(41 intermediate revisions by 5 users not shown) |
Line 1: |
Line 1: |
− | <p>For anyone wanting to add comments/questions/etc. directly in the document, so they get tracked without having to do a lot of version reference, please put your comments on a new line and use the following syntax:</p>
| + | This is the location of the official version of the SPDX specification. During active development of next version, drafts may be found here as well. |
− | <p><em>(</em>yyyymmdd initials<em> comments) </em></p>
| + | |
− | <p><em>for</em> example:</p>
| + | The [http://spdx.org/licenses/ license list] used by SPDX is available too, as are the [[Technical_Team/SPDX_RDF_Vocabularies_and_Terms/1.2/Vocabulary|Version 1.2 RDF references]]. |
− | <p>(20100407 KS <em>does this make sense?</em>)</p>
| + | |
− | <p><strong>***</strong></p>
| + | [[Category:Technical]] |
− | <p><span style="text-decoration: underline;"><strong>Disclaimer: The following is a draft of the Software Package Data eXchange (SDPX) Specification. This draft is provided as a public courtesy to illustrate the progress of the project. Please be advised that in addition to the licensing terms recited below, no reliance should be made regarding this draft, including any reliance that this draft represents any particular standard for any particular purpose. When the official SPDX specification is released, it will be clearly be labeled "official", and its purpose and recommended use will be clearly stated at that time.</strong></span></p>
| + | |
− | <p><strong>***</strong></p>
| + | |
− | <p><strong>Software Package Data eXchange (SPDX) Specification Version: DRAFT 201006XX</strong></p>
| + | |
− | <p><strong>(c) Copyright 2010. </strong><strong>Andrew Back, Bill Schineller, Brad Dixon, Bruno Cornec, Ciaran Farrell, Daniel German, Debra McGlade, Eran Strod, Eric Thomas, Esteban Rockett, Gary O'Neall, Guillaume Rousseau, Jack Manbeck, Jeff Luszcz, John Ellis, Kate Stewart, Kim Weins, Marshall Clow, Martin Miclmayr , Martin von Willebrand, Michael J. Herzog, Michel Ruffin, Phil Robb, Philip Odence, Philp Koltun, Scott K Peterson, Shane Coughlan, Stuart Hughes, Tom Callaway, and Tom Incorvia.</strong></p>
| + | |
− | <p><strong>Licensed under the Creative Commons Attribution License 3.0 (reproduced in Appendix III herein).</strong></p>
| + | |
− | <p><strong>All other rights are expressly reserved.</strong></p>
| + | |
− | <p><em>(20100310 JM General – Is the Package Facts file licensed (the use of a Formal Copyright Holder in 3.2.7 seems to imply that)? If so, do we want to say it should be under the same license as the specification? I like the idea of a permissive license or possibly even public domain. However, we could allow people to license the file or not license it according to their project or tastes. My only concern with this is the inevitable are these licenses compatible mess if I try to take 10 or 20 of these files and roll them up into (or even take info from them) a nice neat re-distributable document. I would suggest at a minimum, if someone can license this content that we have a block to capture it.) <strong>RESOLUTION</strong>: Add boilerplate disclaimer with regard to copyright of instance of facts file. Creative C header file including authorship assignment. Plan is to preserve as sidecar, but it may make sense to create a version of SPDX for inclusion in package (issue is checksum...should it be optional?). - <strong>Rockett</strong> Set up call with CC folks with regards to boilerplate - <strong>Bradley</strong></em></p>
| + | |
− | <p><em>(Provide ITU/IETF examples to the list- <strong>John</strong>. <strong>Jack </strong>will create an appendix on use of spec including aggregation and history.)</em></p>
| + | |
− | <p><em>(20100415 FacetoFace General- Should we extend spec to describe streams and usage of streams? Only at file level?) <strong>RESOLUTION:</strong> Assess whether extensibility proposal accommodates. <strong>Jeff L </strong>IN PROCESS</em></p>
| + | |
− | <p><strong>Signed off:</strong></p>
| + | |
− | <p>(Approved for release by active participants in this specification effort, as indicated by name and email id)</p>
| + | |
− | <p> </p>
| + | |
− | <p> </p>
| + | |
− | <h2>1. Rationale</h2>
| + | |
− | <p style="padding-left: 30px;"><strong>1.1. Charter</strong></p>
| + | |
− | <p style="padding-left: 30px;">Create a set of data exchange standards to enable companies and organizations to share license and component information (metadata) for software packages and related content with the aim of facilitating license and other policy compliance.</p>
| + | |
− | <p style="padding-left: 30px;"><strong>1.2. Why is a common format for data exchange needed?</strong></p>
| + | |
− | <p style="padding-left: 30px;">Companies and organizations (collectively “Organizations”) are widely using and reusing open source and other software packages. Compliance with the associated licenses requires a set of due diligence activities that each Organization performs independently: a manual and/or automated scan of software and identification of associated licenses followed by manual verification. Software development teams across the globe use the same open source packages, but they have not yet set-up a way to collaborate on license discovery – many groups are performing the same work leading to duplicated effort and redundancy. This working group seeks to create a data exchange format so that information about software packages and related content, may be collected and shared in a common format with the goal of saving time and improving data accuracy.</p>
| + | |
− | <p style="padding-left: 30px;"><strong>1.3. What does this specification cover?</strong></p>
| + | |
− | <p style="padding-left: 60px;">1.3.1. Identification Information: Meta data to associate analysis results with a specific package. This includes a unique identifier to permit correlation of a specific instance of this data with a specific package.</p>
| + | |
− | <p style="padding-left: 60px;">1.3.2. Overview Information: Facts that are common properties for the entire package.</p>
| + | |
− | <p style="padding-left: 60px;">1.3.3. File Specific Information: Facts that are specific to each file (copyrights, licenses) that are included in the package.</p>
| + | |
− | <p style="padding-left: 60px;">1.3.4. Common Licenses: standardized way of referring to the common licenses likely to be encountered.</p>
| + | |
− | <p style="padding-left: 60px;"><em>(20100415 Face to Face - Add proposed text regarding extensibility.) - <strong>MichaelH</strong></em></p>
| + | |
− | <p style="padding-left: 30px;"><strong>1.4. What is not covered in the written standard?</strong></p>
| + | |
− | <p style="padding-left: 60px;">1.4.1. Information that cannot be derived from a visual inspection of the package to be analyzed. </p>
| + | |
− | <p style="padding-left: 60px;">1.4.2. How the data stored in this file format is used. </p>
| + | |
− | <p style="padding-left: 60px;">1.4.3. Any identification of any patent(s) which may or may not relate to the package.</p>
| + | |
− | <p style="padding-left: 30px;"><strong>1.5. Format Requirements:</strong></p>
| + | |
− | <p style="padding-left: 60px;">1.5.1. Needs to be in human readable form.</p>
| + | |
− | <p style="padding-left: 60px;">1.5.2. Needs to be a syntax that tools can read and write.</p>
| + | |
− | <p style="padding-left: 60px;">1.5.3. Needs to be suitable to be checked for syntactic correctness independent of how it was generated (human or tool).</p>
| + | |
− | <p style="padding-left: 60px;">1.5.4. Character set to be used in the SPDX file shall support UTF-8 encoding. <em>(<strong>Philippe</strong> to provide example of potentially problematic issue with filepath.)</em></p>
| + | |
− | <p style="padding-left: 60px;">1.5.5 Discussion: XML vs. simple text to represent fields. Extent human understandable without tool still needs to be discussed. (<em>Deferred to mailing list. <strong>RDF syntax under discussion).</strong></em></p>
| + | |
− | <h2>2. Identification Information</h2>
| + | |
− | <p style="padding-left: 30px;">2.1. One instance per package instance.</p>
| + | |
− | <p style="padding-left: 30px;">2.2. Fields:</p>
| + | |
− | <p style="padding-left: 60px;">2.2.1. SPDX Specification Version Number</p>
| + | |
− | <p style="padding-left: 90px;">2.2.1.1. Purpose: version of SPDX specification version information to use to parse the rest of the file. This will permit future changes to the specification, and retain backwards compatibility.</p>
| + | |
− | <p style="padding-left: 90px;"><span style="font-style: italic;">(20100415 F2F Generate language for meaning of major/minor versions - <strong>Jack</strong>)</span></p>
| + | |
− | <p style="padding-left: 90px;">2.2.1.2 Intent: Here, parties exchanging Identification Information in accordance with SPDX need to provide 100% transparency as to which SPDX specification such Identification Information is conforming to.</p>
| + | |
− | <p style="padding-left: 90px;">2.2.1.3 Tag: "SPDXversion"</p>
| + | |
− | <p style="padding-left: 90px;">2.2.1.4. Data Format: SPDX-N.N </p>
| + | |
− | <p style="padding-left: 90px;">where: N is [0-9].</p>
| + | |
− | <p style="padding-left: 90px;">2.2.1.5. Example: SPDXversion: SPDX-1.0</p>
| + | |
− | <p style="padding-left: 60px;">2.2.2. Unique Identifier</p>
| + | |
− | <p style="padding-left: 90px;">2.2.2.1. Purpose: Need an independently reproducible mechanism that is agreed will permit unique identification of a specific package with this data. It must be able to determine if any file in the original package has been changed in a verifiable way.</p>
| + | |
− | <p style="padding-left: 90px;"><em><span><span style="font-style: normal;">2.2.2.2. Intent: Here, by providing an unique identifier of each package, confusion over which version/modification of a specific package the Identification Information references should be eliminated.</span></span></em></p>
| + | |
− | <p style="padding-left: 90px;"><em><span><span style="font-style: normal;"> </span></span></em>2.2.2.3. Tag: "UniqueID"</p>
| + | |
− | <p style="padding-left: 90px;">2.2.2.4. Data Format: SHA-1</p>
| + | |
− | <p style="padding-left: 90px;">2.2.2.5. Example: UniqueID: XXXXXXXXXXXXXXXXXXXXX</p>
| + | |
− | <p style="padding-left: 60px;">2.2.3. Generation Method</p>
| + | |
− | <p style="padding-left: 90px;">2.2.3.1. Purpose: identify how this information was generated. If manual – who, if tool – identifier and version.</p>
| + | |
− | <p style="padding-left: 90px;">2.2.3.2. Intent: Here, the generation method will assist the reader of the Identification Information in self determining the general reliability/accuracy of the Identification Information.</p>
| + | |
− | <p style="padding-left: 90px;">2.2.3.3. Tag: "CreatedBy"</p>
| + | |
− | <p style="padding-left: 90px;">2.2.3.4. Data Format: ”Person: person name” or "Company: company" (depending on which is accountable) or "Tool: tool identifier - version”.</p>
| + | |
− | <p style="padding-left: 90px;">2.2.3.5. Examples: CreatedBy: Person: Kim Weins</p>
| + | |
− | <p style="padding-left: 90px;"><span style="font-style: italic;">(20100505 -KS do we want to include email information? )</span></p>
| + | |
− | <p style="padding-left: 60px;"><span style="font-style: italic;"> </span>2.2.4. Creation Time Stamp</p>
| + | |
− | <p style="padding-left: 90px;">2.2.4.1. Purpose: Identify when the analysis was done. This is to be specified according to combined data and time in UTC as specified in ISO 8601 standard. </p>
| + | |
− | <p style="padding-left: 90px;">2.2.4.2 Intent: Here, the Time Stamp can serve as a verification as to whether the analysis needs to be updated. For example, changes in the software industry may require a different reading of a particular license identification, post a certain fixed date, due to a court holding.</p>
| + | |
− | <p style="padding-left: 90px;">2.2.4.3 Tag: "Created"</p>
| + | |
− | <p style="padding-left: 90px;">2.2.4.4. Data Format: YYYY-MM-DDThh:mm:ssZ</p>
| + | |
− | <p style="padding-left: 120px;">where: YYYY is year, MM is month with leading zero, DD is day with leading zero, T is deliminter for time, hh is hours with leading zero in 24 hour time, mm is minutes with leading zero, ss is second with leading zero, and Z is universal time indicator.</p>
| + | |
− | <p style="padding-left: 90px;">2.2.4.5. Example: Created: 2010-01-29T18:30:22Z</p>
| + | |
− | <p style="padding-left: 60px;">2.2.5. Review</p>
| + | |
− | <p style="padding-left: 90px;">2.2.5.1. Purpose: reviewers of tool result, or other reviewer of original – equivalent to “signed off” or “reviewed by”.</p>
| + | |
− | <p style="padding-left: 90px;">(20100310 JM <em>2.2.5 – This one makes me a little nervous. If someone puts something there what does it mean? Have they verified all the information is factual? Independent Audit implies to me that someone other than the Package creator or even the project (?) has looked at this and said the information is <?>. )</em></p>
| + | |
− | <p style="padding-left: 90px;"><em><span style="font-style: normal;">2.2.5.2. Intent: Here, as time progress certain reviewers will begin to gain creditability as reliable. This field intends to make such information transparent.</span></em></p>
| + | |
− | <p style="padding-left: 90px;"><em><span style="font-style: normal;"> </span></em><em><span style="font-style: normal;">2.2.5.3. Tag: "ReviewedBy"</span></em></p>
| + | |
− | <p style="padding-left: 90px;"><em><span style="font-style: normal;"> </span></em>2.2.5.4. Data Format: "Person: person name”</p>
| + | |
− | <p style="padding-left: 90px;">2.2.5.5. Example: ReviewedBy: Person: Bradley Kuhn</p>
| + | |
− | <p style="padding-left: 90px;"><span style="font-style: italic;"><strong>(20100415 F2F RESOLUTION: Bradley K</strong> to rework section including such issues as defining "reviewed by," date, partial review or caveats, etc. Make optional field and include multiple, down the supply chain reviewed bys.)</span></p>
| + | |
− | <p style="text-align: left;"><span style="font-style: italic;"> </span><strong>3. Common Overview Information</strong></p>
| + | |
− | <p>3.1. One instance per package instance</p>
| + | |
− | <p>3.2. Fields:</p>
| + | |
− | <p style="padding-left: 30px;">3.2.1. Formal Name</p>
| + | |
− | <p style="padding-left: 60px;">3.2.1.1. Purpose: Full name of package as given by originator with version information included if available.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.1.2. Intent: Here, the formal name of each package is an important conventional technical identifier to be maintained for each package.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.1.3 Tag: "DeclaredName"</p>
| + | |
− | <p style="padding-left: 60px;">3.2.1.4. Data Format: <text string of full name> <version info if avilable></p>
| + | |
− | <p style="padding-left: 60px;">3.2.1.5. Example: DeclaredName: glibc 2.11.1</p>
| + | |
− | <p style="padding-left: 30px;">3.2.2. Specific Package File Name</p>
| + | |
− | <p style="padding-left: 60px;">3.2.2.1. Purpose: File name of package instance.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.2.2. Intent: Here, the actual filename of the compressed file (containing the package) is a significant technical element that needs to be carried with each package's Identification Information.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.2.3. Tag: FileName:</p>
| + | |
− | <p style="padding-left: 60px;">3.2.2.4. Data Format: identifier</p>
| + | |
− | <p style="padding-left: 60px;">where identifier is the machine generated file name and version typically includes the packaging and compression methods used.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.2.5. Examples: FileName: glibc-2.11.1.tar.gz</p>
| + | |
− | <p style="padding-left: 30px;">3.2.3. Download URL</p>
| + | |
− | <p style="padding-left: 60px;">3.2.3.1. Purpose: identify exact download URL of the original version of this package resides (at time of analysis).</p>
| + | |
− | <p style="padding-left: 60px;">3.2.3.2. Intent: Here, where to download the exact package being referenced is a critical verification and tracking datum.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.3.3. Tag: URL:</p>
| + | |
− | <p style="padding-left: 60px;">3.2.3.4. Format: URL or "unknown"</p>
| + | |
− | <p style="padding-left: 60px;">3.2.3.5. Example: URL: http://ftp.gnu.org/gnu/glibc/</p>
| + | |
− | <p style="padding-left: 60px;"><em><strong>(</strong></em>20100414 F2F<em><strong> Debra M</strong>- Begin section on Wiki cataloging various SPDX doc use cases. IN PROCESS)</em></p>
| + | |
− | <p style="padding-left: 60px;"><span style="font-style: italic;"><strong>(</strong></span>20100414 F2F<span style="font-style: italic;"><strong> Philippe, David M, Bradley</strong> taking a stab at developing tool that utilizes format.)</span></p>
| + | |
− | <p style="padding-left: 60px;"><span style="font-style: italic;">(20100506 BillS- Concern raised that standard XML checkers would have a hard time validating a field with URL or string="unknown".)</span></p>
| + | |
− | <p style="padding-left: 30px;">3.2.4 Source Additional Information</p>
| + | |
− | <p style="padding-left: 60px;">3.2.4.1. Purpose: Freeform source commentary to add clarity to origins. For instance whether its been pulled from SCM or has been repackaged.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.4.2. Intent: Here, by providing a freeform field, reviewers can provide any additional information to describe any anomalies, or discoveries, in the their determination of the origin of the package.</p>
| + | |
− | <p style="padding-left: 60px;">(DONE -- 20100505 KS - <em><strong>Rockett</strong> can you fill this in?</em> )</p>
| + | |
− | <p style="padding-left: 60px;">3.2.4.3. Tag: "SourceInfo"</p>
| + | |
− | <p style="padding-left: 60px;">3.2.4.4. Data Format: <string without line separator></p>
| + | |
− | <p style="padding-left: 60px;">3.2.4.5. Example: SourceInfo: use glibc-2_11-branch from git://sourceware.org/git/glibc.git.</p>
| + | |
− | <p style="padding-left: 30px;">3.2.5. Declared License for Package</p>
| + | |
− | <p style="padding-left: 60px;">3.2.5.1. Purpose: use a standard way of referring to license and its version. See Appendix I for standardized license short forms. If more than one in effect, list license package defaults to and indicate alternate license is present.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.5.2. Intent: This is simply the license identified in text in the actual package source code files (typically in the header of each package file.) This field may have multiple declared licenses, if multiple licenses are declared at the package level.</p>
| + | |
− | <p style="padding-left: 60px;">(DONE -- 20100505 KS <em><strong>Rockett</strong></em> - should the wording be "This field may have multiple declared licenses, if multiple licenses are declared at the package level.")</p>
| + | |
− | <p style="padding-left: 60px;">3.2.4.3. Tag: "DeclaredLicense"</p>
| + | |
− | <p style="padding-left: 60px;">3.2.5.4. Data Format: <short form identifier> | "FullLicense"-N</p>
| + | |
− | <p style="padding-left: 60px;">3.2.5.5. Example: DeclaredLicense: GPL2.0</p>
| + | |
− | <p style="padding-left: 60px;"><em><strong>(</strong></em>20100415 F2F<em><strong> Kim</strong> will revise 3.2.5 section and Appendix I based on comments received on short form terminology that merges best from Debian and Fedora)</em></p>
| + | |
− | <p style="padding-left: 30px;">3.2.6. License(s) Present</p>
| + | |
− | <p style="padding-left: 60px;">3.2.6.1. Purpose: list of all licenses found in files in package by scanning</p>
| + | |
− | <p style="padding-left: 60px;">3.2.6.2. Intent: Here, we intend to capture all licenses within the package detected by any scanning tools used by the package reviewer.</p>
| + | |
− | <p style="padding-left: 60px;">(PLEASE CONFIRM THIS IS ACCURATE -- 20100415 F2F <em><strong>Rockett </strong>- Update intent</em>.)</p>
| + | |
− | <p style="padding-left: 60px;">3.2.6.3. Tag: "DetectedLicense"</p>
| + | |
− | <p style="padding-left: 60px;">3.2.6.4. Data Format: ((<short form identifier> | "FullLicense"-N)",")* </p>
| + | |
− | <p style="padding-left: 60px;">where it is either a single license identifier, or a comma separated list of identifiers. The identifier can be a short form identifier from Appendix I or a reference to the section of Full License texts (that are included in a numerical detection order (each unique denoted by N).</p>
| + | |
− | <p style="padding-left: 60px;">3.2.6.5. Example: DetectedLicense: GPL2.0, FullLicense-1, FullLicense-2, GPL2.0+</p>
| + | |
− | <p style="padding-left: 60px;"><em><strong>(</strong></em>20100415 F2F<em><strong> Kim</strong>- Propose optional field for identifying packages from which files come.)</em></p>
| + | |
− | <p style="padding-left: 60px;"><em><span>(20100506 Bill- consider adding count per license)</span></em></p>
| + | |
− | <p style="padding-left: 30px;">3.2.7. Declared Copyright Holder of Package</p>
| + | |
− | <p style="padding-left: 60px;">3.2.7.1. Purpose: identify the author and licensor of package itself. ? Permit international extended characters in character string or restrict ?</p>
| + | |
− | <p style="padding-left: 60px;">3.2.7.2. Intent: Here, by identifying the actual author(s), some ambiguities, e.g., under which license the author(s) were intending to license the package, may be resolvable by knowing who to contact for clarity.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.7.3. Tag "DeclaredCopyright"</p>
| + | |
− | <p style="padding-left: 60px;">3.2.7.4. Data Format: ?</p>
| + | |
− | <p style="padding-left: 60px;">(20100415 F2F<em><strong> Kate</strong>- Update. Needs to accommodate multiple copyright holders and dates. Include None as possible.) </em></p>
| + | |
− | <p style="padding-left: 60px;">3.2.7.5. Example: ?</p>
| + | |
− | <p style="padding-left: 30px;">3.2.8. Declared Copyright Date of Package</p>
| + | |
− | <p style="padding-left: 60px;">3.2.8.1. Purpose: Identify the date this package was created. Individual files inside package may have different copyright dates.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.8.2. Intent: Here, we can now begin to track when copyright protection expires, for example, and the package falls into the public domain.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.8.3. Tag: CopyrightDate</p>
| + | |
− | <p style="padding-left: 60px;">3.2.8.4. Format: YYYY </p>
| + | |
− | <p style="padding-left: 60px;">where YYYY is the year.</p>
| + | |
− | <p style="padding-left: 60px;">3.2.8.5. Example: CopyrightDate: 2010</p>
| + | |
− | <p style="padding-left: 30px;">3.2.9. Pithy Description Field</p>
| + | |
− | <p style="padding-left: 30px;"><em><strong>(</strong></em>20100415 - F2F<em><strong> Jeff</strong>- Propose to mailing list.)</em></p>
| + | |
− | <p style="padding-left: 60px;"> </p>
| + | |
− | <p>4. Index of Non Standard License(s) Detected</p>
| + | |
− | <p style="padding-left: 30px;">4.1 One instance for every unique license detected in package that does not match one of the standard license short forms from Appendix I.</p>
| + | |
− | <p style="padding-left: 30px;">4.2 Fields:</p>
| + | |
− | <p style="padding-left: 60px;">4.2.1 Identifier</p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.1. Purpose: Provide a unique identifier for the packages and files sections to refer to non standard license text detected in the package and reproduced here to aid analysis.</p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.2. Intent: Here, we seek to identify in whole or in part portions of the package which are licensed under unfamiliar and/or uncommon licenses.</p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.3. Tag: "LicenseID"</p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.4. Data Format: "License-"N where N is a unique ascending numeric value.</p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.5. Example: LicenseID: License-1</p>
| + | |
− | <p style="padding-left: 60px;"><span style="white-space: pre;"> </span>4.2.2 Extracted Text</p>
| + | |
− | <p style="padding-left: 90px;"> 4.2.2.1. Purpose: Provide a copy of the actual text of the license extracted from the package to aid in analysis.</p>
| + | |
− | <p style="padding-left: 90px;">4.2.2.2. Intent: Here, the actual license text included in the package serves as confirmation that the license, and version, named in the header files of the package is correct.</p>
| + | |
− | <p style="padding-left: 90px;">4.2.2.3. Tag: "LicenseText"</p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.4. Data Format: <multiline text> "***EOLT***" </p>
| + | |
− | <p style="padding-left: 90px;">4.2.1.5. Example: LicenseText: <multiline text> ***EOLT***</p>
| + | |
− | <h2>5. File Specific Information</h2>
| + | |
− | <p style="padding-left: 30px;"><em>(20100310 JM 4.0- Would files that do not have licensing information be present in this block? I would think so and the relevant fields would be blank. We may want to have an explicit statement versus leaving blank. Interested in others thoughts.)</em></p>
| + | |
− | <p style="padding-left: 30px;"><em> </em></p>
| + | |
− | <p style="padding-left: 30px;">5.1. One entry for every file in package instance</p>
| + | |
− | <p style="padding-left: 30px;">5.2. Fields:</p>
| + | |
− | <p style="padding-left: 60px;">5.2.1. Full File Name</p>
| + | |
− | <p style="padding-left: 90px;">5.2.1.1. Purpose: identify path to file that corresponds to this summary information. version of this standard to use to parse the rest of the file.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.1.2. Intent: Here, any confusion over where a file needs to hierarchically be placed for proper functionality is mitigated.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.1.3. Tag: "FileName"</p>
| + | |
− | <p style="padding-left: 90px;">5.2.1.4. Format: [directory/]filename.suffix</p>
| + | |
− | <p style="padding-left: 90px;">5.2.1.5. Example: FileName: /bar/foo.c</p>
| + | |
− | <p style="padding-left: 60px;">5.2.2. File Type (optional)</p>
| + | |
− | <p style="padding-left: 90px;">5.2.2.1. Purpose: Identify common types of files where there may be different treatment of copyright and license information: source, binary, machine generated, etc.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.2.2. Intent: Here, this field is basically the "best available" format field, from a developer perspective.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.2.3. Tag: "FileType"</p>
| + | |
− | <p style="padding-left: 90px;">5.2.2.4. Data Format: "source" | "binary" | "archive" |"other"</p>
| + | |
− | <p style="padding-left: 90px;">5.2.2.5. Example: FileType: binary</p>
| + | |
− | <p style="padding-left: 90px;"><span style="font-style: italic;"> </span></p>
| + | |
− | <p style="padding-left: 60px;">5.2.3. License(s)</p>
| + | |
− | <p style="padding-left: 90px;">5.2.3.1. Purpose: License governing file if known. This will either be explicit in file, or be expected to default to package license. Use a standard way of referring to license and its version. See Section 5.0 for standardized license references. If more than one in effect, list all licenses.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.3.2. Intent: Here, the intent is to have a uniform method to refer to each license with specificity to eliminate any license confusion. For example, the 3 clause BSD would have a different license identifier then the 4 clause BSD. </p>
| + | |
− | <p style="padding-left: 90px;">5.2.3.3. Tag: "FileLicense"</p>
| + | |
− | <p style="padding-left: 90px;">5.2.3.4. Data Format: ( [identier,]* [identifier])|"unknown"</p>
| + | |
− | <p style="padding-left: 120px;">where identifier is either one of the short forms from Appendix I or LicenseID from section 4. If no license detected, should have "unknown". </p>
| + | |
− | <p style="padding-left: 90px;">5.2.3.5. Example: FileLicense: GPL-2.0,License-5</p>
| + | |
− | <p style="padding-left: 90px;"><em> </em></p>
| + | |
− | <p style="padding-left: 60px;">5.2.4. Copyright(s)</p>
| + | |
− | <p style="padding-left: 90px;">5.2.4.1. Purpose: identify the copyright holders and associated dates of their copyright that are in this specific file if known. Note: Copyright holder identifier may have developer names, companies, email addresses, so we’ll probably need a generic string mechanism (including international characters). Since there may be multiple per file, need a way of having separators between them.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.4.2. Intent: Here, similar to identifying the actual author(s) (above), by identifying the copyright holder(s), the copyright holder(s) may be contact if licensing issues exist with the package, or to request distribution under another license more compatible with a given implementation, for example.</p>
| + | |
− | <p style="padding-left: 90px;">5.2.4.3. Tag: "FileCopyright"</p>
| + | |
− | <p style="padding-left: 90px;">5.2.4.2. Data Format: (“copyright holder”:<date(s)> ";")*</p>
| + | |
− | <p style="padding-left: 120px;">where date(s) are of form (YYYY["-"|","])* YYYY</p>
| + | |
− | <p style="padding-left: 90px;">5.2.4.3. Example: FileCopyright: “Linus Torvalds”:”1996-2010”;</p>
| + | |
− | <p style="padding-left: 60px;">5.2.5. Package(s) (optional)</p>
| + | |
− | <p style="padding-left: 60px;"><em><strong>(</strong></em>20100415 F2F<em><strong> - Kim</strong> to implement same as at package level.)</em></p>
| + | |
− | <p style="padding-left: 60px;"><span>5.2.6 Hash on File (optional)</span></p>
| + | |
− | <p style="padding-left: 60px;"><em> </em></p>
| + | |
− | <p><strong>6. DEFINITIONS</strong></p>
| + | |
− | <p style="padding-left: 60px;">6. Definitions</p>
| + | |
− | <p style="padding-left: 30px;">1. Package: ...</p>
| + | |
− | <p style="padding-left: 30px;">2. Date range: [YYYY,]*[YYYY-]YYYY syntax for multiple ranges needed.</p>
| + | |
− | <p style="padding-left: 30px;"><span style="font-style: italic;">(20100415 F2F Legal question: Do we want to capitalize terms that are defined here as in a legal agreement.)</span></p>
| + | |
− | <p style="padding-left: 30px;"><em><strong>(</strong></em>20100415 F2F<em><strong> All</strong>- Add terms here that seem ambiguous above.)</em></p>
| + | |
− | <p><em>(20100505 KS reshuffle sections to put this earlier in the specification? </em></p>
| + | |
− | <p><em><br /></em></p>
| + | |
− | <h2>Appendix I. Standard License Short Forms</h2>
| + | |
− | <p style="padding-left: 30px;">https://fossbazaar.org/wiki/standard-license-short-forms</p>
| + | |
− | <p style="padding-left: 30px;"><span style="font-size: 15px; font-weight: bold;"><em><span style="font-size: 10px; font-weight: normal;">(20100415 F2F Consider moving this section to SPDX website. </span></em><span style="font-size: 10px; font-weight: normal;">20100505 K</span><em><span style="font-size: 10px; font-weight: normal;">S this will be reference information in spec with its own syntax - <strong>Kate</strong> to own first draft </span></em><span style="font-size: 10px; font-weight: normal;">20100506 KS - </span><em><span style="font-size: 10px; font-weight: normal;">new link created - forrmatting in progress)</span></em></span></p>
| + | |
− | <p> </p>
| + | |
− | <h2 style="font-size: 1.5em;">Appendix II. Examples</h2>
| + | |
− | <p style="padding-left: 30px;">(20100505 KS - <em><strong>Kate</strong></em> - <em>create links to child pages with examples </em>) </p>
| + | |
− | <p> </p>
| + | |
− | <p><span style="font-family: arial, verdana, sans-serif; font-size: 17px; color: #333333; line-height: 16px;">(font (below) needs to be unified) </span></p>
| + | |
− | <p><span style="font-family: arial, verdana, sans-serif; font-size: 17px; color: #333333; font-weight: bold; line-height: 16px;">Appendix III. Creative Commons Attribution License 3.0</span></p>
| + | |
− | <p> </p>
| + | |
− | <p>THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.</p>
| + | |
− | <p>BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.</p>
| + | |
− | <p><strong>1. Definitions</strong></p>
| + | |
− | <ol type="a">
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Adaptation"</strong> means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Collection"</strong> means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Distribute"</strong> means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Licensor"</strong> means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Original Author"</strong> means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Work"</strong> means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"You"</strong> means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Publicly Perform"</strong> means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">"Reproduce"</strong> means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.</li>
| + | |
− | </ol>
| + | |
− | <p><strong>2. Fair Dealing Rights.</strong> Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.</p>
| + | |
− | <p><strong>3. License Grant.</strong> Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:</p>
| + | |
− | <ol type="a">
| + | |
− | <li style="margin-bottom: 8px;">to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;</li>
| + | |
− | <li style="margin-bottom: 8px;">to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";</li>
| + | |
− | <li style="margin-bottom: 8px;">to Distribute and Publicly Perform the Work including as incorporated in Collections; and,</li>
| + | |
− | <li style="margin-bottom: 8px;">to Distribute and Publicly Perform Adaptations.</li>
| + | |
− | <li style="margin-bottom: 8px;">
| + | |
− | <p>For the avoidance of doubt:</p>
| + | |
− | <ol type="i">
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">Non-waivable Compulsory License Schemes</strong>. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">Waivable Compulsory License Schemes</strong>. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and,</li>
| + | |
− | <li style="margin-bottom: 8px;"><strong style="color: #222222;">Voluntary License Schemes</strong>. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License.</li>
| + | |
− | </ol></li>
| + | |
− | </ol>
| + | |
− | <p>The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved.</p>
| + | |
− | <p><strong>4. Restrictions.</strong> The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:</p>
| + | |
− | <ol type="a">
| + | |
− | <li style="margin-bottom: 8px;">You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested.</li>
| + | |
− | <li style="margin-bottom: 8px;">If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.</li>
| + | |
− | <li style="margin-bottom: 8px;">Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise.</li>
| + | |
− | </ol>
| + | |
− | <p><strong>5. Representations, Warranties and Disclaimer</strong></p>
| + | |
− | <p>UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.</p>
| + | |
− | <p><strong>6. Limitation on Liability.</strong> EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</p>
| + | |
− | <p><strong>7. Termination</strong></p>
| + | |
− | <ol type="a">
| + | |
− | <li style="margin-bottom: 8px;">This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.</li>
| + | |
− | <li style="margin-bottom: 8px;">Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.</li>
| + | |
− | </ol>
| + | |
− | <p><strong>8. Miscellaneous</strong></p>
| + | |
− | <ol type="a">
| + | |
− | <li style="margin-bottom: 8px;">Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.</li>
| + | |
− | <li style="margin-bottom: 8px;">Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.</li>
| + | |
− | <li style="margin-bottom: 8px;">If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.</li>
| + | |
− | <li style="margin-bottom: 8px;">No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.</li>
| + | |
− | <li style="margin-bottom: 8px;">This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.</li>
| + | |
− | <li style="margin-bottom: 8px;">The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.</li>
| + | |
− | </ol>
| + | |
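Review bot: the removed Appendix III carried the full Creative Commons Attribution License 3.0 text, and nothing on the added side replaces it; the added lines link only the license list and the Version 1.2 RDF references. The replacement text should state the license terms that apply to the specification, or link to where they are stated. It should also link the specification document itself, since the new text calls this page "the location of the official version" without pointing to one. The same removal drops the open items at the top of this span (the note that the "[YYYY,]*[YYYY-]YYYY" date-range syntax for multiple ranges is still needed, and the F2F question on capitalizing defined terms) with no record of how they were resolved. A short pointer to where those questions are now tracked would keep them from being lost.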
This is the location of the official version of the SPDX specification. During active development of the next version, drafts may be found here as well.