of copyrightable things are usually also copyrightable things)
- Aggregation of copyrightable things (and their SPDX data) (Note: Aggregations of copyrightable things are usually also copyrightable things).