8 File information section
8.1 File name field
8.1.1 Description
Identify the full path and filename that corresponds to the file information in this section. The metadata for the file name field is shown in Table 36.
Table 36 — Metadata for the file name field
Attribute | Value |
---|---|
Required | Yes |
Cardinality | 1..1 |
Format | A relative filename with the root of the package archive or directory. In general, every filename is preceded with a ./ , see http://www.ietf.org/rfc/rfc3986.txt for syntax. |
8.1.2 Intent
To aid finding the correct file which corresponds to the file information.
8.1.3 Examples
EXAMPLE 1 Tag: FileName:
FileName: ./package/foo.c
EXAMPLE 2 RDF: Property spdx:fileName
in class spdx:File
<File rdf:about="...">
<fileName>./package/foo.c</fileName>
...
</File>
8.2 File SPDX identifier field
8.2.1 Description
Uniquely identify any element in an SPDX document which might be referenced by other elements. These might be referenced internally and externally with the addition of the SPDX document identifier. The metadata for the file SPDX identifier field is shown in Table 37.
Table 37 — Metadata for the file SPDX identifier field
Attribute | Value |
---|---|
Required | Yes |
Cardinality | 1..1 |
Format | "SPDXRef-"[idstring] where [idstring] is a unique string containing letters, numbers, . and/or - . |
8.2.2 Intent
There may be several versions of the same file within an SPDX document. Each element needs to be able to be referred to uniquely so that relationships between elements can be clearly articulated.
8.2.3 Examples
EXAMPLE 1 Tag: SPDXID:
SPDXID: SPDXRef-1
EXAMPLE 2 RDF: The URI for the element will follow the form: [SpdxDocumentURI]#SPDXRef-[idstring] where [SpdxDocumentURI] is the URI for the SPDX document containing the element.
Using xml:base:
<rdf:RDF xml:base="http://acme.com/spdxdocs/acmeproj/v1.2/1BE2A4FF-5F1A-48D3-8483-28A9B0349A1B"
...
<File rdf:about="#SPDXRef-1">
...
</File>
Using document URI:
<File rdf:about="http://acme.com/spdxdocs/acmeproj/v1.2/1BE2A4FF-5F1A-48D3-8483-28A9B0349A1B#SPDXRef-1">
...
</File>
8.3 File type field
8.3.1 Description
This field provides information about the type of file identified. File Type is intrinsic to the file, independent of how the file is being used. A file may have more than one file type assigned to it, however the options to populate this field are limited to:
SOURCE
if the file is human readable source code (.c, .html, etc.);BINARY
if the file is a compiled object, target image or binary executable (.o, .a, etc.);ARCHIVE
if the file represents an archive (.tar, .jar, etc.);APPLICATION
if the file is associated with a specific application type (MIME type of application/*);AUDIO
if the file is associated with an audio file (MIME type of audio/* , e.g. .mp3);IMAGE
if the file is associated with a picture image file (MIME type of image/*, e.g., .jpg, .gif);TEXT
if the file is human readable text file (MIME type of text/*);VIDEO
if the file is associated with a video file type (MIME type of video/*);DOCUMENTATION
if the file serves as documentation;SPDX
if the file is an SPDX document;OTHER
if the file doesn't fit into the above categories (generated artifacts, data files, etc.)
The metadata for the file type field is shown in Table 38.
Table 38 — Metadata for the file type field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | SOURCE | BINARY | ARCHIVE | APPLICATION | AUDIO | IMAGE | TEXT | VIDEO | DOCUMENTATION | SPDX | OTHER |
8.3.2 Intent
Here, this field is a reasonable estimation of the file type, from a developer perspective.
8.3.3 Examples
EXAMPLE 1 Tag: FileType:
FileType: BINARY
For a README.TXT
FileType: TEXT
FileType: DOCUMENTATION
foo.exe
FileType: BINARY
FileType: APPLICATION
EXAMPLE 2 RDF: Property spdx:fileType
in class spdx:File
<File rdf:about="file1">
<fileType rdf:resource="fileType_binary" />
</File>
Where file2 is a README.TXT
<File rdf:about="file2">
<fileType rdf:resource
="http://spdx.org/rdf/terms#fileType_text" />
<fileType rdf:resource
="http://spdx.org/rdf/terms#fileType_documentation" />
</File>
8.4 File checksum field
8.4.1 Description
This field provides the result from some specific checksum algorithm. Checksum algorithms consume data from the file and produce a short, fix-sized summary that is sensitive to changes in the file's data. Any random change to the file's data will (with high likelihood) result in a different checksum value.
The metadata for the file checksum field is shown in Table 39.
Table 39 — Metadata for the file checksum field
Attribute | Value |
---|---|
Required | Yes |
Cardinality | 1..1 for the SHA1 algorithm, 0..* for all other algorithms |
Algorithm | SHA1 is to be used on the file. Other algorithms that can be provided optionally include SHA224 , SHA256 , SHA384 , SHA512 , [SHA3-256 ][SHA3-256], [SHA3-384 ][SHA3-384], [SHA3-512 ][SHA3-512], [BLAKE2b-256 ][BLAKE2b-256], [BLAKE2b-384 ][BLAKE2b-384], [BLAKE2b-512 ][BLAKE2b-512], [BLAKE3 ][BLAKE3], MD2 , MD4 , MD5 , MD6 , [ADLER32 ][ADLER32] |
Format | In tag:value there are three components, an algorithm identifier (SHA1), a separator (“:”) and a checksum value. The RDF shall also contain an algorithm identifier and a checksum value. For example, when the algorithm identifier is SHA1, the checksum value should be a 160-bit value represented as 40 lowercase hexadecimal digits. For other algorithms, an appropriate number of hexadecimal digits is expected. |
8.4.2 Intent
Checksum values are used primarily to protect a file's data against accidental corruption during transmissions or storage. Cryptographically strong checksum algorithms may be used to detect deliberate corruption, but only if the authenticity of the checksum value may be verified.
Checksum values may also be used as an identifier for the file's data that is (with high likelihood) unique. Such an identifier may be used to establish the desired version of a file, if multiple versions are available.
8.4.3 Examples
EXAMPLE 1 Tag: FileChecksum:
FileChecksum: SHA1: d6a770ba38583ed4bb4525bd96e50461655d2758
FileChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
EXAMPLE 2 RDF: Property spdx:Checksum
in class spdx:File
<File rdf:about="...">
<checksum>
<Checksum>
<algorithm rdf:resource
="http://spdx.org/rdf/terms#checksumAlgorithm_sha1"/>
<checksumValue>d6a770ba38583ed4bb4525bd96e50461655d2758
</checksumValue>
</Checksum>
</checksum>
<checksum>
<Checksum>
<algorithm rdf:resource
="http://spdx.org/rdf/terms#checksumAlgorithm_md5"/>
<checksumValue> 624c1abb3664f4b35547e7c73864ad24
</checksumValue>
</Checksum>
</checksum>
</File>
8.5 Concluded license field
8.5.1 Description
This field contains the license the SPDX document creator has concluded as governing the file or alternative values if the governing license cannot be determined.
The options to populate this field are limited to:
A valid SPDX License Expression as defined in Annex D;
NONE
, if the SPDX document creator concludes there is no license available for this file; or
NOASSERTION
, if:
-
the SPDX document creator has attempted to, but cannot reach a reasonable objective determination;
-
the SPDX document creator has made no attempt to determine this field; or
-
the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).
If the Concluded License is not the same as the License Information in File, a written explanation should be provided in the Comments on License field (8.7). With respect to NOASSERTION
, a written explanation in the Comments on License field (8.7) is preferred. If the Concluded License field is not present for a file, it implies an equivalent meaning to NOASSERTION
. The metadata for the concluded license field is shown in Table 40.
Table 40 — Metadata for the concluded license field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..1 |
Format | <SPDX License Expression> | NONE | NOASSERTION where: <SPDX License Expression> is a valid SPDX License Expression as defined in Annex D. |
8.5.2 Intent
Here, the intent is for the SPDX document creator to analyze the License Information in File (8.6) and other objective information, e.g., “COPYING FILE,” along with the results from any scanning tools, to arrive at a reasonably objective conclusion as to what license governs the file.
8.5.3 Examples
EXAMPLE 1 Tag: LicenseConcluded:
LicenseConcluded: LGPL-2.0-only
LicenseConcluded: (LGPL-2.0-only OR LicenseRef-2)
EXAMPLE 2 RDF: Property spdx:licenseConcluded
in class spdx:File
<File rdf:about="file">
<licenseConcluded>LGPL-2.0-only</licenseConcluded>
</File>
<File rdf:about="...">
<licenseConcluded>
<DisjunctiveLicenseSet>
<member rdf:resource
="http://spdx.org/licenses/LGPL-2.0-only"/>
<member rdf:resource="#LicenseRef-2"/>
</DisjunctiveLicenseSet>
</licenseConcluded>
</File>
8.6 License information in file field
8.6.1 Description
This field contains the license information actually found in the file, if any. This information is most commonly found in the header of the file, although it might be in other areas of the actual file. Any license information not actually in the file, e.g., “COPYING.txt” file in a top-level directory, should not be reflected in this field.
The options to populate this field are limited to:
The SPDX License List short form identifier, if the license is on the SPDX License List;
A reference to the license, denoted by LicenseRef-[idstring]
, if the license is not on the SPDX License List;
NONE
, if the file contains no license information whatsoever; or
NOASSERTION
, if:
-
the SPDX document creator has made no attempt to determine this field; or
-
the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).
If license information for more than one license is contained in the file or if the license information offers the package recipient a choice of licenses, then each of the choices should be listed as a separate entry. If the License Information in File field is not present for a file, it implies an equivalent meaning to NOASSERTION
. The metadata for the license information in file field is shown in Table 41.
Table 41 — Metadata for the license information in file field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | <SPDX License Expression> |["DocumentRef-" [idstring] ":"]"LicenseRef-"[idstring] || NONE | NOASSERTION where: <SPDX License Expression> is a valid SPDX License Expression as defined in Annex D."DocumentRef-" [idstring] : is an optional reference to an external SPDX document as described in 6.6[idstring] is a unique string containing letters, numbers, . and/or - |
8.6.2 Intent
Here, the intent is to provide the license information actually in the file, as compared to the Concluded License field.
8.6.3 Examples
EXAMPLE 1 Tag: LicenseInfoInFile:
LicenseInfoInFile: GPL-2.0-only
LicenseInfoInFile: LicenseRef-2
EXAMPLE 2 RDF: Property spdx:licenseInfoInFile
in class spdx:File
<File rdf:about="file1">
<licenseInfoInFile rdf:resource
="http://spdx.org/licenses/GPL-2.0-only" />
<licenseInfoInFile rdf:resource="#LicenseRef-2" />
</File>
8.7 Comments on license field
8.7.1 Description
This field provides a place for the SPDX document creator to record any relevant background references or analysis that went in to arriving at the Concluded License for a file. If the Concluded License does not match the License Information in File, this should be explained by the SPDX document creator. It is also preferable to include an explanation here when the Concluded License is NOASSERTION
. The metadata for the comments on license field is shown in Table 42.
Table 42 — Metadata for the comments on license field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..1 |
Format | Free form text that can span multiple lines |
8.7.2 Intent
Here, the intent is to provide the recipient of the SPDX document with a detailed explanation of how the Concluded License was determined if it does not match the License Information in File, is marked NOASSERTION
, or other helpful information relevant to determining the license of the file.
8.7.3 Examples
EXAMPLE 1 Tag: LicenseComments:
In tag:value
format multiple lines are delimited by <text> .. </text>
.
LicenseComments: <text>The concluded license was taken from the package
level that the file was included in. This information was found in the
COPYING.txt file in the xyz directory.</text>
EXAMPLE 2 RDF: Property spdx:licenseComments
in class spdx:File
<File rdf:about="...">
<licenseComments>
The concluded license was taken from the package level that
the file was included in. This information was found in the
COPYING.txt file in the xyz directory. This package has been
shipped in source and binary form.
</licenseComments>
</File>
8.8 Copyright text field
8.8.1 Description
Identify the copyright holder of the file, as well as any dates present. This shall be a free-form text field extracted from the actual file.
The options to populate this field are limited to:
Any text relating to a copyright notice, even if not complete;
NONE
, if the file contains no copyright information whatsoever; or
NOASSERTION
, if
-
the SPDX document creator has made no attempt to determine this field; or
-
the SPDX document creator has intentionally provided no information (no meaning should be implied from the absence of an assertion).
If the Copyright Text field is not present for a file, it implies an equivalent meaning to NOASSERTION
. The metadata for the copyright text field is shown in Table 43.
Table 43 — Metadata for the copyright text field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..1 |
Format | Free form text that can span multiple lines | NONE | NOASSERTION |
8.8.2 Intent
Record any copyright notice for the file.
8.8.3 Examples
EXAMPLE 1 Tag: FileCopyrightText:
In tag:value
format multiple lines are delimited by <text> .. </text>
.
FileCopyrightText: <text> Copyright 2008-2010 John Smith </text>
EXAMPLE 2 RDF: Property spdx:copyrightText
in class spdx:File
<File rdf:about="...">
<copyrightText>
Copyright 2008-2010 John Smith
</copyrightText>
</File>
8.9 Artifact of project name field (deprecated)
This field is deprecated since 1.8.4, as they can be replaced by a relationship to the more descriptive External Packages.
8.9.1 Description
To indicate that a file has been derived from a specific project. The metadata for the artifact of project name field is shown in Table 44.
Table 44 — Metadata for the artifact of project name field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | Single line of text. In tag:value format the ArtifactOfProjectName shall precede any optional ArtifactOf optional properties (e.g. ArtifactOfHomePage and ArtifactOfURI). |
8.9.2 Intent
To make it easier for recipients of the SPDX document to determine the original source of the identified file. If the project is not described in an SPDX document, then ArtifactOf
can be used.
If the project is described in another SPDX document, then Relationship should be used.
8.9.3 Examples
EXAMPLE 1 Tag: ArtifactOfProjectName:
ArtifactOfProjectName: Jena
EXAMPLE 2 RDF: Property doap:name
in class doap:Project
in property spdx:artifactOf
in class spdx:File
<File>
<artifactOf>
<doap:Project>
<doap:name>Jena</doap:name>
</doap:Project>
</artifactOf>
</File>
8.10 Artifact of project homepage field (deprecated)
This field is deprecated since 1.8.4, as they can be replaced by a relationship to the more descriptive External Packages.
8.10.1 Description
To indicate the location of the project from which the file has been derived. The metadata for the artifact of project homepage field is shown in Table 45.
Table 45 — Metadata for the artifact of project homepage field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | Uniform Resource Locator | UNKNOWN .In tag:value format all optional ArtifactOf fields shall follow immediately below the ArtifactOfProjectName. |
8.10.2 Intent
To make it easier for recipients of the SPDX document to determine the original source of the identified file. If the project is described in another SPDX document, then Relationship
should be used.
8.10.3 Examples
EXAMPLE 1 Tag: Property ArtifactOfProjectHomePage
in class spdx:File
ArtifactOfProjectHomePage: http://www.openjena.org/
EXAMPLE 2 RDF: Property doap:homepage
in class doap:Project
in property spdx:artifactOf
in class spdx:File
<File>
<artifactOf>
<doap:Project>
<doap:homepage >rttp://www.openjena.org/</doap:homepage>
</doap:Project>
</artifactOf>
</File>
8.11 Artifact of project uniform resource identifier field (deprecated)
This field is deprecated since 1.8.4, as they can be replaced by a relationship to the more descriptive External Packages.
8.11.1 Description
To provide a linkage to the project resource in the DOAP document and permit interoperability between the different formats supported. The metadata for the artifact of project uniform resource identifier field is shown in Table 46.
Table 46 — Metadata for the artifact of project uniform resource identifier field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | Uniform Resource Identifier. In tag:value format all optional ArtifactOf fields shall follow immediately below the ArtifactOfProjectName. |
In tag:value
format all optional ArtifactOf fields shall follow immediately below the ArtifactOfProjectName.
8.11.2 Intent
To make it easier for recipients of the SPDX document to determine the original source of the identified file. If the project is described in another SPDX document, then Relationship
should be used.
8.11.3 Examples
EXAMPLE 1 Tag: ArtifactOfProjectURI:
ArtifactOfProjectURI: http://subversion.apache.org/doap.rdf
EXAMPLE 2 RDF: Property spdx:artifactOf
in class spdx:File
<File>
<artifactOf rdf:resource="http://subversion.apache.org/" />
</File>
<!-- Note: within the DOAP file at http://subversion.apache.org/doap.rdf
the value "http://subversion.apache.org/" is the URI of the describes
resource of type doap:Project -->
8.12 File comment field
8.12.1 Description
This field provides a place for the SPDX document creator to record any general comments about the file. The metadata for the file comment field is shown in Table 47.
Table 47 — Metadata for the file comment field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..1 |
Format | Free form text that may span multiple lines |
8.12.2 Intent
Here, the intent is to provide the recipient of the SPDX document with more information determined after careful analysis of a file.
8.12.3 Examples
EXAMPLE 1 Tag: FileComment:
In tag:value
format multiple lines are delimited by <text> .. </text>
.
FileComment: <text>
This file appears in other packages, such as Foo and Ufoo.
</text>
EXAMPLE 2 RDF: Property rdfs:comments
in class spdx:File
<File rdf:about="...">
<rdfs:comment>
This file appears in other packages, such as Foo and Ufoo.
</rdfs:comment>
</File>
8.13 File notice field
8.13.1 Description
This field provides a place for the SPDX document creator to record license notices or other such related notices found in the file. This might or might not include copyright statements. The metadata for the file notice field is shown in Table 48.
Table 48 — Metadata for the file notice field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..1 |
Format | Free form text that can span multiple lines |
8.13.2 Intent
Here, the intent is to provide the recipient of the SPDX document with notices that may require additional review or otherwise contribute to the determination of the Concluded License.
8.13.3 Examples
EXAMPLE 1 Tag: FileNotice:
In tag:value
format multiple lines are delimited by <text> .. </text>
.
FileNotice: <text>This file is licensed under GPL.</text>
EXAMPLE 2 RDF: Property noticeText
in class spdx:File
<File rdf:about="...">
<noticeText>
This file is licensed under GPL.
</noticeText>
</File>
8.14 File contributor field
8.14.1 Description
This field provides a place for the SPDX document creator to record file contributors. Contributors could include names of copyright holders and/or authors who might not be copyright holders, yet contributed to the file content. The metadata for the file contributor field is shown in Table 49.
Table 49 — Metadata for the file contributor field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | Free form text on a single line. |
8.14.2 Intent
Here, the intent is to provide the recipient of the SPDX document with a list of one or more contributors (credits). This is one way of providing acknowledgement to the contributors of a file. This would be useful, for example, if a recipient company wanted to contact copyright holders to inquire about alternate licensing.
8.14.3 Examples
EXAMPLE 1 Tag: FileContributor:
In tag:value
format single line per contributor.
FileContributor: Modified by Paul Mundt lethal@linux-sh.org
FileContributor: The Regents of the University of California
FileContributor: IBM Corporation
EXAMPLE 2 RDF: Property spdx:fileContributor
in class spdx:File
<File rdf:about="...">
<fileContributor> Modified by Paul Mundt lethal@linux-sh.org
</fileContributor>
<fileContributor> The Regents of the University of California
</fileContributor>
<fileContributor> IBM Corporation </fileContributor>
</File>
8.15 File attribution text field
8.15.1 Description
This field provides a place for the SPDX document creator to record, at the file level, acknowledgements that might be required to be communicated in some contexts. This is not meant to include the file's actual complete license text (see LicenseConcluded
and LicenseInfoInFile
), and might or might not include copyright notices (see also FileCopyrightText
). The SPDX document creator might use this field to record other acknowledgements, such as particular clauses from license texts, which might be necessary or desirable to reproduce. The metadata for the file attribution text field is shown in Table 50.
Table 50 — Metadata for the file attribution text field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | Free form text that can span multiple lines. |
8.15.2 Intent
The intent is to provide the recipient of the SPDX document with acknowledgement content at a file level, to assist redistributors of the file with reproducing those acknowledgements. This field does not necessarily indicate where, or in which contexts, the acknowledgements need to be reproduced (such as end-user documentation, advertising materials, etc.) and the SPDX document creator might or might not explain elsewhere how they intend for this field to be used.
8.15.3 Examples
EXAMPLE 1 Tag: FileAttributionText:
In tag:value
format multiple lines are delimited by <text> .. </text>
.
FileAttributionText: <text>
All advertising materials mentioning features or use of this software
must display the following acknowledgement: This product includes
software developed by the AT&T.
</text>
EXAMPLE 2 RDF: Property spdx:attributionText
in class spdx:File
<File rdf:about="...">
<attributionText>
All advertising materials mentioning features or use of
this software must display the following acknowledgement:
This product includes software developed by the AT&T.
</attributionText>
</File>
8.16 File dependencies field (deprecated)
This field is deprecated since SPDX 2.0 in favor of using Clause 11 which provides more granularity about relationships.
8.16.1 Description
The field provides a place for the SPDX document creator to record a list of other files (referenceable within this SPDX document) which the file is a derivative of and/or depends on for the build (e.g., source file or build script for a binary program or library). The list of files might not necessarily represent the list of all file dependencies, but possibly the ones that impact the licensing and/or might be needed as part of the file distribution obligation. The metadata for the file dependencies field is shown in Table 51.
Table 51 — Metadata for the file dependencies field
Attribute | Value |
---|---|
Required | No |
Cardinality | 0..* |
Format | Reference to the file within the SPDX document. For the tag:value format, this will be the filename. For the RDF format, it shall be a reference to the actual file node. |
8.16.2 Intent
Here, the intent is to provide the recipient of the SPDX document with file dependency information based on the build system that created the file. These other files might impact the licensing of the file and/or might be required to satisfy the distribution obligation of the file (e.g., source files subject to a copyleft license).
8.16.3 Examples
EXAMPLE 1 Tag: FileDependency:
FileDependency: ./busybox-1.20.2/shell/match.h
FileDependency: ./busybox-1.20.2/shell/match.c
FileDependency: ./busybox-1.20.2/shell/ash.c
EXAMPLE 2 RDF: Property spdx:fileDependency
in class spdx:File
<File rdf:nodeID="A0">
<fileName>./package/source1.java</fileName>
</File>
<File rdf:nodeID="A1">
<fileName>./package/source2.java</fileName>
</File>
<File rdf:nodeID="A3">
<fileName>./package/source3.java</fileName>
</File>
<File rdf:about="...">
<fileName>./package/mylibrary.jar</fileName>
<fileDependency rdf:nodeID="A0"/>
<fileDependency rdf:nodeID="A1"/>
<fileDependency rdf:nodeID="A2"/>
</File>