THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "Technical Team/Use Cases/2.0/Producing valid SPDX files in the face of missing data"

Change in this revision (diff view collapsed): the "Main scenario" and "Alternate scenario A" headings were changed from <h2> to <h3>.

Revision as of 15:59, 23 May 2012

Sometimes the data needed to populate all the fields in an SPDX file is not available. This can be because the data was collected in the past, before the full requirements of SPDX were known, or because the tools used to produce the SPDX files are not completely implemented. In these cases the SPDX producer would like to generate an SPDX file containing the information that is available, omitting anything that is not known, and have that file be considered a valid SPDX file. Consumers would then be able to consume the partial SPDX file and apply whatever trust metrics are appropriate given the information that is actually present.

Stakeholders and interests

  • SPDX producer:

    The agent that is generating the SPDX file. In this use case this agent does not have all the information required to populate all the mandatory parts of an SPDX file.

  • Lax SPDX consumer:

    An agent which is attempting to use the information encoded in the partial SPDX file and can still accomplish its goal in the face of missing information.

  • Strict SPDX consumer:

    An agent which is attempting to use the information encoded in the partial SPDX file but requires a full SPDX file to accomplish its goal.

Main scenario

  1. Long ago (before SPDX 1.0 was complete) SPDX producer analyzed a package using tooling that checksummed files using the SHA-256 algorithm.
  2. SPDX producer does not want to redo the analysis because it is too costly.
  3. SPDX producer generates an SPDX file which is complete and valid except that all checksum properties are omitted.
  4. SPDX producer delivers the SPDX file to Lax SPDX consumer.
  5. Lax SPDX consumer reads SPDX file, noting the lack of checksums, and uses the licensing information to ensure compliance with the package's licensing.

Alternate scenario A

  1. Long ago (before SPDX 1.0 was complete) SPDX producer analyzed a package using tooling that checksummed files using the SHA-256 algorithm.
  2. SPDX producer does not want to redo the analysis because it is too costly.
  3. SPDX producer generates an SPDX file which is complete and valid except that all checksum properties are omitted.
  4. SPDX producer delivers the SPDX file to Strict SPDX consumer.
  5. Strict SPDX consumer reads SPDX file and refuses to accept it because its trust heuristics require that checksums be present.
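As an added example covering both scenarios (not part of the original wiki page and not an SPDX project tool), a small Python consumer run over a constructed tag-value document from which every FileChecksum line has been omitted; the tag names follow SPDX tag-value syntax, while the package name, file paths and license values are made up. The lax consumer keeps the licensing result and lists the files it cannot verify; the strict consumer rejects the document outright.

```python
import re
# Constructed sample tag-value document: complete except that every
# FileChecksum line has been omitted (the producer's situation above).
PARTIAL_SPDX = """\
SPDXVersion: SPDX-1.1
PackageName: example-lib
PackageLicenseConcluded: MIT
FileName: ./src/example.c
LicenseConcluded: MIT
FileName: ./src/util.c
LicenseConcluded: Apache-2.0
"""

def parse_tag_value(text):
    """Split a tag-value document into document-level fields and per-file
    records; a FileName tag opens a new record (multi-line <text> not handled)."""
    doc, files, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "FileName":
            current = {"FileName": value, "FileChecksum": []}
            files.append(current)
        elif current is None:
            doc[tag] = value
        elif tag == "FileChecksum":
            current["FileChecksum"].append(value)
        else:
            current[tag] = value
    return doc, files

def files_without_checksum(files):
    return [f["FileName"] for f in files if not f["FileChecksum"]]

def lax_consume(text):
    """Lax consumer: uses the licensing data and records what is unverifiable."""
    _, files = parse_tag_value(text)
    licenses = sorted({f.get("LicenseConcluded", "NOASSERTION") for f in files})
    return {"licenses": licenses, "unverified_files": files_without_checksum(files)}

def strict_consume(text):
    """Strict consumer: refuses any document in which a file lacks a checksum."""
    _, files = parse_tag_value(text)
    missing = files_without_checksum(files)
    if missing:
        raise ValueError(f"rejected: {len(missing)} file(s) without FileChecksum")
    return {"licenses": sorted({f["LicenseConcluded"] for f in files})}
```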