With still some work to do regarding build and assessment modeling, I uploaded the DOCX and the referenced SVG figures in GitHub and on Google drive, in the modeling directories.
I won't be able to connect for the length of my flight back to Europe.
I'll connect again tomorrow evening (likely) and monday (certainly).
From: Philippe-Emmanuel Douziech Sent: Thursday, December 12, 2019 1:27 PM
To: Gary O'Neall
Cc: Subject: RE: Model suggestions for the IP / licensing section
Since yesterday, I worked on updating the configuration of my generation tool according to the results of the discussions yesterday. I'm almost done for most of the model (see below). I'm checking the generated word document for obvious mistakes before I share it in the Google Drive and in the Github project.
The area of the model that were still to finalize with the help of the experts among us were:
* required modeling to support document signature
* the detailed licensing part, for which I was adding the license reference modeling in case there is a non-standard license found and used in the license _expression_ (the discussed plan was to not include the whole modeling capability of SPDX)
* required modeling to capture the actions of build activities and assessment activities
I'll try and post before my flight today.
From: Gary O'Neall Sent: Thursday, December 12, 2019 11:32 AM
To: Philippe-Emmanuel Douziech
Cc: Subject: Model suggestions for the IP / licensing section
Following up on the model discussion yesterday, I can provide you some UML in XMI format. Let me know if you would prefer an email, attachment to a github issue or pull request. If you could also point me to the repo that contains your XMI files, I’ll start with those.
Also, FYI, the XMI for SPDX 2.2 is at https://github.com/spdx/spdx-spec/blob/development/v2.2/model/spdx-model.xmi
Since yesterday, I have been thinking about simplifying the SBOM model. For the licensing, we could include license expressions rather than the full model of licenses.
The full license model is rather complex. It does, however, allow for much stronger validation and the ability to query the graph of license information to answer important questions for some of the use cases. Most users, however, will only want to express the license for a given material/artifact and the complex license will likely just get in the way.
The license _expression_ is reasonably well defined in BNF in the SPDX spec Appendix IV. For many of the serialization formats (e.g. XML, JSON, YAML) we are storing the license information as expressions in SPDX. Only RDF/XML uses the full graph.
My recommendation is to use the simpler license expressions.
Philippe and the rest of the SBOM community, please let me know if you disagree.
Source Auditor Inc.
Email: CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.