THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Use Cases/2.0/Low cost SPDX file"

From SPDX Wiki
Jump to: navigation, search
Line 1: Line 1:
<p>As a maintainer of an open source project in order to make complying with my licensing easier i want to publish the licensing in a machine readable format but i am not willing to "waste" much effort on such administrivia. Maintaining data for each and every file in every package ever produced sounds like a lot of work because those files change a lot. An SPDX file that describes the package but omits all the file level information sounds just about right.</p><h3>Stakeholders and interests</h3><ul><li><strong>Project maintainer</strong><p>Wants to produce machine readable licensing information so that users can more easily adopt the package but does not want to "waste" valuable time creating that data rather than implementing features.</p></li><li><strong>Lax SPDX consumer</strong><p>A person or organization that uses SPDX data to accomplish goals that do not require exhaustive file by file data.</p></li><li><strong>Strict SPDX consumer</strong><p>A person or organization that uses SPDX data to accomplish goals that require exhaustive data on every file.</p></li></ul><h3>Main scenario</h3><ol><li>Project maintainer hears about SPDX and decides to implement it for his project.</li><li>Project maintainer creates SPDX file that describes his package (name, description, licenseDeclared, licenseConcluded, checksum, etc) but does not included information about the files in package and does not generate packageVerificationCode.</li><li>Project maintainer publishes limited SPDX data for the project (package)</li><li>Lax SPDX consumer downloads project and its SPDX data.</li><li>Lax SPDX consumer uses the package level licensing information to ensure they are in compliance with the licensing of the package.</li></ol><h3>Alternate scenario A</h3><ol><li>Project maintainer hears about SPDX and decides to implement it for his project.</li><li>Project maintainer creates SPDX file that describes his package (name, description, licenseDeclared, licenseConcluded, checksum, etc) but does not included information about the files in package and does not generate packageVerificationCode.</li><li>Project maintainer publishes limited SPDX file along side the tar ball.</li><li>Strict SPDX consumer downloads tar ball and its SPDX file.</li><li>Strict SPDX consumer reads the SPDX file and notes its incompleteness.</li><li>Strict SPDX consumer initiates procedures to do a deeper analysis on the package so that its goals can be accomplished.</li></ol><h3>Success Scenario</h3><ol><li>Wider adoption of SPDX by project maintainers providing licensing information in a standard&nbsp;(albeit non-exhaustive)&nbsp;format</li><li>Consumers obtain licensing intentions of project maintainers in a standard (albeit non-exhaustive) format</li><li>Consumers are able to contribute / build upon the initial low cost SPDX data to flesh it out</li></ol>
+
<p>As a maintainer of an open source project in order to make complying with my licensing easier i want to publish the licensing in a machine readable format but i am not willing to "waste" much effort on such administrivia. Maintaining data for each and every file in every package ever produced sounds like a lot of work because those files change a lot. An SPDX file that describes the package but omits all the file level information sounds just about right.</p><p><strong>NOTE:&nbsp;</strong>Potential conflict between this Use Case and&nbsp;http://spdx.org/wiki/check-see-if-spdx-data-provided-matches-files-provided &nbsp;(if SPDX Lite doesn't involve any checksumming...)</p><p><strong>Note 2:&nbsp;</strong>Still uncertain if the Use Case is about "package" or "project" (and the definition of package vs. project in th context of this Use Case). Hence " copyrightable artifact"</p><h3>Stakeholders and interests</h3><ul><li><strong>Project maintainer</strong><p>Wants to produce machine readable licensing information so that users can more easily adopt the package but does not want to "waste" valuable time creating that data rather than implementing features.</p></li><li><strong>Lax SPDX consumer</strong><p>A person or organization that uses SPDX data to accomplish goals that do not require exhaustive file by file data.</p></li><li><strong>Strict SPDX consumer</strong><p>A person or organization that uses SPDX data to accomplish goals that require exhaustive data on every file.</p></li></ul><h3>Main scenario</h3><ol><li>Project maintainer hears about SPDX and decides to implement it for his project.</li><li>Project maintainer creates SPDX file that describes his package (e.g. name, description, licenseDeclared, licenseConcluded, checksum (optional??), etc) but does not included information about the files in package and does not generate packageVerificationCode.</li><li>Project maintainer publishes limited SPDX data for the&nbsp;&nbsp;copyrightable artifact</li><li>Lax SPDX consumer downloads&nbsp;&nbsp;copyrightable artifact&nbsp;and its SPDX data.</li><li>Lax SPDX consumer uses the package level licensing information to ensure they are in compliance with the licensing of the package.</li></ol><h3>Alternate scenario A</h3><ol><li>Project maintainer hears about SPDX and decides to implement it for his project.</li><li>Project maintainer creates SPDX file that describes his package (name, description, licenseDeclared, licenseConcluded, checksum, etc) but does not included information about the files in package and does not generate packageVerificationCode.</li><li>Project maintainer publishes&nbsp;limited SPDX data for the copyrightable artifact</li><li>Strict SPDX consumer downloads&nbsp;&nbsp;copyrightable artifact&nbsp;and its SPDX file.</li><li>Strict SPDX consumer reads the SPDX file and notes its incompleteness.</li><li>Strict SPDX consumer initiates procedures to do a deeper analysis on the package so that its goals can be accomplished.</li></ol><h3>Success Scenario</h3><ol><li>Wider adoption of SPDX by project maintainers providing licensing information in a standard&nbsp;(albeit non-exhaustive)&nbsp;format</li><li>Consumers obtain licensing intentions of project maintainers in a standard (albeit non-exhaustive) format</li><li>Consumers are able to contribute / build upon the initial low cost SPDX data to flesh it out</li></ol><h3>&nbsp;</h3>

Revision as of 18:58, 17 July 2012

As a maintainer of an open source project in order to make complying with my licensing easier i want to publish the licensing in a machine readable format but i am not willing to "waste" much effort on such administrivia. Maintaining data for each and every file in every package ever produced sounds like a lot of work because those files change a lot. An SPDX file that describes the package but omits all the file level information sounds just about right.

NOTE: Potential conflict between this Use Case and http://spdx.org/wiki/check-see-if-spdx-data-provided-matches-files-provided  (if SPDX Lite doesn't involve any checksumming...)

Note 2: Still uncertain if the Use Case is about "package" or "project" (and the definition of package vs. project in th context of this Use Case). Hence " copyrightable artifact"

Stakeholders and interests

  • Project maintainer

    Wants to produce machine readable licensing information so that users can more easily adopt the package but does not want to "waste" valuable time creating that data rather than implementing features.

  • Lax SPDX consumer

    A person or organization that uses SPDX data to accomplish goals that do not require exhaustive file by file data.

  • Strict SPDX consumer

    A person or organization that uses SPDX data to accomplish goals that require exhaustive data on every file.

Main scenario

  1. Project maintainer hears about SPDX and decides to implement it for his project.
  2. Project maintainer creates SPDX file that describes his package (e.g. name, description, licenseDeclared, licenseConcluded, checksum (optional??), etc) but does not included information about the files in package and does not generate packageVerificationCode.
  3. Project maintainer publishes limited SPDX data for the  copyrightable artifact
  4. Lax SPDX consumer downloads  copyrightable artifact and its SPDX data.
  5. Lax SPDX consumer uses the package level licensing information to ensure they are in compliance with the licensing of the package.

Alternate scenario A

  1. Project maintainer hears about SPDX and decides to implement it for his project.
  2. Project maintainer creates SPDX file that describes his package (name, description, licenseDeclared, licenseConcluded, checksum, etc) but does not included information about the files in package and does not generate packageVerificationCode.
  3. Project maintainer publishes limited SPDX data for the copyrightable artifact
  4. Strict SPDX consumer downloads  copyrightable artifact and its SPDX file.
  5. Strict SPDX consumer reads the SPDX file and notes its incompleteness.
  6. Strict SPDX consumer initiates procedures to do a deeper analysis on the package so that its goals can be accomplished.

Success Scenario

  1. Wider adoption of SPDX by project maintainers providing licensing information in a standard (albeit non-exhaustive) format
  2. Consumers obtain licensing intentions of project maintainers in a standard (albeit non-exhaustive) format
  3. Consumers are able to contribute / build upon the initial low cost SPDX data to flesh it out