THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Use Cases/2.0

From SPDX Wiki

We have several sources to begin pulling SPDX use cases from:

  1. The pad from earlier conversations, collected at Use Cases For SPDX 2.0 Discussion
  2. The old SPDX 1.0 Use Cases, as well as the SPDX 1.0 Use Case Picture.

Use Cases

I'd like to propose that we flesh out use cases here by having a brief summary listed here as a link to a more detailed child page. Note: these use cases should be doable but in general not required. Any item listed here that is not a link should have a child page created for it.

  1. Code commits (original work intended for the project)
    1. Committer provides SPDX data [OK]
    2. Contributor makes commit subject to existing SPDX data of project [OK]
  2. Committer annotates source files with SPDX data [OK]
  3. Patches (original work intended for the project)
    1. Patch provider provides SPDX data for the patch [OK]
    2. Patch provider provides SPDX data for the patch indicating it is licensed however the hell it's applied [OK]
    3. Patch provider provides patch subject to existing SPDX data of project [OK]
  4. Patch provider provides a patch that modifies existing SPDX data of project
    1. Downstream consumers contributing patches to provide SPDX data to an upstream that doesn't have it. [OK]
    2. Downstream consumers contributing patches to provide corrections to SPDX data for an upstream that does have it. [OK]
  5. Upstream maintainer providing SPDX data
    1. Upstream maintainer providing SPDX data in source archive [OK]
    2. Upstream maintainer providing SPDX data in SCM [OK]
    3. Upstream maintainer providing SPDX data at a URL [OK]
    4. Upstream maintainer preparing release artifacts (including SPDX data). [OK]
  6. Project maintainer incorporates another project
    1. Project maintainer incorporates another project by including source [OK]
    2. Project maintainer incorporates another project by including binary [OK]
    3. Project maintainer pulling individual files out of another project (subsetting) [OK]
  7. Ease adoption
    1. Allow a low investment SPDX producer to produce valid SPDX data [OK-fathomed but not Approved for Implementation]
    2. Produce a valid SPDX dataset even if some data is missing [OK]
  8. Intermediate packager (rpm, deb, etc) passing on and adding to SPDX Data
    1. Intermediate packager builds source package from upstream source
      1. Intermediate packager builds source package from upstream source that provides SPDX data [OK]
      2. Intermediate packager builds source package from upstream source that does not provide SPDX data [OK]
    2. Intermediate packager builds binary package from upstream source
      1. Intermediate packager builds binary package from upstream source that provides SPDX data [OK]
      2. Intermediate packager builds binary package from upstream source that does not provide SPDX data [OK]
    3. Intermediate packager adds patches to upstream source
      1. Intermediate packager adds patches to upstream source that provides SPDX data [OK]
      2. Intermediate packager adds patches to upstream source that does not provide SPDX data [OK]
    4. Intermediate packager adds someone else's patches to upstream source
      1. Intermediate packager adds someone else's patches to upstream source that provides SPDX data [OK]
      2. Intermediate packager adds someone else's patches to upstream source that does not provide SPDX data [OK]
    5. Intermediate packager subsetting upstream source
      1. Intermediate packager subsetting upstream source that provides SPDX data [OK]
      2. Intermediate packager subsetting upstream source that does not provide SPDX data [OK]
  9. Build systems (build systems want to pass on SPDX data for the thing they are building)
    1. Yocto [OK]
    2. Linking
      1. Debian has an interest in only building things that are linking license compatible [OK]
    3. I just made a binary out of some source
      1. SPDX data indicating subset of the source that made it into a particular binary or binary package [OK]
  10. Aggregator aggregating many 'copyrightable items' for redistribution
    1. Linux Distros [OK]
    2. Embedded Images (e.g. router images, switch images) [OK]
    3. Reference implementations [OK]
    4. Application which ships with documentation + media + software [OK]
    5. Application which ships with contrib libraries [OK]
    6. Application which ships with development tools [OK]
    7. Subsetting out only the shippable bits of stuff coming from an SDK [OK]
    8. Aggregators aggregating other aggregations for redistribution [OK]
  11. Consumers receiving SPDX data
    1. Provide sufficient data to allow the consumer to comply with licenses on redistribution (Alcatel-Lucent requirements attached) [OK]
  12. Consuming code snippets (God help us all) (subfile pieces of code not originally intended for the project) [OK]
  13. Signoff/multiple signoff on SPDX data
    1. Contracts with multiple parties requiring signoff by all [MORE INFO REQUESTED Kate Stewart]
  14. Third party does licensing analysis
    1. Third party generates license analysis [OK]
    2. Collecting enough information to allow auditor to make recommendations to remove or not a component [OK]
  15. Auditor analyzing/sanity-checking/correcting the Bill of Materials he's handed
    1. Backtrack from compiled/binary file to constituent files [MORE STUDY NEEDED]
    2. outbound: validate that SPDX goes hand in hand with what's being shipped (Kirsten Newcomer)
      1. Check to see if the SPDX data provided matches the files provided [OK larger scope]
  16. Extensions:
    1. Communicate data beyond what is described in spec between consenting parties w/o breaking consumers that are not in the know [OK]
    2. License list extensions, how do you handle folks who have more licenses than SPDX [OK]
    3. Decorating an already produced and signed SPDX dataset with extension data [OK]
  17. Other arising during vetting...
    1. Given 2 SPDX files about the same codebase from the same source, be able to tell which is the later rev / more current and correct one. [DETAIL PAGE NEEDS TO BE WRITTEN - seems to be asking for something more robust than just a later date on one SPDX file vs. the other, rather 'signing with revisioning', where the later revision may reference the earlier and declare it is an amendment to the earlier one]

Cross-cutting concerns

  1. Provenance (the need to optionally use signing to validate who said what)
  2. Trust
  3. Handling staleness of data
  4. Composite licensing
  5. Ease of sharing information
    1. Collecting tribal knowledge along the way
  6. Guarding against file bloat
  7. Simple simple simple
  8. SPDX-Lite: there's interest in something SPDX-Lite-like; see https://bugzilla.yoctoproject.org/show_bug.cgi?id=4516
  9. Clarity
  10. Automation/toolifiability
  11. Regionality

Themes

Looking at these Use Cases, there are some underlying themes:

  1. Root of data (closer to upstream the better)
  2. Subsetting of copyrightable things (and their SPDX data) (Note: Subsets of copyrightable things are usually also copyrightable things)
  3. Aggregation of copyrightable things (and their SPDX data) (Note: Aggregations of copyrightable things are usually also copyrightable things).