THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx
Difference between revisions of "Technical Team/Use Cases/2.0/Third party produces bill of materials for software package"
Revision as of 18:19, 25 May 2012
An organization desires to understand the legal obligations associated with their intended use of a software package. To gain insight the organization requests a third party to audit their entire codebase to determine all rights holders and licenses for every file in the codebase.
Stakeholders and Interests
- Developer
The organization developing (or in possession of) the code that wants to understand the licensing and rights holders of that code.
- Compliance office
The organization that is responsible for ensuring that the licensing of the code is complied with.
- Analyzer
Third party that needs to analyze the codebase and inform the auditee of what the licensing is and who the rights holders are.
Main Success Scenario
1. Developer delivers code to analyzer
2. Analyzer extracts licensing and copyright information from files
3. Analyzer identifies sub-components for which SPDX files already exist
4. Analyzer imports/embeds SPDX data for pre-analyzed sub-components
5. Analyzer determines the following for every remaining file in the code base:
   - Rights holders
   - Licensing terms
   - Membership in a package/component which is included in the codebase
6. Analyzer provides the above data to the auditee
7. Compliance office looks at the concluded licensing and rights holders and takes any necessary actions to comply with the licenses
Alternate Scenario A
1. Developer delivers code to analyzer
2. Analyzer extracts licensing and copyright information from files
3. Analyzer identifies sub-components for which SPDX files already exist
4. Analyzer imports/embeds SPDX data for pre-analyzed sub-components
5. Analyzer determines the following for every remaining file in the code base:
   - Rights holders
   - Licensing terms
   - Membership in a package/component which is included in the codebase
6. Analyzer provides the above data to the Compliance office.
7. Compliance office looks at the concluded licensing and rights holders and determines that certain sub-components are unacceptable.
8. Developer removes the offending sub-components.
9. Developer delivers the modified code to the analyzer.
10. Analyzer redoes the analysis and provides new SPDX data to the Compliance office.
11. Compliance office looks at the concluded licensing and rights holders and takes any necessary actions to comply with the licenses
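The analyzer steps of both scenarios (extract per-file license and copyright data, embed existing SPDX data for a pre-analyzed sub-component, derive package membership, then let the compliance office reject components and re-run after the developer removes them) can be walked through with a small script. The following is an added example written for this page; it is not SPDX project code and not a real SPDX parser. The codebase, the pre-analyzed sub-component record, the "third_party/<name>/" directory convention used to derive package membership, and the policy of which licenses are unacceptable are all constructed assumptions. License identifiers (MIT, Apache-2.0, GPL-3.0-only) and NOASSERTION are real SPDX values.

```python
import re
from dataclasses import dataclass

# Constructed sample codebase (path -> contents), standing in for what the
# developer delivers to the analyzer. Not taken from any real project.
CODEBASE = {
    "src/main.c": "// SPDX-License-Identifier: MIT\n"
                  "// Copyright (c) 2012 Example Corp\nint main(void) { return 0; }\n",
    "src/util.c": "/* Copyright 2011 Jane Doe */\nint util(void) { return 1; }\n",
    "third_party/libfoo/foo.c": "/* SPDX-License-Identifier: Apache-2.0 */\n"
                                "/* Copyright (c) 2010 Foo Project */\n",
    "third_party/libfoo/foo.h": "/* SPDX-License-Identifier: Apache-2.0 */\n",
    "third_party/crunch/crunch.c": "// SPDX-License-Identifier: GPL-3.0-only\n"
                                   "// Copyright (c) 2009 Crunch Authors\n",
}

# Constructed stand-in for an SPDX document that already exists for one
# sub-component (steps 3 and 4): the analyzer embeds it instead of re-analyzing.
PRE_ANALYZED = {
    "third_party/libfoo/": {
        "package": "libfoo",
        "license_concluded": "Apache-2.0",
        "copyright_holders": ["Foo Project"],
    },
}

LICENSE_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
# Captures the holder from lines such as "Copyright (c) 2012 Example Corp" or
# "/* Copyright 2011 Jane Doe */"; the optional year and trailing "*/" are dropped.
COPYRIGHT_LINE = re.compile(
    r"Copyright\s+(?:\(c\)\s*)?(?:\d{4}\s+)?(.+?)\s*(?:\*/)?\s*$", re.MULTILINE)


@dataclass
class FileRecord:
    path: str
    license_concluded: str      # SPDX license id, or NOASSERTION when no tag was found
    copyright_holders: list     # rights holders named in the file (or in embedded SPDX data)
    package: str                # enclosing package/component; "application" for first-party code
    source: str                 # "embedded" (existing SPDX data) or "extracted" (scanned here)


def analyze(codebase, pre_analyzed):
    """Steps 2-5: one record per file, embedding existing SPDX data where it exists."""
    records = []
    for path in sorted(codebase):
        prefix = next((p for p in pre_analyzed if path.startswith(p)), None)
        if prefix is not None:
            spdx = pre_analyzed[prefix]
            records.append(FileRecord(path, spdx["license_concluded"],
                                      list(spdx["copyright_holders"]),
                                      spdx["package"], "embedded"))
            continue
        text = codebase[path]
        tag = LICENSE_TAG.search(text)
        license_id = tag.group(1) if tag else "NOASSERTION"
        holders = COPYRIGHT_LINE.findall(text)
        # Assumed convention: third_party/<pkg>/... belongs to package <pkg>.
        parts = path.split("/")
        package = parts[1] if parts[0] == "third_party" and len(parts) > 2 else "application"
        records.append(FileRecord(path, license_id, holders, package, "extracted"))
    return records


def bill_of_materials(records):
    """Step 6: summarize per package the concluded licenses and rights holders."""
    bom = {}
    for r in records:
        entry = bom.setdefault(r.package, {"licenses": set(), "holders": set(), "files": 0})
        entry["licenses"].add(r.license_concluded)
        entry["holders"].update(r.copyright_holders)
        entry["files"] += 1
    return bom


def compliance_review(records, unacceptable_licenses):
    """Step 7 of Alternate Scenario A: packages the compliance office rejects."""
    return sorted({r.package for r in records if r.license_concluded in unacceptable_licenses})


def remove_components(codebase, records, packages):
    """Step 8: the developer drops every file belonging to a rejected package."""
    drop = {r.path for r in records if r.package in packages}
    return {p: c for p, c in codebase.items() if p not in drop}


if __name__ == "__main__":
    policy = {"GPL-3.0-only"}           # constructed policy for this example
    records = analyze(CODEBASE, PRE_ANALYZED)
    for pkg, entry in bill_of_materials(records).items():
        print(pkg, sorted(entry["licenses"]), sorted(entry["holders"]), entry["files"])
    rejected = compliance_review(records, policy)
    print("rejected:", rejected)
    # Steps 9-11: re-run the analysis on the trimmed codebase.
    again = analyze(remove_components(CODEBASE, records, rejected), PRE_ANALYZED)
    print("rejected after rework:", compliance_review(again, policy))
```

Files without an SPDX tag are reported as NOASSERTION rather than guessed, so the compliance office sees them as open questions (src/util.c above has a named rights holder but no concluded license). The second analyze() call is what step 10 of Alternate Scenario A describes: the analyzer does not patch the old report, it regenerates the data from the code actually delivered.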