https://wiki.spdx.org/api.php?action=feedcontributions&feedformat=atom&user=NglaudeSPDX Wiki - User contributions [en]2026-05-07T13:10:56ZUser contributionsMediaWiki 1.23.13https://wiki.spdx.org/view/Business_Team/AdoptionBusiness Team/Adoption2013-10-17T17:14:26Z<p>Nglaude: /* Metrics */</p>
<hr />
<div>DRAFT AS OF 28 August 2013<br />
Currently it is a draft until we formulate the plan at which time this sentence will be removed.<br />
<br />
<br /><br />
<br />
= Adoption =<br />
<br />
This page is being used to track the adoption of SPDX. <br />
<br />
We will track adoption in three key areas:<br />
* SPDX License List<br />
* Generating or consuming SPDX Documents<br />
* Using SPDX meta tags in software<br />
<br />
<br /><br />
<br />
== License List ==<br />
<br />
=== Overview ===<br />
<br />
The license list is a key component for SPDX. The SPDX License List includes a standardized short identifier, full name for each license, vetted license text, other basic information, and a canonical permanent URL. By providing a short identifier, users can efficiently refer to a license without having to redundantly reproduce the full license. For more information on the License List see the [http://spdx.org/licenses/ SPDX web site].<br />
<br />
=== Goals ===<br />
<br />
We talked about one year goals. Should we have one and five?<br />
<br />
* [proposal] Tool adoption: 5 or more license management / open source tracking tools vendors utilize the SPDX license list<br />
* [proposal] Open Source Projects: 10 or more open source projects visibly utilize the SPDX license list in declaring licenses<br />
<br />
=== Metrics ===<br />
<br />
For groups use one of the following. You can use multiple groups for an entity.<br />
<br />
* Foundation (e.g. Linux Foundation, Free Software, Apache, Eclipse, etc).<br />
* Standards (e.g. OSI, W3C, etc).<br />
* Community (e.g. Community projects like Uboot, Kernel, Busy Box, GNU Compiler, etc).<br />
* Forge (e.g. Github, Sourceforge, etc).<br />
* Tools (e.g. open source community or company that has tools to generate or consume SPDX).<br />
* Company<br />
<br />
{| class="wikitable sortable" border="1"<br />
|+ License List Adoption Tracking<br />
! align="left" width=12% | Entity<br />
! width=8% | Group<br />
! class="unsortable" | Notes<br />
|-<br />
| Texas Instruments <br />
| Company<br />
| Using SPDX license identifiers on software BOMs delivered with products.<br />
|-<br />
|-<br />
| Wind River <br />
| Company<br />
| Using SPDX license identifiers in Wind River Linux and we use internally as standard license references.<br />
|-<br />
|-<br />
| Micro Focus <br />
| Company<br />
| Using SPDX license identifiers internally as standard license references. (Tom Incorvia)<br />
|-<br />
|-<br />
| Siemens <br />
| Company<br />
| Using SPDX license identifiers internally as standard license references. (Roger Meier)<br />
|-<br />
|-<br />
| Black Duck <br />
| Tools<br />
| Utilizes license list for references to licenses in Black Duck Suite.<br />
|-<br />
|-<br />
| nexB <br />
| Tools<br />
| Utilizes license list for references to licenses in DejaCode.<br />
|-<br />
|-<br />
| Protecode <br />
| Tools<br />
| Utilizes license list for references to licenses in Protecode Suite.<br />
|-<br />
|-<br />
| FOSSology <br />
| Tools<br />
| Utilizes license list for references to licenses inside tool.<br />
|-<br />
|-<br />
| Open Source Initiative (OSI) <br />
| Standards<br />
| Adopted license list short names.<br />
|-<br />
|}<br />
<br />
<br /><br />
<br />
== Generation and Consumption of SPDX Documents ==<br />
<br />
=== Overview ===<br />
The SPDX specification is centered on the SPDX document. Creation and consumption of SPDX documents is a key measure of success for the SPDX standardization efforts.<br />
<br />
=== Goals ===<br />
<br />
We talked about one year goals. Should we have one and five?<br />
* Proposal: At least one additional large open source organization provide SPDX documents by LinuxConn 2014<br />
<br />
=== Metrics ===<br />
<br />
How we will measure adoption of this.<br />
* Proposal: Number of participants in the SPDX document "plugfest".<br />
* Proposal: Number of consuming organizations piloting use of SPDX documents as part of their governance process.<br />
* Proposal: Number of consuming organizations announcing adoption of SPDX as part of their governance process.<br />
* Proposal: Number of producing organizations posting SPDX format documents on the web.<br />
* Proposal: Number of large (more than 100 members) open source organizations producing SPDX documents (e.g. Linux Kernel, Apache, Eclipse).<br />
<br />
For groups use one of the following. You can use multiple groups for an entity.<br />
<br />
* Foundation (e.g. Linux Foundation, Free Software, Apache, Eclipse, etc).<br />
* Standards (e.g. OSI, W3C, etc).<br />
* Community (e.g. Community projects like Uboot, Kernel, Busy Box, GNU Compiler, etc).<br />
* Forge (e.g. Github, Sourceforge, etc).<br />
* Tools (e.g. open source community or company that has tools to generate or consume SPDX).<br />
* Company<br />
<br />
{| class="wikitable sortable" border="1"<br />
|+ SPDX Producer/Consumer Tracking<br />
! align="left" width=12% | Entity<br />
! width=8% | Group<br />
! class="unsortable" | Notes<br />
|-<br />
| Texas Instruments<br />
| Company<br />
| Limited internal generation of SPDX documents.<br />
|-<br />
|-<br />
| Wind River<br />
| Company<br />
| 100% SPDX doc generation - both hi-def (human expert) and low-def (automation); Free SPDX cloud generation: [http://spdx.windriver.com/pkg_upload.aspx]; Format for Open Source disclosure docs for Wind River Linux 5 distro (700+); Used internally in IP compliance review; ISV requested OSS disclosure format; Created website to promote adoption (includes example SPDX files): spdx.windriver.com [http://spdx.windriver.com].<br />
|-<br />
|-<br />
| Alcatel-Lucent<br />
| Company<br />
| Use SPDX documents for internal communication. (Michel Ruffin)<br />
|-<br />
|}<br />
<br />
<br/><br />
<br />
== Use of META Tags ==<br />
<br />
=== Overview ===<br />
<br />
This is a new area. It focuses on using META tags in code to help in identification of licensing and possibly other SPDX information. The technical team is looking at writing this up. Currently the U-boot community has started using a field called SPDX-License-Identifier. You can see an example here: <br />
http://git.denx.de/?p=u-boot.git;a=blob;f=post/post.c;h=4af5355fa5a20f9c2e763f37b269bea38d43e8ea;hb=6612ab33956ae09c5ba2fde9c1540b519625ba37<br />
<br />
=== Goals ===<br />
<br />
We talked about one year goals. Should we have one and five?<br />
* Proposal: Publish guidelines and/or standards for meta tag inclusion by Linux Collab Summit 2014<br />
* Proposal: 5 or more open source projects utilize meta tags in their in development projects by end of year 2013<br />
<br />
=== Metrics ===<br />
<br />
For groups use one of the following. You can use multiple groups for an entity.<br />
<br />
* Foundation (e.g. Linux Foundation, Free Software, Apache, Eclipse, etc).<br />
* Standards (e.g. OSI, W3C, etc).<br />
* Community (e.g. Community projects like Uboot, Kernel, Busy Box, GNU Compiler, etc).<br />
* Forge (e.g. Github, Sourceforge, etc).<br />
* Tools (e.g. open source community or company that has tools to generate or consume SPDX).<br />
* Company<br />
<br />
{| class="wikitable sortable" border="1"<br />
|+ META Tags Tracking<br />
! align="left" width=12% | Entity<br />
! width=8% | Group<br />
! class="unsortable" | Notes<br />
|-<br />
| U-boot<br />
| Community<br />
| [http://git.denx.de/?p=u-boot.git;a=blob;f=post/post.c;h=4af5355fa5a20f9c2e763f37b269bea38d43e8ea;hb=6612ab33956ae09c5ba2fde9c1540b519625ba37]Using SPDX-License-Identifier in place of a license header in source.<br />
|-<br />
|-<br />
| Wind River<br />
| Company<br />
| Wind River developed a file license tagging syntax that uses SPDX License List shortnames.<br />
|-<br />
|}<br />
<br />
<br />
[[Category:Business]]</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-16T13:28:14Z<p>Nglaude: /* Use of Parentheses in License Tag Fields */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
== Use of Parentheses in License Tag Fields ==<br />
<br />
In the RDF object model, licenses can be defined to be nested disjunctive or conjunctive sets in a very flexible manner. However, when using the Tag value format, it is not clear how, if at all, one could use the parentheses to define more complex licensing scenarios. It is not the intention to restrict either one of the formats, hence we view these additional examples as acceptable:<br />
<br />
'''Examples:'''<br />
<br />
Correct<br />
:LicenseConcluded: LGPL-2.0<br />
:LicenseConcluded: (LGPL-2.0 or LicenseRef-2)<br />
:LicenseConcluded: (LGPL-2.0 and (LicenseRef-2 or LicenseRef-3))<br />
:LicenseConcluded: ((LicenseRef-2 or (LicenseRef-3 and LicenseRef-4)) and LGPL-2.0)<br />
<br />
Incorrect<br />
:LicenseConcluded: (LGPL-2.0)<br />
<br />
Conceptually, much like in the RDF format, there are no limits to the depth of nested license sets, although practically, more than 2 levels are improbable.<br />
<br />
This applies to all license fields.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-16T13:28:01Z<p>Nglaude: /* Use of Parentheses in License Tag Fields */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
== Use of Parentheses in License Tag Fields ==<br />
<br />
In the RDF object model, licenses can be defined to be nested disjunctive or conjunctive sets in a very flexible manner. However, when using the Tag value format, it is not clear how, if at all, one could use the parentheses to define more complex licensing scenarios. It is not the intention to restrict either one of the formats, hence we view these additional examples as acceptable:<br />
<br />
'''Examples:'''<br />
Correct<br />
:LicenseConcluded: LGPL-2.0<br />
:LicenseConcluded: (LGPL-2.0 or LicenseRef-2)<br />
:LicenseConcluded: (LGPL-2.0 and (LicenseRef-2 or LicenseRef-3))<br />
:LicenseConcluded: ((LicenseRef-2 or (LicenseRef-3 and LicenseRef-4)) and LGPL-2.0)<br />
<br />
Incorrect<br />
:LicenseConcluded: (LGPL-2.0)<br />
<br />
Conceptually, much like in the RDF format, there are no limits to the depth of nested license sets, although practically, more than 2 levels are improbable.<br />
<br />
This applies to all license fields.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T22:08:28Z<p>Nglaude: /* Use of Parentheses in License Tag Fields */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
== Use of Parentheses in License Tag Fields ==<br />
<br />
In the RDF object model, licenses can be defined to be nested disjunctive or conjunctive sets in a very flexible manner. However, when using the Tag value format, it is not clear how, if at all, one could use the parentheses to define more complex licensing scenarios. It is not the intention to restrict either one of the formats, hence we view these additional examples as acceptable:<br />
<br />
'''Acceptable Examples'''<br />
:LicenseConcluded: (LGPL-2.0)<br />
:LicenseConcluded: (LGPL-2.0 or LicenseRef-2)<br />
:LicenseConcluded: (LGPL-2.0 and (LicenseRef-2 or LicenseRef-3))<br />
:LicenseConcluded: ((LicenseRef-2 or (LicenseRef-3 and LicenseRef-4)) and LGPL-2.0)<br />
<br />
Conceptually, much like in the RDF format, there are no limits to the depth of nested license sets, although practically, more than 2 levels are improbable.<br />
<br />
This applies to all license fields.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T22:07:04Z<p>Nglaude: /* Use of Parentheses in License Tag Fields */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
== Use of Parentheses in License Tag Fields ==<br />
<br />
In the RDF object model, licenses can be defined to be nested disjunctive or conjunctive sets in a very flexible manner. However, when using the Tag value format, it is not clear how, if at all, one could use the parentheses to define more complex licensing scenarios. It is not the intention to restrict either one of the formats, hence we view these additional examples as acceptable:<br />
<br />
'''Acceptable Examples'''<br />
:LicenseConcluded: (LGPL-2.0)<br />
:LicenseConcluded: (LGPL-2.0 or LicenseRef-2)<br />
:LicenseConcluded: (LGPL-2.0 and (LicenseRef-2 or LicenseRef-3))<br />
:LicenseConcluded: ((LicenseRef-2 or (LicenseRef-3 and LicenseRef-4)) and LGPL-2.0)<br />
<br />
Conceptually, much like in the RDF format, there are no limits to the depth of nested license sets.<br />
<br />
This applies to all license fields.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T22:06:31Z<p>Nglaude: /* Use of Parentheses in License Tag Fields */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
== Use of Parentheses in License Tag Fields ==<br />
<br />
In the RDF object model, licenses can be defined to be nested disjunctive or conjunctive sets in a very flexible manner. However, when using the Tag value format, it is not clear how, if at all, one could use the parentheses to define more complex licensing scenarios. It is not the intention to restrict either one of the formats, hence we view these additional examples as acceptable:<br />
<br />
'''Acceptable Examples'''<br />
* LicenseConcluded: (LGPL-2.0)<br />
* LicenseConcluded: (LGPL-2.0 or LicenseRef-2)<br />
* LicenseConcluded: (LGPL-2.0 and (LicenseRef-2 or LicenseRef-3))<br />
* LicenseConcluded: ((LicenseRef-2 or (LicenseRef-3 and LicenseRef-4)) and LGPL-2.0)<br />
<br />
Conceptually, much like in the RDF format, there are no limits to the depth of nested license sets.<br />
<br />
This applies to all license fields.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:49:45Z<p>Nglaude: /* Author vs. Creator (3.1) vs. Reviewer (7.1) */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
== Use of Parentheses in License Tag Fields ==<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:29:37Z<p>Nglaude: /* 4.1 Package Name */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== Package Name (4.1) ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:29:22Z<p>Nglaude: /* 4.4 Package Supplier; 4.5 Package Originator; 4.10 Source Information */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== 4.1 Package Name ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== Package Supplier (4.4); Package Originator (4.5); Source Information (4.10) ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification.<br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:28:48Z<p>Nglaude: /* 4.6 Package Download Location */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== 4.1 Package Name ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== 4.4 Package Supplier; 4.5 Package Originator; 4.10 Source Information ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification. <br />
<br />
== Package Download Location (4.6) ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:28:34Z<p>Nglaude: /* 4.11 Concluded License; 4.13 Declared License */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== 4.1 Package Name ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== 4.4 Package Supplier; 4.5 Package Originator; 4.10 Source Information ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification. <br />
<br />
== 4.6 Package Download Location ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== Concluded License (4.11); Declared License (4.13) ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:28:09Z<p>Nglaude: /* 5.2 Extracted Text */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== 4.1 Package Name ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== 4.4 Package Supplier; 4.5 Package Originator; 4.10 Source Information ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification. <br />
<br />
== 4.6 Package Download Location ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== 4.11 Concluded License; 4.13 Declared License ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== Extracted Text (5.2) ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-15T21:23:45Z<p>Nglaude: /* Producing */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== 4.1 Package Name ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== 4.4 Package Supplier; 4.5 Package Originator; 4.10 Source Information ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification. <br />
<br />
== 4.6 Package Download Location ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== 4.11 Concluded License; 4.13 Declared License ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== 5.2 Extracted Text ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== File Name (6.1) ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
== Author vs. Creator (3.1) vs. Reviewer (7.1)==<br />
<br />
'''Author:''' The author is used occasionally in the text of the specification and generally refers to the creator(s) of the package. There is no explicit field for the author information other than copyright information and URL, which may or may not reflect the actual original author. In section 2.2.1, there is also a reference to an "SPDX Author"; this actually refers to the SPDX Creator.<br />
<br />
'''Creator:''' The SPDX Creator is defined in section 3.1 and is used to identify who (or what, in the case of a tool) created the SPDX file.<br />
<br />
'''Reviewer:''' The SPDX Reviewer is detined in section 7.1 and is used to identify who reviewed the content of the SPDX.<br />
<br />
To put things into context, let's consider the following flow:<br />
# An author creates a package and assigns a license to it, hopefully to each individual file, and also follows all of the best practices and obligations for the chosen or found licenses in the package.<br />
# An SPDX creator analyzes the content of the package, extracts the pertinent information and assembles the SPDX file, whether manually or using a tool.<br />
# An SPDX reviewer inspects the work of the SPDX creator, whether manually or using a tool. Consider the reviewer to be anything from another set of eyes, to a recognized reliable entity with some kind of sign-off authority.<br />
<br />
The SPDX creator is a mandatory parameter - every file must have its creator. However, not every SPDX file is reviewed.<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaudehttps://wiki.spdx.org/view/Technical_Team/Best_PracticesTechnical Team/Best Practices2013-10-11T17:47:37Z<p>Nglaude: /* Producing */</p>
<hr />
<div>This is a place holder for working on the Best Practices document.<br />
<br />
Best Practices <br />
<br />
__TOC__<br />
<br />
= Introduction =<br />
<br />
= Interpreting the Specification =<br />
<br />
Clarify and help with what is in the spec. Structure sections around the spec?<br />
<br />
= Tools =<br />
<br />
Best practices around using the SPDX tools<br />
<br />
= Contributing to SPDX =<br />
<br />
how to provide feedback, get involved, etc<br />
<br />
= Producing = <br />
<br />
SPDX Version: 1.2<br />
PURPOSE: The SPDX specification is meant to stand on its own and to make clear how a field is to be populated. Still, there are times when more clarification is required. This tech note provides clarification with regard to certain fields about which questions of arisen. Some of these clarifications may be rolled into future versions of the specification. <br />
<br />
== 4.1 Package Name ==<br />
<br />
The package name should be exclusive of version number. Field 4.2 Package Version is intended for version number and the package name should not redundantly specify this information.<br />
===== Example =====<br />
Correct<br />
:Package Name: glibc<br />
:Package Version: 2.11.1<br />
<br />
Incorrect<br />
:Package Name: glibc '''2.11.1'''<br />
:Package Version: 2.11.1<br />
<br />
== 4.4 Package Supplier; 4.5 Package Originator; 4.10 Source Information ==<br />
<br />
The first two fields are intended to where the package came from and what entity created it. In many cases these will be one in the same, but it is possible that the supplier may have gotten the package from another source. <br />
<br />
===== Example: =====<br />
Wind River supplies the Linux kernel. <br />
:Package Supplier: Wind River<br />
:Package Originator: linux.org<br />
<br />
Source Information is a freeform field, which, like many such fields in SPDX is there to allow the document creator to provide information they feel would be useful or important, but which my not fit neatly into the specification. <br />
<br />
== 4.6 Package Download Location ==<br />
<br />
The intent of this field is to indicate the URL of the location from which the package is actually obtained. Generally this should be the originating site of the package, but in cases where the package was obtained from a mirror site, the URL of the mirror should be used. The format for the URL should follow RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it.<br />
<br />
== 4.11 Concluded License; 4.13 Declared License ==<br />
<br />
In cases where there is a contradiction between the Declared License and some other license present, the concluded license should represent that contradiction, and best practice would be to explain further in the 4.14 Comments on License field.<br />
<br />
'''LEGAL TEAM SHOULD REVIEW THIS'''<br />
<br />
===== Example: =====<br />
A GPL 2 package that contains files licensed under Apache 2.0. <br />
:Declared License: GPL-2.0<br />
:Concluded License: GPL-2.0 and Apache-2.0<br />
:Comments on License: Several Apache licensed files (A, B, and C) are included in the packages causing an incompatibility with the licensing of the package.<br />
<br />
== 5.2 Extracted Text ==<br />
<br />
To clarify, or reinforce, the text included here, should be the exact text in that is included with the package and no more. Some early SPDX tools included full text of the relevant license even though the full text was not supplied in the actual package. The example in the specification is one where full text is included, but if the text is incomplete, so should be the text in the Extracted Text field.<br />
<br />
===== Example: =====<br />
A copying file in the top level of the directory says, “This software is licensed under the Beer License.” <br />
<br />
Correct:<br />
:Extracted Text: This software is licensed under the Beer-ware License<br />
<br />
Incorrect:<br />
:“THE BEER-WARE LICENSE" (Revision 42):<phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kam<br />
<br />
== 6.1 File Name ==<br />
<br />
To clarify, the format for the file name should follow URI RFC conventions, specifically RFC3986 or any newer one that may eventually augment or obsolete it. Specifically, it uses the relative path reference format of an URI, and is defined as being relative to the root of the package from which the file came.<br />
<br />
In RFC3986, section 4.2, a relative path reference must not start with a slash character ("/"). Relative references also do not need to start with a "./" (dot slash), although there is one format for which the preceding "./" is necessary. In any case, RFC3986 is clear about how to handle dot-segments, and in the case of "./", it is simply removed.<br />
<br />
===== Example: =====<br />
Correct:<br />
:FileName: ./package/foo.c<br />
:FileName: package/foo.c<br />
Incorrect:<br />
:FileName: /package/foo.c<br />
:FileName: //package/foo.c<br />
<br />
Note about RFC3986:<br />
:''This document obsoletes [RFC2396], which merged "Uniform Resource Locators" [RFC1738] and "Relative Uniform Resource Locators" [RFC1808] in order to define a single, generic syntax for all URIs.''<br />
<br />
= Consuming =<br />
<br />
Best practices around the process of doing it. Examples of how this is done.<br />
<br />
= Notes from LinuxCon 2013 17 Sept 2013 =<br />
<br />
What should be in a best practices, how does it relate to the spec?<br />
<br />
Possibilities:<br />
* examples<br />
* particular questions (sort of like a FAQ)<br />
* Could start with things that are not well defined but end up in the specification<br />
* I need a field for X, its not there, what field could I use?<br />
* best practices around the specification and best practices around contributing to SPDX. Maybe two documents?<br />
* Snapshot best practices document at intervals and post on site. Use wiki for active discussions, new proposals, etc.,.<br />
* Should we have a getting started guide?<br />
* best practices for meta tagging like u-boot did. maybe link it in here but should be separate page. Could possibly include other information for developers supporting spdx and producing spdx friendly code. Look at things like U-boot, Mozilla, etc.,.</div>Nglaude