OpenChain-Project/License-Compliance-Specification

"Compliance Artifacts"

Closed this issue · 3 comments

This terminology is a bit stilted. I have found that it puts off clients who prefer to use terms like 'licence book' for a collection of the materials required to be distributed alongside the software to comply with the licences.

The definition is also a bit unclear: it talks about the output of the program which suggests that the generation of compliance artifacts is the only output from the program.

I suggest something like:

licence compliance materials
the set of materials required to be provided (by physical delivery, reference or otherwise) with a supplied software release in order to comply with the licenses applicable to the open source components contained within the supplied software

In the associated note, it may not be clear what 'SPDX documents' means without reference to the SPDX website and I would give consideration to adding a definition (which would preferably be text, although a reference to https://spdx.org/using-spdx-documents should be considered, in which case it should also be considered that this is made a normative reference).

The definition "Compliance Artifacts" was much discussed and intentionally chosen. To your point:

_it talks about the output of the program which suggests that the generation of compliance artifacts is the only output from the program_.

The intent was to define a concept that represents the "output" of the compliance "program". Precisely the stuff you can "trust", because it was produced by a certified program. It also includes specific examples for clarity.

For additional clarity we might consider adding:

compliance artifacts - a collection of artifacts that represent the output of the program that accompany the supplied software

zvr commented

a collection of artifacts that represent the output of the program that accompany the supplied software

It is now in the form "X that does Y that does Z"; I read it as "does Z" applies to Y.
Surely it is not the "program" that "accompanies the supplied software".

If both "does Y" and "does Z" apply to X, maybe just use "and"?

a collection of artifacts that represent the output of the program and accompany the supplied software

Alexios - your suggestion makes the definition more clear. This update has been incorporated into draft version rc3.