THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Use Cases/2.0/Producing valid SPDX files in the face of missing data

From SPDX Wiki

Sometimes the data needed to populate every field of an SPDX file is not available. This can be because the data was collected before the full requirements of SPDX were known, or because the tools used to produce the SPDX file are not completely implemented. In these cases the SPDX producer would like to generate an SPDX file from the information that is available, omit whatever is not known, and still have the file considered a valid SPDX file. Consumers could then consume the partial SPDX file and apply whatever trust metrics are appropriate to the information that is actually present.

Stakeholders and interests

  • SPDX producer

    The agent that generates the SPDX file. In this use case the agent does not have all the information required to populate every mandatory part of an SPDX file.

  • Lax SPDX consumer

    An agent that attempts to use the information encoded in the partial SPDX file and can still accomplish its goal despite the missing information.

  • Strict SPDX consumer

    An agent that attempts to use the information encoded in the partial SPDX file but requires a full SPDX file to accomplish its goal.

Main scenario

  1. Long ago (before SPDX 1.0 was complete) the SPDX producer analyzed a package using tooling that checksummed files with the SHA-256 algorithm. SPDX requires a SHA-1 checksum for each file, so these values cannot fill the mandatory checksum field.
  2. The SPDX producer does not want to redo the analysis because it is too costly.
  3. The SPDX producer generates an SPDX file that is complete and valid except that all checksum properties are omitted.
  4. The SPDX producer delivers the SPDX file to the Lax SPDX consumer.
  5. The Lax SPDX consumer reads the SPDX file, notes the lack of checksums, and uses the licensing information to ensure compliance with the package's licensing.

Alternate scenario A

  1. Long ago (before SPDX 1.0 was complete) the SPDX producer analyzed a package using tooling that checksummed files with the SHA-256 algorithm. SPDX requires a SHA-1 checksum for each file, so these values cannot fill the mandatory checksum field.
  2. The SPDX producer does not want to redo the analysis because it is too costly.
  3. The SPDX producer generates an SPDX file that is complete and valid except that all checksum properties are omitted.
  4. The SPDX producer delivers the SPDX file to the Strict SPDX consumer.
  5. The Strict SPDX consumer reads the SPDX file and refuses to accept it because its trust heuristics require that checksums be present.
  6. The Strict SPDX consumer either proceeds without SPDX information for this package or requests that the SPDX producer produce an SPDX file with checksums.
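How a lax and a strict consumer can act on the partial file from the main scenario and from alternate scenario A, as an added example: this is not code from the original page or from any SPDX project tool. It reads an SPDX 2.x tag-value document with a small reader that covers only the subset of the format the constructed sample uses (one "Tag: value" per line, no <text> blocks, no package-level tags after the first FileName). It also goes one step beyond the scenarios: a producer variant that does emit the SHA-256 digests it has is included, because SPDX 2.x permits additional algorithms on FileChecksum but still requires SHA1, so a strict consumer rejects that file as well. The sample document, package and file names, tool name and digests are all constructed, and the function names are the example's own.

```python
# Added example, not SPDX project code; the reader handles only the subset of
# the tag-value format the constructed sample uses (see lead-in).
import hashlib
import re
from collections import namedtuple

# Constructed sample: an SPDX 2.2 document whose producer dropped every
# FileChecksum because its old tooling only recorded SHA-256 digests.
PARTIAL_SPDX = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
DocumentName: libwidget-1.4
DocumentNamespace: http://example.invalid/spdxdocs/libwidget-1.4
Creator: Tool: legacy-scanner-0.3

PackageName: libwidget
SPDXID: SPDXRef-Package-libwidget
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: true
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT

FileName: ./src/widget.c
SPDXID: SPDXRef-File-widget-c
LicenseConcluded: MIT
LicenseInfoInFile: MIT

FileName: ./src/compat.c
SPDXID: SPDXRef-File-compat-c
LicenseConcluded: BSD-2-Clause
LicenseInfoInFile: BSD-2-Clause
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_tag_value(text):
    """Return the document as an ordered list of (tag, value) pairs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"malformed tag-value line: {raw!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs

def file_records(pairs):
    """Group the tags that follow each FileName into one record per file."""
    files, current = [], None
    for tag, value in pairs:
        if tag == "FileName":
            current = {"FileName": value, "FileChecksum": {}}
            files.append(current)
        elif current is None:
            continue  # document- or package-level tag, not part of a file
        elif tag == "FileChecksum":
            algo, _, digest = value.partition(":")  # "SHA1: <hex>" -> algo, hex
            current["FileChecksum"][algo.strip()] = digest.strip()
        else:
            current[tag] = value
    return files

def files_missing_sha1(files):
    """Files lacking the checksum SPDX 2.x makes mandatory; other algorithms do not count."""
    return [f["FileName"] for f in files if "SHA1" not in f["FileChecksum"]]

def with_checksums(text, algo, digests):
    """Producer helper: add a FileChecksum of the given algorithm after each file's SPDXID."""
    for spdx_id, digest in digests.items():
        anchor = f"SPDXID: {spdx_id}\n"
        text = text.replace(anchor, anchor + f"FileChecksum: {algo}: {digest}\n")
    return text

# Variant in which the producer emits the SHA-256 digests it does have.  SPDX 2.x
# allows extra algorithms on FileChecksum but still requires SHA1, so this file is
# still partial.  The digests are of constructed file contents.
SHA256_ONLY_SPDX = with_checksums(PARTIAL_SPDX, "SHA256", {
    "SPDXRef-File-widget-c": hashlib.sha256(b"int widget(void) { return 1; }\n").hexdigest(),
    "SPDXRef-File-compat-c": hashlib.sha256(b"int compat(void) { return 0; }\n").hexdigest(),
})

ConsumerResult = namedtuple("ConsumerResult", "accepted licenses warnings")

def lax_consumer(text):
    """Use the licensing data that is present; record what could not be verified."""
    pairs = parse_tag_value(text)
    gaps = files_missing_sha1(file_records(pairs))
    licenses = {v for t, v in pairs if t in ("PackageLicenseConcluded", "LicenseConcluded")}
    warnings = [f"{name}: no SHA1 checksum, file identity not verifiable" for name in gaps]
    return ConsumerResult(True, licenses, warnings)

def strict_consumer(text):
    """Refuse any document in which a file lacks its mandatory SHA1 checksum."""
    gaps = files_missing_sha1(file_records(parse_tag_value(text)))
    if gaps:
        return ConsumerResult(False, set(), [f"rejected: {len(gaps)} file(s) without SHA1"])
    return lax_consumer(text)
```

Running `lax_consumer(PARTIAL_SPDX)` returns the two concluded licenses (MIT and BSD-2-Clause) together with one warning per file, which is the main scenario: the consumer does its licensing job and records what it could not verify. `strict_consumer` rejects both `PARTIAL_SPDX` and `SHA256_ONLY_SPDX` and only accepts a document once every file carries a SHA1 checksum, which is why, in alternate scenario A, the producer's only way to satisfy it is to rerun the analysis with SHA-1 rather than to re-emit the SHA-256 values it already has.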