THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Old/Use Cases Collected during 1.x timeframe"

From SPDX Wiki
Line 1: Line 1:
Use cases from fossbazaar site from pre-1.0 discussions
===========================================

https://fossbazaar.org/wiki/spdx-use-case-1
some of these taken from http://pad.ubuntu.com/spdx-tech


Use Cases to consider for SPDX 2.0 - working draft
======================================

Source code for SPDX-tools is available at: https://github.com/goneall/SPDX-Tools

Use case details:

 * http://pad.ubuntu.com/spdx-tech--use-case-embedded-java-jar

[The way I am thinking about the use cases is there are 2 different groups of use cases which I am calling scenarios.  From what I can think of the same solutions should work for both scenarios, but there may be value in keeping these 2 scenarios in mind while working through the detailed use cases]

High level general use case Scenarios:
A: Embedded Packages (a typical "Audit" scenario)
- Actors:
  - Package Supplier: person or entity supplying the package represented by the highest level SPDX document
  - Package Consumer: person or entity using the package represented by the highest level SPDX document
- Use Cases:
  - embedded java jar
  - embedded source distribution
  - embedded source with unused contrib library
  - embedded build tools

B: Package Supply Chain
- Actors:
  - Package Originator: Original supplier of a package represented by an SPDX document - likely (but not always) the creator
  - Intermediate Packager: person or entity that redistributes an original package with its own SPDX document
  - End Package Consumer: The consumer of the final package in the supply chain - note that the same entity or person can be both an End Package Consumer and an Intermediate Packager
- Use Cases:
  - simple redistribution
  - package aggregation
  - modified redistribution
  - patches provided to existing (already distributed) package
  - appstore

Use Case: embedded source
Givens:
1) Given: a pre-existing source tarball (commons-logging-1.1.1.tar.gz) with an SPDX document is available for re-use
2) Given: To build MyApp which re-uses it, commons-logging-1.1.1.tar.gz gets expanded somewhere into the MyApp source tree

Problem:
Create an SPDX analysis of MyApp that can reference the pre-existing SPDX document for commons-logging-1.1.1.tar.gz without having to repeat all the info (e.g. every File node...) which was already in the consumed SPDX document.

Discussion:

A package supplier includes another open source package in source form (e.g. Apache Jakarta Commons Logging).  The source code is unmodified and intended to be compiled into the final solution by the Package Consumer.  The source code is in a distinct archive file (e.g. commons-logging-1.1.1.tar.gz).  The archive source file would be represented as a single file in the highest level SPDX document.  The archive file would contain an SPDX document representing the embedded source files.
Variation: the source code would be in its own distinct subdirectory (e.g. source/java/org/apache/commons/logging/*).  In this variation, the highest level SPDX document would detail all files within the embedded package and the "artifact-of" property would reference the embedded package.
[Comment: (BillSchineller) - the use case of the supplier handing off a tarball with accompanying (inside or 'sidecar'...) SPDX analysis/doc is the Given.  But the reality is that the consumer must crack it open and expand its contents into the source tree for the build/compile step.

=================

Use Case: embedded source with unused contrib library
Similar to embedded source except there would be source files known to not be compiled into the resultant binaries of the final package, for example the zlib contrib directory.  Solution suggestion: the excluded files could be represented in the SPDX documents with an "unused" property and the license properties for the files would still be represented in the SPDX document (exact mechanism TBD)

Use Case: embedded build tools
A Package Supplier includes build utilities (source, scripts, or binaries) which are only used to build the resultant packages.  The specific build tool files are represented in the SPDX document with the appropriate license and an artifact-of property which points to the origin of the tools.  Solution suggestion: A property could designate that this file is used as a tool.

Use Case: simple redistribution
An Intermediate Packager redistributes an original package without source code modification.  Additional meta data may be supplied by the Intermediate Packager.  Example - Debian packaging.

Use Case: package aggregation
An Intermediate Packager aggregates several open source packages into a single distribution.  Additional meta data is added.  Example - Linux distribution, Android, Ubuntu, Debian

Use Case: modified redistribution
An Intermediate Packager redistributes a package from the Package Originator with some modifications to the original code.  These modifications may impact the resultant licensing

Use Case: application store - how built and manifest, and how products handled
Pass through provider (Android Market Place, Apple Store), Facebook app?
Downloadable components (clients that are downloadable and resident).

Use Case: patches provided to existing (already distributed) package - An existing package with a pre-existing spdx document is patched.  The patch may contain additional licensing information
+
Use cases from 1.0 discussions
===========================================

http://spdx.org/wiki/spdx/examples


Use Cases to consider for SPDX 2.0 - working draft
======================================

Source code for SPDX-tools is available at: https://github.com/goneall/SPDX-Tools

Use case details:

 * http://pad.ubuntu.com/spdx-tech--use-case-embedded-java-jar

[The way I am thinking about the use cases is there are 2 different groups of use cases which I am calling scenarios.  From what I can think of the same solutions should work for both scenarios, but there may be value in keeping these 2 scenarios in mind while working through the detailed use cases]

High level general use case Scenarios:
A: Embedded Packages (a typical "Audit" scenario)
- Actors:
  - Package Supplier: person or entity supplying the package represented by the highest level SPDX document
  - Package Consumer: person or entity using the package represented by the highest level SPDX document
- Use Cases:
  - embedded java jar
  - embedded source distribution
  - embedded source with unused contrib library
  - embedded build tools

B: Package Supply Chain
- Actors:
  - Package Originator: Original supplier of a package represented by an SPDX document - likely (but not always) the creator
  - Intermediate Packager: person or entity that redistributes an original package with its own SPDX document
<div id="magicdomid175" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7"
style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; - End Package Consumer: The consumer of the final package in the supply chain - note that the same entity or person can be both an End Package Consumer and an Intermediate Packager</span></div><div id="magicdomid176" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">- Use Cases:</span></div><div id="magicdomid177" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; - simple redistribution</span></div><div id="magicdomid178" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; - package aggregation</span></div><div id="magicdomid179" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; - modified redistribution</span></div><div id="magicdomid180" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; - patches provided to existing (already distributed) package</span></div><div id="magicdomid181" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; 
padding-bottom: 1px;">&nbsp; - appstore</span></div><div id="magicdomid182" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid183" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: embedded source</span></div><div id="magicdomid184" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">Givens:</span></div><div id="magicdomid185" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">1) Given a pre-existing source tarball (commons-logging-1.1.1.tar.gz) with an SPDX document is available for re-use</span></div><div id="magicdomid186" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">2) Given: To build MyApp which re-uses it, commons-logging-1.1.1.tar.gz gets expanded somewhere into the MyApp source tree</span></div><div id="magicdomid187" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid188" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">Problem:</span></div><div id="magicdomid189" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; 
line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">Create an SPDX analysis of MyApp that can reference the pre-existing SPDX document for commons-logging-1.1.1.tar.gz without having to repeat all the info (e.g. every File node...) which was already in the consumed SPDX document.</span></div><div id="magicdomid190" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid191" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">Discussion:</span></div><div id="magicdomid192" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid193" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; A package supplier includes another open source package in source form (e.g. Apache Jakarta Commons Logging).&nbsp; The source code is unmodified and intended to be compiled into the final solution by the Package Consumer.&nbsp; The source code is in a distinct archive file (e.g. 
commons-logging-1.1.1.tar.gz).&nbsp; The archive source file would be represented as a single file in the highest level SPDX document.&nbsp; The archive file would contain an SPDX document representing the embedded source files.&nbsp;&nbsp;</span></div><div id="magicdomid194" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; Variation: the source code would be in its own distinct subdirectory (e.g. source/java/org/apache/commons/logging/*).&nbsp; In this variation, the highest level SPDX document would detail all files within the embedded package and the "artifact-of" property would reference the embedded package.</span></div><div id="magicdomid195" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">&nbsp; [Comment: (BillSchineller) - the use case of the supplier handing off a tarball with accompanying (inside or 'sidecar'...) 
SPDX analysis/doc is the Given.&nbsp; But the reality is that the consumer must crack it open and expand its contents into the source tree for the build/compile step.&nbsp;&nbsp;&nbsp;</span></div><div id="magicdomid196" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid197" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-ha6r9ljem9yalssm" style="cursor: auto; background-color: #f1ffe3; padding-top: 1px; padding-bottom: 1px;">=================</span></div><div id="magicdomid198" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;&nbsp;</span></div><div id="magicdomid199" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: embedded source with unused contrib library</span></div><div id="magicdomid200" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;Similar to embedded source except there would be source file known to not be compiled into the resultant binaries of the final package, for example the zlib contrib directory.&nbsp; Solution suggestion: the excluded files could be represented in the SPDX documents with an "unused" property and the license properties for the files would still be represented in the SPDX document (exact mechanism TBD)</span></div><div id="magicdomid201" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div 
id="magicdomid202" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: embedded build tools&nbsp; A Package Supplier includes build utilities (source, scripts, or binaries) which are only used to build the resultant packages.&nbsp; The specific build tool files are represented in the SPDX document with the appropriate license and and artifact-of property which points to the origin of the tools.&nbsp; Solution suggestion: A property could designate that this file is used as a tool.</span></div><div id="magicdomid203" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;</span></div><div id="magicdomid204" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: simple redistribution&nbsp;</span></div><div id="magicdomid205" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;An Intermediate Packager redistributes an original package without source code modification.&nbsp; Additional meta data may be supplied by the Intermediate Packager.&nbsp; Example - Debian packag</span><span class="author-g-sz122z2pgf4uw9k6kz122zz122z6" style="cursor: auto; background-color: #f1e3ff; padding-top: 1px; padding-bottom: 1px;">ing</span><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">.</span></div><div 
id="magicdomid206" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;</span></div><div id="magicdomid207" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: package aggregation&nbsp;</span></div><div id="magicdomid208" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp; An Intermediate Packager aggregates several open source packages into a single distribution.&nbsp; Additional meta data is added.&nbsp; Example - Linux distribution</span><span class="author-g-sz122z2pgf4uw9k6kz122zz122z6" style="cursor: auto; background-color: #f1e3ff; padding-top: 1px; padding-bottom: 1px;">, Android, Ubuntu, Debian</span></div><div id="magicdomid209" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;</span></div><div id="magicdomid210" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: modified redistribution&nbsp;</span></div><div id="magicdomid211" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">&nbsp;An Intermediate 
Package redistributes a package from the Package Originator with some modifications to the original code.&nbsp; These modifications may impact the resultant licensing</span></div><div id="magicdomid212" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid213" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-sz122z2pgf4uw9k6kz122zz122z6" style="cursor: auto; background-color: #f1e3ff; padding-top: 1px; padding-bottom: 1px;">Use Case:&nbsp; application store - how built and manifest, and how products handled</span></div><div id="magicdomid214" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-sz122z2pgf4uw9k6kz122zz122z6" style="cursor: auto; background-color: #f1e3ff; padding-top: 1px; padding-bottom: 1px;">Pass through provider (Android Market Place, Apple Store), Facebook app?</span></div><div id="magicdomid215" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-sz122z2pgf4uw9k6kz122zz122z6" style="cursor: auto; background-color: #f1e3ff; padding-top: 1px; padding-bottom: 1px;">Downloadable components (clients that are downloadable and resident).</span></div><div id="magicdomid216" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;">&nbsp;</div><div id="magicdomid217" style="padding-right: 1px; font-family: Arial, sans-serif; font-size: 13px; line-height: 17px;"><span class="author-g-gr61e6romqg35ji7" style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;">Use Case: patches provided to existing (already distributed) package - An existing package with a pre-existing spdx document is patched.&nbsp; The patch may contain additional licensing information</span></div><div><span class="author-g-gr61e6romqg35ji7" 
style="cursor: auto; background-color: #ecbcbc; padding-top: 1px; padding-bottom: 1px;"><br /></span></div>

Revision as of 18:30, 31 July 2012

Use cases from 1.0 discussions
===========================================

http://spdx.org/wiki/spdx/examples


Use Cases to consider for SPDX 2.0 - working draft
======================================
 
Source code for SPDX-Tools is available at: https://github.com/goneall/SPDX-Tools
 
Use case details:
 
 
 [The way I am thinking about the use cases is there are 2 different groups of use cases which I am calling scenarios.  From what I can think of the same solutions should work for both scenarios, but there may be value in keeping these 2 scenarios in mind while working through the detailed use cases]
 
 High level general use case Scenarios:
 A: Embedded Packages (a typical "Audit" scenario)
 - Actors: 
     - Package Supplier: person or entity supplying the package represented by the highest level SPDX document
     - Package Consumer: person or entity using the package represented by the highest level SPDX document
Use Cases: 
- embedded java jar 
- embedded source distribution
- embedded source with unused contrib library 
- embedded build tools
 
B: Package Supply Chain
- Actors:
  - Package Originator: Original supplier of a package represented by an SPDX document - likely (but not always) the creator
  - Intermediate Packager: person or entity that redistributes an original package with its own SPDX document
  - End Package Consumer: The consumer of the final package in the supply chain - note that the same entity or person can be both an End Package Consumer and an Intermediate Packager
- Use Cases:
  - simple redistribution
  - package aggregation
  - modified redistribution
  - patches provided to existing (already distributed) package
  - appstore
 
Use Case: embedded source
Givens:
1) Given: A pre-existing source tarball (commons-logging-1.1.1.tar.gz) with an SPDX document is available for re-use
2) Given: To build MyApp which re-uses it, commons-logging-1.1.1.tar.gz gets expanded somewhere into the MyApp source tree
 
Problem:
Create an SPDX analysis of MyApp that can reference the pre-existing SPDX document for commons-logging-1.1.1.tar.gz without having to repeat all the info (e.g. every File node...) which was already in the consumed SPDX document.
 
Discussion:
 
  A package supplier includes another open source package in source form (e.g. Apache Jakarta Commons Logging).  The source code is unmodified and intended to be compiled into the final solution by the Package Consumer.  The source code is in a distinct archive file (e.g. commons-logging-1.1.1.tar.gz).  The archive source file would be represented as a single file in the highest level SPDX document.  The archive file would contain an SPDX document representing the embedded source files.  
  Variation: the source code would be in its own distinct subdirectory (e.g. source/java/org/apache/commons/logging/*).  In this variation, the highest level SPDX document would detail all files within the embedded package and the "artifact-of" property would reference the embedded package.
  [Comment: (BillSchineller) - the use case of the supplier handing off a tarball with accompanying (inside or 'sidecar'...) SPDX analysis/doc is the Given.  But the reality is that the consumer must crack it open and expand its contents into the source tree for the build/compile step.]
 
=================
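Added example (not part of the original wiki page or of SPDX-Tools): one way a Package Consumer could decide whether the expanded commons-logging tree may still be covered by a reference to the supplier's SPDX document instead of repeating every File entry. It assumes the upstream document's File entries are available as a path-to-SHA1 mapping, and it borrows the package verification code calculation from the SPDX 1.x specification (SHA1 over the sorted, concatenated file SHA1s); the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha1_file(path):
    """SHA1 of a file's contents, read in chunks."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_checksums(root, excluded=()):
    """Map relative POSIX path -> SHA1 for every file under root."""
    sums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in excluded:  # e.g. the SPDX document itself
                sums[rel] = sha1_file(full)
    return sums


def verification_code(sums):
    """SPDX 1.x style verification code: SHA1 of the sorted file SHA1s."""
    joined = "".join(sorted(sums.values()))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def compare_to_upstream(upstream_files, embedded_root, excluded=()):
    """Compare the expanded tree against the File entries of the upstream doc."""
    local = tree_checksums(embedded_root, excluded)
    report = {
        "modified": sorted(p for p in upstream_files
                           if p in local and local[p] != upstream_files[p]),
        "missing": sorted(p for p in upstream_files if p not in local),
        "extra": sorted(p for p in local if p not in upstream_files),
    }
    # Only an unchanged tree can be described by reference alone.
    report["can_reference"] = not any(report.values())
    report["verification_code"] = verification_code(local)
    return report


def demo():
    """Constructed sample: a pristine expansion, then a locally edited one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "MyApp", "third_party", "commons-logging-1.1.1")
        os.makedirs(os.path.join(root, "src"))
        sample = {"LICENSE.txt": b"Apache-2.0 text\n",
                  "src/Log.java": b"interface Log {}\n"}
        for rel, body in sample.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        # Stands in for the File entries of the supplier's SPDX document.
        upstream = tree_checksums(root)
        pristine = compare_to_upstream(upstream, root)
        # Simulate what happens once the tree lives inside MyApp.
        with open(os.path.join(root, "src", "Log.java"), "ab") as fh:
            fh.write(b"// local patch\n")
        with open(os.path.join(root, "build.xml"), "wb") as fh:
            fh.write(b"<project/>\n")
        edited = compare_to_upstream(upstream, root)
    return upstream, pristine, edited


if __name__ == "__main__":
    _upstream, before, after = demo()
    print("pristine:", before)
    print("edited:  ", after)
```

When can_reference is false, the modified and extra lists name the files that need their own entries in the MyApp SPDX document.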
  
Use Case: embedded source with unused contrib library
 Similar to embedded source except there would be source files known not to be compiled into the resultant binaries of the final package, for example the zlib contrib directory.  Solution suggestion: the excluded files could be represented in the SPDX documents with an "unused" property and the license properties for the files would still be represented in the SPDX document (exact mechanism TBD).
 
Use Case: embedded build tools
 A Package Supplier includes build utilities (source, scripts, or binaries) which are only used to build the resultant packages.  The specific build tool files are represented in the SPDX document with the appropriate license and an artifact-of property which points to the origin of the tools.  Solution suggestion: A property could designate that this file is used as a tool.
 
Use Case: simple redistribution 
 An Intermediate Packager redistributes an original package without source code modification.  Additional meta data may be supplied by the Intermediate Packager.  Example - Debian packaging.
 
Use Case: package aggregation 
  An Intermediate Packager aggregates several open source packages into a single distribution.  Additional meta data is added.  Example - Linux distribution, Android, Ubuntu, Debian
 
Use Case: modified redistribution 
 An Intermediate Packager redistributes a package from the Package Originator with some modifications to the original code.  These modifications may impact the resultant licensing.
 
Use Case:  application store - how built and manifest, and how products handled
Pass through provider (Android Market Place, Apple Store), Facebook app?
Downloadable components (clients that are downloadable and resident).
 
Use Case: patches provided to existing (already distributed) package
 An existing package with a pre-existing SPDX document is patched.  The patch may contain additional licensing information.