[spdx-tech] [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -

Takahashi, Kentaro <kentaro_takahashi@...>

Thank you for your kind support, Kate-san!

Best regards,

Kentaro Takahashi

-----Original Message-----
From: Spdx-tech@... [mailto:Spdx-tech@...] On Behalf
Of Kate Stewart
Sent: Wednesday, January 20, 2021 12:27 AM
To: spdx-tech@...
Cc: SPDX-general <spdx@...>
Subject: [spdx-tech] [spdx] Usage profile for SPDX3.0 - proposal from
OpenChain Japan WG -

Thanks for sending this Takahashi-san.

I'm forwarding this email for discussion on the spdx-tech mailing list
where the usage profile will be discussed. spdx-tech is where we
are discussing the profiles. spdx-general is low volume, and more
for announcements.

Will follow up on the spdx-tech mail list.

Thanks, Kate

---------- Forwarded message ---------
From: Takahashi, Kentaro <kentaro_takahashi@...>
Date: Tue, Jan 19, 2021 at 8:57 AM
Subject: [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan
WG -
To: spdx@...

Dear members,

We are in the license information exchange sub group under OpenChain Japan
WG, and would like to propose a usage profile for SPDX3.0 on this mailing list
based on Kate's suggestion as follows:

How can we describe "Reference to Local/Contract Documents" with External
Document Ref Tag?

(1) Proposal of usage profile: including OSS policy and/or contract information
on the SPDX (at chain basis)
As each company would have its own OSS policy, OSS-related inconsistency may
arise at each deal (each supply chain).
Generally, this kind of policy would be defined in a closed / local document
such as a policy, agreement, contract, and/or SPEC under each chain, and as
such, it would not be applicable for SPDX2.2 for the moment.
However, for the purpose of clear data exchange at supply chain basis and of
whole data exchange management, we would like to include OSS policy and/or
contract information on the SPDX3.0 at chain basis.

(2) How can we do this?
For example, a restricted OSS license may be identified in the OSS policy. Also,
such an OSS license may be approved only for prototypes.
Accordingly, we are focused on "External Document References", "UsageInfo",
"ValidUntil" to describe such information exchange with the following (A)-(D):

(A) In order to refer to the machine readable "Agreement" in relation to product
development between company A and company B:
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID,
Effective As Of or any other common identifier between supplier A and
consumer B" Checksum_for_Agreement_Btw_A_B

(B) In order to describe UsageInfo for product defined in the Agreement
between A and B:
TargetProductInfo: TargetProductinfo-ThisSPDXID "Product Name which
is written in Agreement_Btw_A_B"

(C) In order to pick up UsageInfo description about package "X" from the
Agreement between A and B:
Package Description about "X".....
UsageInfo:<text> "Only for Verification but not for Final Product" </text>
(Picked up from "Agreement_Btw_A_B").

(D) In order to define Expiration of This SPDX Document on Product
ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text>

We are looking forward to receiving any feedback from others on this matter.

Thank you in advance!

Best regards,

Kentaro Takahashi

Intellectual Property Div.
