Technical Team/Proposals/Yet another rough proposal for conceptual model of SPDX 2
This conceptual model is an attempt to incrementally add hierarchy and provenance capabilities to the existing SPDX model. Many of the <a href="http://spdx.org/wiki/spdx-20-use-cases">use cases</a> have been considered, but further analysis is necessary to ensure that the model covers all scenarios.
This model supports hierarchy by allowing the assertion that a file in one package is the same entity as, or was built from, another package or a file or file set in another package. Reuse is supported by allowing an SPDX file to include other SPDX files verbatim. Provenance of the files is supported by allowing explicit statements about who holds rights to a file and under which licenses they permit copying.
Reuse by inclusion of other SPDX files means that an SPDX file would contain an RDF or tag-value coded dataset for the package(s) it directly describes, and additionally any number of other SPDX files for the components it contains. Those sub-packages might, in turn, include other SPDX files.
Provenance of the SPDX data is supported by allowing each SPDX dataset to be cryptographically signed. Signed datasets are included verbatim, signatures and all, so the source of every included dataset is easily identified. Datasets are signed at each level, and because each signature is computed over the enclosed sub-datasets as well as the dataset's own content, the top-level signature covers the entire analysis: altering or substituting a sub-dataset after signing invalidates the signature of every dataset that encloses it.
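The nested inclusion and per-level signing described above, as an added example in Go that is not part of this proposal or of any SPDX tooling. It assumes a `Dataset`/`SignedDataset` structure, Ed25519 signatures, and `## BEGIN/END INCLUDED SPDX` framing lines, all chosen here for illustration rather than taken from SPDX; the tag-value lines are constructed sample data. The parent signature is computed over each child's full serialization, including the child's own signature, so a validly signed but different sub-dataset swapped in later verifies on its own yet breaks the enclosing signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Dataset is one SPDX dataset in the nested model: a tag-value body for the
// package it describes plus already-signed datasets for included components.
type Dataset struct {
	Body     string           // tag-value lines (constructed sample data below)
	Children []*SignedDataset // included sub-datasets, carried verbatim
}

// SignedDataset is a Dataset with its signer's public key and a signature over
// the serialized body *and* every child's serialization, child signatures included.
type SignedDataset struct {
	Dataset
	PubKey    ed25519.PublicKey
	Signature []byte
}

// payload is the exact byte string that is signed and later verified.
func (d *Dataset) payload() []byte {
	var b strings.Builder
	b.WriteString(d.Body)
	for _, c := range d.Children {
		b.WriteString("## BEGIN INCLUDED SPDX\n") // framing is an assumption, not SPDX syntax
		b.WriteString(c.Serialize())
		b.WriteString("## END INCLUDED SPDX\n")
	}
	return []byte(b.String())
}

// Serialize renders a signed dataset the way a parent dataset would include it.
func (s *SignedDataset) Serialize() string {
	return string(s.payload()) +
		"SignerPublicKey: " + base64.StdEncoding.EncodeToString(s.PubKey) + "\n" +
		"Signature: " + base64.StdEncoding.EncodeToString(s.Signature) + "\n"
}

// NewSigner generates a fresh Ed25519 key for one party in the example.
func NewSigner() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign signs a dataset together with whatever children it already carries.
func Sign(d Dataset, priv ed25519.PrivateKey) *SignedDataset {
	pub := priv.Public().(ed25519.PublicKey)
	return &SignedDataset{Dataset: d, PubKey: pub, Signature: ed25519.Sign(priv, d.payload())}
}

// Verify checks this level's signature, then recurses into every included
// dataset, so one altered or substituted sub-dataset fails the whole tree.
func (s *SignedDataset) Verify() bool {
	if !ed25519.Verify(s.PubKey, s.payload(), s.Signature) {
		return false
	}
	for _, c := range s.Children {
		if !c.Verify() {
			return false
		}
	}
	return true
}

// BuildExample builds a two-level tree from constructed sample data: an
// application dataset from one signer that includes a library dataset from another.
func BuildExample() (app, lib *SignedDataset) {
	lib = Sign(Dataset{
		Body: "PackageName: libfoo\nPackageVersion: 1.2\nPackageLicenseConcluded: MIT\n",
	}, NewSigner())
	app = Sign(Dataset{
		Body:     "PackageName: app\nPackageVersion: 3.0\nPackageLicenseConcluded: Apache-2.0\n",
		Children: []*SignedDataset{lib},
	}, NewSigner())
	return app, lib
}

func main() {
	app, lib := BuildExample()
	fmt.Println("intact tree verifies:", app.Verify())
	// Substitute a validly signed but different library dataset: it verifies
	// on its own, but the enclosing application signature no longer does.
	app.Children[0] = Sign(Dataset{Body: "PackageName: libfoo\nPackageLicenseConcluded: GPL-2.0\n"}, NewSigner())
	fmt.Println("substituted child:", app.Children[0].Verify(), "tree:", app.Verify())
	// Edit the original child in place after signing: both levels now fail.
	app.Children[0] = lib
	lib.Body += "PackageLicenseComments: edited after signing\n"
	fmt.Println("edited child:", lib.Verify(), "tree:", app.Verify())
}
```

`Verify` only establishes that each signature was made with the key carried alongside it. Whether that key belongs to the party the dataset claims as its source is a key-trust question this proposal does not address; a consumer would need a separate policy, such as pinned keys or a PKI, before treating a verified signature as proof of provenance.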