Skip to content

Lifecycle Agreement Processes

Alex Flom edited this page May 14, 2026 · 2 revisions

Lifecycle: Agreement Processes

This chapter specifies Prism’s instance of the Agreement processes from ISO/IEC/IEEE 15288:2023 Clause 6.1. The two processes in this group concern the agreement under which a system is acquired or supplied between an acquirer and a supplier.

Note

Normative source: ISO/IEC/IEEE 15288:2023, Systems and software engineering — System life cycle processes, Third edition (2023-05). Published jointly by ISO, IEC, and IEEE; supersedes ISO/IEC/IEEE 15288:2015. ICS 35.080. Free preview (Foreword, Introduction, Clauses 1–3) at the ISO Online Browsing Platform: iso.org/obp. The standard’s Clause 6 organises the lifecycle process catalogue into four groups (Agreement, Organizational Project-Enabling, Technical Management, Technical); this chapter covers Clause 6.1.

Agreement processes do not have an instance in Prism’s architecture. Prism is a library distribution: the three crates uor-foundation, prism, and prism-verify are published to a registry, the Rust toolchain compiles application authors' source against them, and authors distribute the resulting executables to users by mechanisms Prism is silent on (ADR-004). No acquirer-supplier relationship is specified at any boundary of the system, nor required for the system to function. The two sections below record this explicitly per process, documenting the absence of an agreement instance.

Acquisition

Not applicable to Prism.

The 15288 Acquisition process governs the activities by which an acquirer obtains a system, product, or service from a supplier. Prism’s distribution channel is external to Prism’s specification (ADR-004, constraint TC-06): the application author publishes the executable to a channel of their choosing, and the application user obtains it from that channel. Prism does not interact with the channel. The channel does not appear as an actor in Prism’s Level 1 system context (section 3, Context and Scope). No acquirer role is specified by Prism’s architecture, so no acquisition process inheres in the system.

The Rust toolchain’s interactions with crates.io (where uor-foundation, prism, and prism-verify are published) are ordinary package-manager mechanics, not an acquisition process Prism specifies.

Supply

Not applicable to Prism.

The 15288 Supply process governs the activities by which a supplier provides a system, product, or service to an acquirer in accordance with an agreement. Prism’s three crates are published as ordinary Rust library distributions; their delivery is a one-way publication event to the registry, not an agreement-bound supply process. The application author, who is downstream of the crate publication, does not enter into a supply agreement with the UOR Foundation as part of using Prism. The Foundation publishes the crates; once published, the crates are ordinary library dependencies the Rust toolchain resolves locally. Constraint TC-06 (no application-author infrastructure) ensures that an application’s runtime correctness does not depend on the Foundation’s services either, since the application’s runtime depends only on its compiled-in code, not on any service.

A supplier role exists only at the boundary between the application author and the application user (the author supplies the executable); that boundary is external to Prism’s specification per ADR-004.

Clone this wiki locally