Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -


Takahashi, Kentaro
 

Dear members,



We are in the license information exchange sub group under OpenChain Japan WG, and would like to propose a usage profile for SPDX3.0 on this mailing list based on Kate's suggestion as follows:



How can we describe "Reference to Local/Contract Documents" with External Document Ref Tag?



(1) Proposal of usage profile: including OSS policy and/or contract information on the SPDX (at chain basis)
As each company would have its own OSS policy, OSS related inconsistency may arise at each deal (each supply chain).
Generally, this kind of policy would be defined in the closed / local document such as policy, agreement, contract, and/or SPEC under each chain, and as such, it would not be applicable for SPDX2.2 for the moment.
However, for the purpose of clear data exchange at supply chain basis and of whole data exchange management, we would like to include OSS policy and/or contract information on the SPDX3.0 at chain basis.



(2) How can we do this?
For example, a restricted OSS license may be identified in the OSS policy. Also, such an OSS license may be approved only for prototype.
Accordingly, we are focused on "External Document References", "UsageInfo", "ValidUntil" to describe such information exchange with the following (A)-(D):


(A) In order to refer to the machine-readable "Agreement" in relation to product development between company A and company B:
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B file://anyware_but_not_disclosed_to_open/Agreement_Btw_A_B.txt Checksum_for_Agreement_Btw_A_B
Or
ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "Specific ID, Effective As Of or any other common identifier between supplier A and consumer B" Checksum_for_Agreement_Btw_A_B

(B) In order to describe UsageInfo for product defined in the Agreement between A and B:
DocumentRef-ThisSPDXID: SPDXID PREREQUISITE_FOR TargetProductInfo-ThisSPDXID
TargetProductInfo: TargetProductInfo-ThisSPDXID "Product Name which is written in Agreement_Btw_A_B"

(C) In order to pick up UsageInfo description about package "X" from the Agreement between A and B:
Package Description about "X".....
UsageInfo: <text>"Only for Verification but not for Final Product"</text> (Picked up from "Agreement_Btw_A_B").

(D) In order to define Expiration of This SPDX Document on Product Development:
ValidUntil: <text>"Next Scheduled Delivery of SPDX Doc"</text>



We are looking forward to receiving any feedback from others on this matter.


Thank you in advance!



Best regards,



Kentaro Takahashi

Intellectual Property Div.
TOYOTA MOTOR CORPORATION

Attention: The information contained in this email may be attorney/client privileged and confidential information intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please contact the sender by reply e-mail and destroy all copies of this e-mail message. Thank you.
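
An added example, not part of the original e-mail or of any SPDX tooling: a sketch of how consumer B could check its own copy of the agreement against the checksum carried in the ExternalDocumentRef line of proposal (A). It assumes the checksum is written in the SPDX 2.2 tag-value form "ALG: hex", relaxes the DocumentRef id pattern to accept the underscores used above, and runs on constructed sample data; the function names are hypothetical.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# SPDX 2.2 tag-value form: ExternalDocumentRef: DocumentRef-<id> <URI> <ALG>: <hex>
# Assumption: the id pattern is relaxed to accept "_" so the proposal's own id parses.
EXT_REF = re.compile(
    r"^ExternalDocumentRef:\s+(DocumentRef-[\w.+-]+)\s+(\S+)\s+(SHA1|SHA256):\s*([0-9a-fA-F]+)\s*$"
)
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def parse_external_refs(spdx_text):
    """Return {ref_id: (uri, algorithm, hex_digest)} for every ExternalDocumentRef line."""
    refs = {}
    for line in spdx_text.splitlines():
        m = EXT_REF.match(line.strip())
        if m:
            ref_id, uri, alg, digest = m.groups()
            refs[ref_id] = (uri, alg, digest.lower())
    return refs


def verify_local_copy(refs, ref_id, local_path):
    """Compare the consumer's own copy of the referenced document with the recorded digest."""
    # The URI is treated as an opaque identifier and is never fetched.
    if ref_id not in refs:
        return "unreferenced"
    _, alg, expected = refs[ref_id]
    actual = HASHES[alg](Path(local_path).read_bytes()).hexdigest()
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed sample: an agreement text and the SPDX fragment supplier A would send."""
    with tempfile.TemporaryDirectory() as tmp:
        agreement = Path(tmp) / "Agreement_Btw_A_B.txt"
        agreement.write_bytes(b"Package X: only for verification, not for final product.\n")
        digest = hashlib.sha256(agreement.read_bytes()).hexdigest()
        spdx = ("ExternalDocumentRef: DocumentRef-Agreement_Btw_A_B "
                f"file://not_disclosed/Agreement_Btw_A_B.txt SHA256: {digest}\n")
        refs = parse_external_refs(spdx)
        ok = verify_local_copy(refs, "DocumentRef-Agreement_Btw_A_B", agreement)
        agreement.write_bytes(b"Package X: approved for final product.\n")  # edited copy
        changed = verify_local_copy(refs, "DocumentRef-Agreement_Btw_A_B", agreement)
        return ok, changed
```

Because the consumer resolves the reference to a file it already holds, the undisclosed URI in the SPDX document never has to be reachable or trusted.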


Kate Stewart
 

Thanks for sending this Takahashi-san.

I'm forwarding this email for discussion on the spdx-tech mailing list
where the usage profile will be discussed.   spdx-tech is where we
are discussing the profiles.   spdx-general is low volume, and more 
for announcements.

Will follow up on the spdx-tech mail list.

Thanks,  Kate

---------- Forwarded message ---------
From: Takahashi, Kentaro <kentaro_takahashi@...>
Date: Tue, Jan 19, 2021 at 8:57 AM
Subject: [spdx] Usage profile for SPDX3.0 - proposal from OpenChain Japan WG -
To: spdx@... <spdx@...>

