Technical Team/Use Cases/2.0/Backtrack from binary to source files
From SPDX Wiki
Revision as of 18:28, 2 October 2012 by Bschineller (Talk | contribs)
As an auditor, in order to be certain that the licensing and provenance information for a binary (compiled) file is correct, I want a manifest of the source files used to create it.
Stakeholders and interests
- Auditor
The person or organization performing an audit on the licensing and provenance information of a package.
- Project maintainer
The person or organization which maintains the open source software in question.
- Developer
The person or organization using the software package provided by the Project maintainer.
Main Scenario
- Project maintainer builds binary files keeping track of which source files are included in the binary.
- Project maintainer publishes the package with an SPDX document that provides references to every source file used to create each compiled file in the package.
- Developer downloads the binary/compiled package from the Project maintainer.
- Developer requests an audit of the code base before shipping.
- Auditor wants to verify that the licensing and provenance information provided for the compiled files is actually what the provided SPDX file claims.
- Auditor uses the "built from" file list for the compiled file to narrow the analysis to particular files and specific versions of those files.
- Auditor performs deep analysis to ensure that the licensing and provenance of the files are indeed as claimed.
- Auditor provides a clean bill of health.
Alternate Scenario A
- Project maintainer builds binary files keeping track of which source files are included in the binary.
- Project maintainer publishes the package with an SPDX document that provides references to every source used to create each compiled file in the package.
- Developer downloads the binary/compiled package from the Project maintainer.
- Developer requests an audit of the code base before shipping.
- Auditor wants to verify that the licensing and provenance information provided for the compiled files is actually what the provided SPDX file claims.
- Auditor uses the "built from" package list for the compiled file to narrow the analysis to particular packages and specific versions of those packages.
- Auditor performs deep analysis to ensure that the licensing and provenance of the files are indeed as claimed.
- Auditor provides a clean bill of health.
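As an added example (not code from the SPDX wiki or the SPDX project), the Python below models both halves of the Main Scenario above: the maintainer emits SPDX 2.x tag-value File entries with a GENERATED_FROM relationship from the binary to each source it was built from, and the auditor backtracks from the binary's SPDXID to its "built from" list and checks each recorded SHA1 against the tree under audit, so a claim made about a different version of a source file is flagged rather than trusted. File names, identifiers, licences and contents are constructed; the same relationship walk applies to the package-level list of Alternate Scenario A if package entries are recorded instead of file entries.

```python
import hashlib

# Constructed example, not from the SPDX wiki: path -> (SPDXID, LicenseConcluded, contents).
FILES = {
    "./lib/libfoo.so": ("SPDXRef-libfoo", "MIT", b"\x7fELF...constructed..."),
    "./src/foo.c": ("SPDXRef-foo-c", "MIT", b"int foo(void) { return 1; }\n"),
    "./src/util.c": ("SPDXRef-util-c", "BSD-3-Clause", b"int util(void) { return 2; }\n"),
}
BINARY = "./lib/libfoo.so"

def make_spdx(files, binary):
    """Maintainer side (steps 1-2): a tag-value File entry per file plus a
    GENERATED_FROM relationship from the binary to each source it was built from."""
    lines = []
    for path, (spdx_id, lic, data) in files.items():
        lines += [f"FileName: {path}", f"SPDXID: {spdx_id}",
                  f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}", f"LicenseConcluded: {lic}"]
    for path, (spdx_id, _, _) in files.items():
        if path != binary:
            lines.append(f"Relationship: {files[binary][0]} GENERATED_FROM {spdx_id}")
    return "\n".join(lines) + "\n"

def parse_spdx(text):
    """Minimal tag-value reader: file entries keyed by SPDXID, plus relationships."""
    files, rels, cur = {}, [], {}
    for line in text.splitlines():
        tag, _, val = line.partition(": ")
        if tag == "Relationship":
            rels.append(tuple(val.split()))
        elif tag == "FileName":
            cur = {tag: val}
        elif tag == "SPDXID":
            files[val] = cur
        elif tag == "FileChecksum":
            cur.update([val.split(": ", 1)])  # becomes {"SHA1": "<hex digest>"}
        elif tag:
            cur[tag] = val
    return files, rels

def built_from(text, binary_id):
    """Auditor side (step 6): the 'built from' list for one compiled file."""
    files, rels = parse_spdx(text)
    return [files[b] for a, t, b in rels if a == binary_id and t == "GENERATED_FROM"]

def audit(text, binary_id, checkout):
    """Step 7: claimed sources whose SHA1 differs from the tree under audit,
    i.e. the SPDX claim was made about another version of that file."""
    return [f["FileName"] for f in built_from(text, binary_id)
            if f.get("SHA1") != hashlib.sha1(checkout.get(f["FileName"], b"")).hexdigest()]
```

An empty list from `audit` means every source in the "built from" list matches the version the auditor is actually analysing; any path returned needs the deep analysis redone against the version the SPDX document really describes.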
NOTES: on 2012-10-02, having difficulty understanding the distinction between Main Scenario and Alternate A. Versions of files vs. versions of packages? (step 6)