THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Old/Use Cases Collected during 1.x timeframe"

(Convert to MediaWiki syntax)
 

Latest revision as of 15:48, 6 March 2013

Use cases from 1.0 discussions

Technical Team/Old/Sandbox for Sharing Examples

Use Cases to consider for SPDX 2.0 - working draft

Source code for SPDX-tools is available at: https://github.com/goneall/SPDX-Tools

Use case details: http://pad.ubuntu.com/spdx-tech--use-case-embedded-java-jar

(The way I am thinking about the use cases is there are 2 different groups of use cases which I am calling scenarios. From what I can think of the same solutions should work for both scenarios, but there may be value in keeping these 2 scenarios in mind while working through the detailed use cases)

High level general use case Scenarios:

A: Embedded Packages (a typical "Audit" scenario)

  • Actors:
    • Package Supplier: person or entity supplying the package represented by the highest level SPDX document
    • Package Consumer: person or entity using the package represented by the highest level SPDX document

Use Cases:

  • embedded java jar
  • embedded source distribution
  • embedded source with unused contrib library
  • embedded build tools

B: Package Supply Chain

  • Actors:
    • Package Originator: Original supplier of a package represented by an SPDX document - likely (but not always) the creator
    • Intermediate Packager: person or entity that redistributes an original package with its own SPDX document
    • End Package Consumer: The consumer of the final package in the supply chain - note that the same entity or person can be both an End Package Consumer and an Intermediate Packager
  • Use Cases:
    • simple redistribution
    • package aggregation
    • modified redistribution
    • patches provided to existing (already distributed) package
    • appstore

Use Case: embedded source

Givens:

  1. A pre-existing source tarball (commons-logging-1.1.1.tar.gz) with an SPDX document is available for re-use.
  2. To build MyApp, which re-uses it, commons-logging-1.1.1.tar.gz gets expanded somewhere into the MyApp source tree.

Problem: Create an SPDX analysis of MyApp that can reference the pre-existing SPDX document for commons-logging-1.1.1.tar.gz without having to repeat all the info (e.g. every File node...) which was already in the consumed SPDX document.

Discussion:

A package supplier includes another open source package in source form (e.g. Apache Jakarta Commons Logging). The source code is unmodified and intended to be compiled into the final solution by the Package Consumer. The source code is in a distinct archive file (e.g. commons-logging-1.1.1.tar.gz). The archive source file would be represented as a single file in the highest level SPDX document. The archive file would contain an SPDX document representing the embedded source files.

Variation: the source code would be in its own distinct subdirectory (e.g. source/java/org/apache/commons/logging/*). In this variation, the highest level SPDX document would detail all files within the embedded package and the "artifact-of" property would reference the embedded package.

Comment: (BillSchineller) - the use case of the supplier handing off a tarball with accompanying (inside or 'sidecar'...) SPDX analysis/doc is the Given. But the reality is that the consumer must crack it open and expand its contents into the source tree for the build/compile step.
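
The check this use case depends on, as an added example (not part of the original wiki page or of SPDX-Tools): before MyApp's SPDX document references the pre-existing commons-logging document instead of repeating its File entries, confirm that the tree expanded into MyApp still matches what that document declares. It assumes the SPDX tag-value fields FileName and FileChecksum (SHA1) and the SPDX package verification code construction (SHA1 over the sorted, concatenated file SHA1 values); the function names and the two-file sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha1_of_file(path):
    """Stream a file through SHA1 so large sources are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_spdx_file_checksums(tag_value_text):
    """Return {relative path: sha1 hex} from FileName / FileChecksum pairs."""
    checksums = {}
    current = None
    for raw in tag_value_text.splitlines():
        line = raw.strip()
        if line.startswith("FileName:"):
            current = os.path.normpath(line.split(":", 1)[1].strip())
        elif line.startswith("FileChecksum:") and current is not None:
            algo, _, digest = line.split(":", 1)[1].strip().partition(":")
            if algo.strip().upper() == "SHA1":
                checksums[current] = digest.strip().lower()
    return checksums


def hash_tree(root):
    """Hash every regular file under root, keyed by path relative to root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root)] = sha1_of_file(full)
    return found


def verification_code(sha1_values):
    """SHA1 of the sorted, concatenated file SHA1s. A full implementation would
    also leave the SPDX document itself out when it sits inside the tree."""
    joined = "".join(sorted(sha1_values))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def compare_embedded_tree(spdx_text, expanded_root):
    """Compare the files declared by the consumed SPDX document with the expanded tree."""
    declared = parse_spdx_file_checksums(spdx_text)
    actual = hash_tree(expanded_root)
    modified = sorted(p for p in declared if p in actual and actual[p] != declared[p])
    missing = sorted(p for p in declared if p not in actual)
    extra = sorted(p for p in actual if p not in declared)
    return {
        "modified": modified,
        "missing": missing,
        "extra": extra,
        # Only an exact match justifies referencing the existing document as-is.
        "unmodified": not (modified or missing or extra),
        "declared_code": verification_code(declared.values()),
        "actual_code": verification_code(actual.values()),
    }


def build_demo():
    """Constructed sample: a two-file tree plus the SPDX file entries describing it."""
    root = tempfile.mkdtemp(prefix="myapp-embedded-")
    files = {
        "src/Log.java": b"package org.apache.commons.logging;\ninterface Log {}\n",
        "NOTICE.txt": b"Constructed sample notice\n",
    }
    entries = []
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        entries.append(
            "FileName: ./%s\nFileChecksum: SHA1: %s\n" % (rel, hashlib.sha1(data).hexdigest())
        )
    return root, "\n".join(entries)


if __name__ == "__main__":
    root, spdx_text = build_demo()
    print("as expanded:", compare_embedded_tree(spdx_text, root)["unmodified"])
    # Simulate a local edit made after the tarball was expanded into MyApp.
    with open(os.path.join(root, "src", "Log.java"), "ab") as fh:
        fh.write(b"// local patch\n")
    print("after edit: ", compare_embedded_tree(spdx_text, root))
```

A mismatch moves the package out of this use case and into the "modified redistribution" case, where the consumed document can no longer be referenced unchanged.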

Use Case: embedded source with unused contrib library

Similar to embedded source, except there would be source files known not to be compiled into the resultant binaries of the final package, for example the zlib contrib directory. Solution suggestion: the excluded files could be represented in the SPDX documents with an "unused" property, and the license properties for the files would still be represented in the SPDX document (exact mechanism TBD).

Use Case: embedded build tools

A Package Supplier includes build utilities (source, scripts, or binaries) which are only used to build the resultant packages. The specific build tool files are represented in the SPDX document with the appropriate license and an artifact-of property which points to the origin of the tools. Solution suggestion: A property could designate that this file is used as a tool.

Use Case: simple redistribution

An Intermediate Packager redistributes an original package without source code modification. Additional meta data may be supplied by the Intermediate Packager. Example - Debian packaging.

Use Case: package aggregation

An Intermediate Packager aggregates several open source packages into a single distribution. Additional meta data is added. Example - Linux distribution, Android, Ubuntu, Debian.

Use Case: modified redistribution

An Intermediate Packager redistributes a package from the Package Originator with some modifications to the original code. These modifications may impact the resultant licensing.

Use Case: application store - how built and manifest, and how products handled

Pass through provider (Android Market Place, Apple Store), Facebook app?

Downloadable components (clients that are downloadable and resident).

Use Case: patches provided to existing (already distributed) package - An existing package with a pre-existing SPDX document is patched. The patch may contain additional licensing information.