
Usage profile #191

Open
wants to merge 5 commits into
base: usage-profile

Conversation

yoshi-i
Contributor

@yoshi-i yoshi-i commented Apr 11, 2023

Model descriptions with drawio and supplemental pdf document of Usage Profile

Signed-off-by: Yoshiyuki Ito [email protected]

Member


This SVG should be a rendering of the drawio? It just shows the github icon for me:
[screenshot: 2023-04-11_16-52-18]

Contributor Author


@maxhbr -san, it was overwritten by my operation mistake. I've committed the correct one.

maxhbr previously requested changes Apr 11, 2023

<!DOCTYPE html>
Member


I am not able to open this drawio file, as it seems to be an HTML GitHub page.

@swinslow
Member

Hello,

It doesn't look like there is a way to comment inline in the PDF itself, so I'm replying with a couple of thoughts here.

For slide 6 "Terms of Use for these deliverables": if this is about a contractual limitation on use, wouldn't that be more appropriate to include a licensing profile section with a LicenseRef- ID, pointing to the text of the contract? I don't think a separate field to refer to a contract that imposes different limitations on use of software would be helpful, since it would require an SBOM recipient to look in two separate places to understand the license limitations.

For slide 7 "Expiration date and time OR Expiration event": similarly, it would be helpful to have more explanation to understand what is "expiring" in this situation. I assume that it wouldn't be either the SBOM itself, or the license to use the software. Is there something else that is "expiring"?

Member

@goneall goneall left a comment


I just saw @maxhbr comment - indeed the draw.io file is HTML rather than the draw.io data which can be downloaded.

@yoshi-i
Contributor Author

yoshi-i commented Apr 19, 2023

I just saw @maxhbr comment - indeed the draw.io file is HTML rather than the draw.io data which can be downloaded.

Sorry, I've re-committed at #38f3040 for that drawio file.

Member

@goneall goneall left a comment


LGTM - Thanks @yoshi-i

@goneall
Member

goneall commented Apr 24, 2023

@maxhbr - pls review and if OK, we can merge

@maxhbr maxhbr dismissed their stale review April 24, 2023 06:58

outdated

Member


I do not understand the USAGE OPERATOR, are there some examples?

Member


This uses the DESCRIBES relation, but that is (at least in 2.3) defined as "Is to be used when SPDXRef-DOCUMENT describes SPDXRef-A." with the example "An SPDX document WildFly.spdx describes package ‘WildFly’. Note this is a logical relationship to help organize related items within an SPDX document that is mandatory if more than one package or set of files (not in a package) is present.". Not sure if it is valid in this usecase.
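To make the SPDX 2.3 definition quoted above concrete, here is an added check (not code from this PR or from the SPDX project) that runs over a constructed tag-value fragment: it flags any DESCRIBES relationship whose source is not SPDXRef-DOCUMENT, and the case where more than one package is present without a document-level DESCRIBES.

```python
"""Checks derived from the SPDX 2.3 definition of DESCRIBES.
Added example; the sample document below is constructed, not from this PR."""
import re

# Constructed tag-value fragment: two packages, one DESCRIBES from the
# document (valid per 2.3) and one DESCRIBES from a package (the usage
# whose validity is questioned in the review comment above).
SAMPLE = """\
SPDXID: SPDXRef-DOCUMENT
PackageName: WildFly
SPDXID: SPDXRef-Package-WildFly
PackageName: ExampleLib
SPDXID: SPDXRef-Package-ExampleLib
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-WildFly
Relationship: SPDXRef-Package-WildFly DESCRIBES SPDXRef-Package-ExampleLib
Relationship: SPDXRef-Package-WildFly DEPENDS_ON SPDXRef-Package-ExampleLib
"""

# Tag-value relationship line: "Relationship: <left> <TYPE> <right>"
REL_RE = re.compile(r"^Relationship:\s*(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse(text):
    """Collect package names and (left, type, right) relationship triples.
    Files outside any package are not tracked in this simplified parser."""
    packages, relationships = [], []
    for line in text.splitlines():
        if line.startswith("PackageName:"):
            packages.append(line.split(":", 1)[1].strip())
        m = REL_RE.match(line)
        if m:
            relationships.append(m.groups())
    return packages, relationships


def check_describes(text):
    """Return a list of findings; an empty list means the fragment is
    consistent with the 2.3 definition of DESCRIBES."""
    packages, rels = parse(text)
    findings = []
    describes = [r for r in rels if r[1] == "DESCRIBES"]
    for left, _, right in describes:
        # 2.3: DESCRIBES is for "SPDXRef-DOCUMENT describes SPDXRef-A"
        if left != "SPDXRef-DOCUMENT":
            findings.append(f"DESCRIBES from {left} to {right}: "
                            "source must be SPDXRef-DOCUMENT")
    # 2.3: mandatory when more than one package is present
    if len(packages) > 1 and not any(r[0] == "SPDXRef-DOCUMENT" for r in describes):
        findings.append("more than one package but no DESCRIBES from SPDXRef-DOCUMENT")
    return findings
```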

Member


This shows a specific way of how licensing information is expressed, which might not align with the actual future of the licensing profile. Maybe this could be made transparent

Member


I think we always use singular:

  • Deliverables -> Deliverable
  • comments -> comment

Member


The AND and OR look very similar to license expressions and might cause confusion.

Member


Could you maybe instead provide some file that can be edited and further improved instead of a PDF?

@kestewart kestewart added this to the 3.0 milestone May 6, 2023
@kestewart kestewart modified the milestones: 3.0, 3.1 Oct 21, 2023
5 participants