SPDX Section 5.0

 

 

 

5. File Specific Information

This section is used to list information for the files in the package.

One instance should be created for each file. Each file instance should have the following fields.

Fields:

  • 5.1. Full File Name

    • 5.1.1. Purpose: Identify path to file that corresponds to this information.

    • 5.1.2. Intent: Here, any confusion over where in the directory hierarchy a file needs to be placed for proper functionality is mitigated.

    • 5.1.3. Cardinality: Mandatory single instance

    • 5.1.4. Tag: "Name"

    • 5.1.5. RDF: /RDF/SPDXDoc/Describes/File/Name

    • 5.1.6. Data Format: [directory/]filename.suffix

    • 5.1.7. Example: Name: /bar/foo.c

     

  • 5.2. File Type

    • 5.2.1. Purpose: This field identifies common types of files where there may be different treatment of copyright and license information: source, binary, machine generated, etc.

    • 5.2.2. Intent: Here, this field is the "best available" format field, from a developer's perspective.

    • 5.2.3. Cardinality: Optional single instance

    • 5.2.4. Tag: "Type:"

    • 5.2.5. RDF: /RDF/SPDXDoc/Describes/File/Type

    • 5.2.6. Data Format: “source” | “binary” | “archive” | “other”

    • 5.2.7. Example: Type: binary

     

  • 5.3. License(s)

    • 5.3.1. Purpose: This field contains the license governing the file, if it is known. It will either be explicit from the file header or other information found in the file’s source code, or be the default from the package. If no license information is found, it should be denoted as “NotSpecified”. If no license information can be determined, the license is denoted as “Unknown”. The licenses should use the standard short form names. See Appendix I for standardized license short forms. If a Detected License is not one of the standardized license short forms, this field must contain a reference to the full license text included in this SPDX file in section 4. If more than one license is detected in the file, then each should be listed. If any of the detected licenses offer the recipient a choice of licenses, then each of the choices will be declared as a “disjunctive” license.

    • 5.3.2. Intent: Here, the intent is to have a uniform method to refer to each license with specificity to eliminate any license confusion. For example, the 3-clause BSD would have a different license identifier than the 4-clause BSD.

    • 5.3.3. Cardinality: Mandatory, one or many.

    • 5.3.4. Tag: "License:"

      [“License/DisjunctiveLicense:”]

    • 5.3.5. RDF:

      /RDF/SPDXDoc/Describes/File/License

      /RDF/SPDXDoc/Describes/File/License/DisjunctiveLicense

    • 5.3.6. Data Format: <short form identifier in Appendix I> | "FullLicense"-N

    • 5.3.7. Example:

      License: GPL-2.0

      License: FullLicense-2

     

  • 5.4. Copyright Information Detected

    • 5.4.1. Purpose: This field identifies the copyright holders and associated dates of their copyright that are in this specific file if known. Note: Copyright holder identifier may have developer names, companies, email addresses, and may be specified in international character sets. This will be a freeform text field extracted from the package information files.

    • 5.4.2. Intent: Here, similar to identifying the actual author(s) (above), by identifying the copyright holder(s), the copyright holder(s) may be contacted if licensing issues exist with the package, or to request distribution under another license more compatible with a given implementation, for example.

    • 5.4.3. Cardinality: Mandatory, single instance

    • 5.4.4. Tag: "Copyright:"

    • 5.4.5. RDF: /RDF/SPDXDoc/Describes/File/Copyright

    • 5.4.6. Data Format: free form text | "unknown"

    • 5.4.7. Example: Copyright: Copyright 2008-2010 John Smith

     

  • 5.5. File Identifier

    • 5.5.1. Purpose: Provide a unique identifier to match analysis information on specific files between packages.

    • 5.5.2. Intent: Here, by providing a unique identifier for each file, confusion over which version/modification of a specific file the Identification Information references should be eliminated.

    • 5.5.3. Cardinality: Optional, single instance

    • 5.5.4. Tag: "SHA1"

    • 5.5.5. RDF: /RDF/SPDXDoc/Describes/File/SHA1

    • 5.5.6. Data Format: 160 bit value represented as 40 hexadecimal digits.

    • 5.5.7. Example: SHA1: d6a770ba38583ed4bb4525bd96e50461655d2758

     

  • 5.6. --get from maillist --

    • 5.6.1. Purpose:....

    • 5.6.2. Intent: ...

    • 5.6.3. Cardinality: Optional, single instance

    • 5.6.4. Tag: ...

    • 5.6.5. RDF: ...

    • 5.6.6. Data Format: ...

    • 5.6.7. Example: ...

     

  • 5.7. --get from maillist --

    • 5.7.1. Purpose:....

    • 5.7.2. Intent: ...

    • 5.7.3. Cardinality: Optional, single instance

    • 5.7.4. Tag: ...

    • 5.7.5. RDF: ...

    • 5.7.6. Data Format: ...

    • 5.7.7. Example: ...
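
The following Python code is an added example, not part of the SPDX draft or of any SPDX tool: it reads tag/value file records for fields 5.1 to 5.5, checks the cardinality and data format rules listed above, and compares the SHA1 value with the file's bytes when they are available. The function names `parse_file_records` and `validate` are hypothetical, the rule that a "Name:" line opens each file record is an assumption, the sample data is constructed, and the "License/DisjunctiveLicense:" tag and the Appendix I lookup are not covered.

```python
import hashlib
import re
# Rules from sections 5.1-5.5 of this draft: tag -> (mandatory, may repeat)
RULES = {"Name": (True, False), "Type": (False, False), "License": (True, True),
         "Copyright": (True, False), "SHA1": (False, False)}
FILE_TYPES = {"source", "binary", "archive", "other"}
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")

def parse_file_records(text):
    """Group tag/value lines into one dict per file (assumes "Name:" opens a record)."""
    records = []
    for line in text.splitlines():
        tag, sep, value = (part.strip() for part in line.partition(":"))
        if sep and tag in RULES:  # skip blank lines and tags outside sections 5.1-5.5
            if tag == "Name" or not records:
                records.append({})
            records[-1].setdefault(tag, []).append(value)
    return records

def validate(record, content=None):
    """Return a list of problems; content is the file's bytes when they are at hand."""
    problems = []
    for tag, (mandatory, many) in RULES.items():
        count = len(record.get(tag, []))
        if (mandatory and count == 0) or (count > 1 and not many):
            problems.append(f"{tag}: cardinality violated, found {count}")
    problems += [f"Type: {v!r} is not a listed file type"
                 for v in record.get("Type", []) if v not in FILE_TYPES]
    for value in record.get("SHA1", []):
        if not SHA1_RE.fullmatch(value):
            problems.append("SHA1: expected 40 hexadecimal digits")
        elif content is not None and hashlib.sha1(content).hexdigest() != value.lower():
            problems.append("SHA1: digest does not match file content")
    return problems

SAMPLE_CONTENT = b"int main(void) { return 0; }\n"  # constructed, as is SAMPLE below
SAMPLE = f"""\
Name: /bar/foo.c
License: GPL-2.0
License: FullLicense-2
Copyright: Copyright 2008-2010 John Smith
SHA1: {hashlib.sha1(SAMPLE_CONTENT).hexdigest()}
Name: /bar/foo.o
Type: object
License: GPL-2.0
SHA1: d6a770ba38583ed4
"""
for rec in parse_file_records(SAMPLE):
    print(rec.get("Name"), validate(rec))
```

The SHA1 comparison shows whether a file differs from the one that was analysed. SHA-1 is not collision-resistant, so a match on its own does not authenticate a file against deliberate forgery.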