Licensing
Summary
The Licensing Profile defines a minimum set of license information to facilitate compliance with typical license use cases.
Description
The Licensing profile only contains the additional requirement that any Software Artifact must have a Relationship of type hasConcludedLicense.
Classes and Property restrictions are defined in the SimpleLicensing Profile (Classes and Properties associated with license expression strings) and in the ExpandedLicensing Profile (Classes and Properties used for a fully parsed syntax tree of license expressions).
There are two relationship types related to licensing: hasDeclaredLicense and hasConcludedLicense.
If the hasConcludedLicense for a Software Artifact is not the same as its hasDeclaredLicense, a written explanation SHOULD be provided in the comment field of the hasConcludedLicense relationship.
A written explanation of a relationship to a NoAssertionLicense MAY be provided in the comment field for the relationship.
hasDeclaredLicense
A hasDeclaredLicense identifies the license information actually found in the Software Artifact, for example as detected by use of automated tooling.
This field is not intended to capture license information obtained from an external source, such as a package's website. Such information can be included, as needed, in the hasConcludedLicense field.
A hasDeclaredLicense may be expressed differently in practice for different types of Software Artifacts. For example:
- for Packages, it would include license info for the Package as a whole, found in the Package itself (e.g., LICENSE file, README file, metadata in the Package, etc.), but it would not include any license information that is not in the Package itself (e.g., license information from the project's website or from a third party repository or website).
- for Files, it would include license info found in the File itself (e.g., license header or notice, comments indicating the license, SPDX-License-Identifier expression), but it would not include license info found in a different file (e.g., LICENSE file in the top directory of a repository).
- for Snippets, it would include license info found in the Snippet itself (e.g., license notice, comments, SPDX-License-Identifier expression), but it would not include license info found elsewhere in the File or in a different File (e.g., comment at top of File if it is not within the Snippet, LICENSE file in the top directory of a repository).
A hasDeclaredLicense relationship to NoneLicense indicates that the corresponding Package, File or Snippet contains no license information whatsoever.
A hasDeclaredLicense relationship to NoAssertionLicense indicates that one of the following applies:
- the SPDX data creator has attempted to but cannot reach a reasonable objective determination;
- the SPDX data creator has made no attempt to determine this field; or
- the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so).
If a hasDeclaredLicense relationship is not present, no assumptions can be made about whether or not a hasDeclaredLicense exists.
Note that a missing hasDeclaredLicense is not the same as a relationship to NoAssertionLicense since the latter is a "known unknown" whereas no assumptions can be made from a missing hasDeclaredLicense relationship.
hasConcludedLicense
A hasConcludedLicense is the license identified by the SPDX data creator, based on analyzing the license information in the Software Artifact and other information to arrive at a reasonably objective conclusion as to what license governs the Software Artifact.
A hasConcludedLicense relationship to NoneLicense indicates that the SPDX data creator has looked and did not find any license information for this Software Artifact.
A hasConcludedLicense relationship to NoAssertionLicense indicates that one of the following applies:
- the SPDX data creator has attempted to but cannot reach a reasonable objective determination;
- the SPDX data creator has made no attempt to determine this field; or
- the SPDX data creator has intentionally provided no information (no meaning should be implied by doing so).
If a hasConcludedLicense is not present, no assumptions can be made about whether or not a hasConcludedLicense exists.
Note that a missing hasConcludedLicense is not the same as a relationship to a NoAssertionLicense since the latter is a "known unknown" whereas no assumptions can be made from a missing hasConcludedLicense relationship.
Metadata
- IRI: https://spdx.org/rdf/3.0.1/terms/Licensing
- Name: Licensing
Profile conformance
For an element collection to be conformant with this profile, the following has to hold:
- for every /Software/SoftwareArtifact there MUST exist exactly one /Core/Relationship of type hasConcludedLicense having that element as its from property and a /SimpleLicensing/AnyLicenseInfo as its to property.
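As an added example (not code from the SPDX project), the following Python checker applies the conformance rule above together with the hasDeclaredLicense and hasConcludedLicense semantics described earlier: it requires exactly one hasConcludedLicense per Software Artifact pointing at a license info element, warns when the concluded license differs from the declared one without a comment, and notes NoAssertion conclusions and missing declared relationships as known unknowns rather than errors. The sample document is constructed; its keys (type, spdxId, from, to, relationshipType, comment, simplelicensing_licenseExpression), the type names, and the NoAssertionLicense/NoneLicense IRIs are assumptions about the 3.0.1 JSON-LD serialization and should be verified against the published context before the checker is run on real documents.

```python
"""Checker for the SPDX 3.0.1 Licensing profile rules described on this page.

Added example, not SPDX project code. SAMPLE_DOC is constructed. The JSON-LD
keys, type names and the two special license IRIs are assumptions about the
3.0.1 serialization; verify them against the published context.
"""
from collections import defaultdict

TERMS = "https://spdx.org/rdf/3.0.1/terms/"
NO_ASSERTION = TERMS + "ExpandedLicensing/NoAssertionLicense"  # assumed IRI
NONE_LICENSE = TERMS + "ExpandedLicensing/NoneLicense"         # assumed IRI

ARTIFACT_TYPES = {"software_Package", "software_File", "software_Snippet"}
# Subset of AnyLicenseInfo subclasses accepted as a relationship target (assumed names).
LICENSE_INFO_TYPES = {
    "simplelicensing_LicenseExpression",
    "expandedlicensing_ListedLicense",
    "expandedlicensing_CustomLicense",
    "expandedlicensing_ConjunctiveLicenseSet",
    "expandedlicensing_DisjunctiveLicenseSet",
}


def _rel(rid, frm, to, rtype, comment=None):
    """Build a Relationship element for the constructed sample."""
    r = {"type": "Relationship", "spdxId": rid, "from": frm, "to": [to], "relationshipType": rtype}
    if comment:
        r["comment"] = comment
    return r


def _expr(lid, expr):
    """Build a LicenseExpression element for the constructed sample."""
    return {"type": "simplelicensing_LicenseExpression", "spdxId": lid, "simplelicensing_licenseExpression": expr}


SAMPLE_DOC = {  # constructed, not a real SBOM
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "software_Package", "spdxId": "urn:ex:pkg-a", "name": "libfoo"},
        {"type": "software_File", "spdxId": "urn:ex:file-b", "name": "src/util.c"},
        {"type": "software_File", "spdxId": "urn:ex:file-c", "name": "src/vendored.c"},
        {"type": "software_Package", "spdxId": "urn:ex:pkg-d", "name": "orphan"},
        {"type": "software_Snippet", "spdxId": "urn:ex:snip-e", "name": "blob"},
        _expr("urn:ex:lic-mit", "MIT"),
        _expr("urn:ex:lic-mit-2", "MIT"),
        _expr("urn:ex:lic-apache", "Apache-2.0"),
        # pkg-a: scanner found MIT, reviewer concluded MIT via a separate element -> no finding
        _rel("urn:ex:r1", "urn:ex:pkg-a", "urn:ex:lic-mit", "hasDeclaredLicense"),
        _rel("urn:ex:r2", "urn:ex:pkg-a", "urn:ex:lic-mit-2", "hasConcludedLicense"),
        # file-b: nothing in the file itself, concluded from the repository LICENSE, explained -> no finding
        _rel("urn:ex:r3", "urn:ex:file-b", NONE_LICENSE, "hasDeclaredLicense"),
        _rel("urn:ex:r4", "urn:ex:file-b", "urn:ex:lic-apache", "hasConcludedLicense",
             "No header in file; repository LICENSE is Apache-2.0"),
        # file-c: declared and concluded disagree with no explanation -> WARN
        _rel("urn:ex:r5", "urn:ex:file-c", "urn:ex:lic-mit", "hasDeclaredLicense"),
        _rel("urn:ex:r6", "urn:ex:file-c", "urn:ex:lic-apache", "hasConcludedLicense"),
        # pkg-d has no hasConcludedLicense at all -> ERROR
        # snip-e: concluded NoAssertion without explanation, and no declared relationship -> two INFOs
        _rel("urn:ex:r7", "urn:ex:snip-e", NO_ASSERTION, "hasConcludedLicense"),
    ],
}


def index_elements(doc):
    """Map spdxId -> element for everything in the @graph."""
    return {el["spdxId"]: el for el in doc["@graph"]}


def licensing_relationships(elements):
    """Group hasDeclaredLicense / hasConcludedLicense relationships by their 'from' element."""
    by_from = defaultdict(lambda: defaultdict(list))
    for el in elements.values():
        rtype = el.get("relationshipType")
        if el.get("type") == "Relationship" and rtype in ("hasDeclaredLicense", "hasConcludedLicense"):
            by_from[el["from"]][rtype].append(el)
    return by_from


def is_license_info(target, elements):
    """True if the target is NoAssertion/None or an element of an AnyLicenseInfo type."""
    return target in (NO_ASSERTION, NONE_LICENSE) or elements.get(target, {}).get("type") in LICENSE_INFO_TYPES


def license_key(target, elements):
    """Compare licenses by meaning: an expression's string, otherwise its IRI."""
    el = elements.get(target, {})
    if el.get("type") == "simplelicensing_LicenseExpression":
        return el.get("simplelicensing_licenseExpression")
    return target


def check_licensing_profile(doc):
    """Return (level, spdxId, message) findings: ERROR breaks conformance,
    WARN is a violated SHOULD, INFO records a known unknown or a gap."""
    elements = index_elements(doc)
    rels = licensing_relationships(elements)
    findings = []
    for sid, el in elements.items():
        if el.get("type") not in ARTIFACT_TYPES:
            continue
        concluded, declared = rels[sid]["hasConcludedLicense"], rels[sid]["hasDeclaredLicense"]
        if len(concluded) != 1:
            findings.append(("ERROR", sid, f"need exactly one hasConcludedLicense, found {len(concluded)}"))
            continue
        crel = concluded[0]
        targets = crel.get("to", [])
        if len(targets) != 1 or not is_license_info(targets[0], elements):
            findings.append(("ERROR", sid, "hasConcludedLicense must target exactly one AnyLicenseInfo"))
            continue
        ctarget = targets[0]
        if ctarget == NO_ASSERTION and not crel.get("comment"):
            findings.append(("INFO", sid, "concluded license is NoAssertion and carries no explanation"))
        if not declared:
            findings.append(("INFO", sid, "no hasDeclaredLicense relationship: nothing may be inferred about it"))
        elif len(declared) == 1 and len(declared[0].get("to", [])) == 1:
            dtarget = declared[0]["to"][0]
            if license_key(dtarget, elements) != license_key(ctarget, elements) and not crel.get("comment"):
                findings.append(("WARN", sid, "concluded differs from declared but hasConcludedLicense has no comment"))
    return findings


def is_conformant(doc):
    """Profile conformance only depends on the MUST rule, i.e. on ERROR findings."""
    return not any(level == "ERROR" for level, _, _ in check_licensing_profile(doc))


if __name__ == "__main__":
    for level, sid, msg in check_licensing_profile(SAMPLE_DOC):
        print(f"{level:5} {sid}: {msg}")
    print("conformant:", is_conformant(SAMPLE_DOC))
```

Licenses are compared by meaning rather than by element identity so that two LicenseExpression elements carrying the same expression string (as pkg-a has) do not trigger the "differs from declared" warning; a missing hasDeclaredLicense is deliberately reported as INFO, not as an error, because the page states that nothing can be inferred from its absence.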