DOKK Library

SPDX Specification 1.0

Authors Linux Foundation

License CC-BY-3.0

Plaintext
Software Package Data Exchange (SPDX™)
                             Specification

                                   Version: 1.0
                                                                                      Software Package Data Exchange (SPDX™) Specification




                                                  TABLE           OF      CONTENTS

1 RATIONALE..................................................................................................... 5
  1.1   CHARTER.................................................................................................................................... 5
  1.2   DEFINITION.................................................................................................................................. 5
  1.3   WHY IS A COMMON FORMAT FOR DATA EXCHANGE NEEDED?............................................................................5
  1.4   WHAT DOES THIS SPECIFICATION COVER?................................................................................................. 5
  1.5   WHAT IS NOT COVERED IN THE SPECIFICATION?.......................................................................................... 6
  1.6   FORMAT REQUIREMENTS:................................................................................................................... 6
  1.7   CONFORMANCE.............................................................................................................................. 7
2 SPDX DOCUMENT INFORMATION......................................................................8
  2.1 SPDX VERSION ........................................................................................................................... 8
  2.2 DATA LICENSE ............................................................................................................................ 8
3 CREATION INFORMATION...............................................................................10
  3.1 CREATOR.................................................................................................................................. 10
  3.2 CREATED................................................................................................................................... 10
  3.3 CREATOR COMMENTS..................................................................................................................... 11
4 PACKAGE INFORMATION................................................................................12
  4.1 FORMAL NAME........................................................................................................................... 12
  4.2 PACKAGE VERSION INFORMATION....................................................................................................... 12
  4.3 PACKAGE FILE NAME..................................................................................................................... 13
  4.4 PACKAGE SUPPLIER....................................................................................................................... 13
  4.5 PACKAGE ORIGINATOR.................................................................................................................... 14
  4.6 PACKAGE DOWNLOAD LOCATION........................................................................................................ 14
  4.7 PACKAGE VERIFICATION CODE........................................................................................................... 15
  4.8 PACKAGE CHECKSUM..................................................................................................................... 16
  4.9 SOURCE INFORMATION.................................................................................................................... 16
  4.10 CONCLUDED LICENSE................................................................................................................... 17
  4.11 ALL LICENSES INFORMATION FROM FILES.............................................................................................18
  4.12 DECLARED LICENSE..................................................................................................................... 19
  4.13 COMMENTS ON LICENSE ............................................................................................................... 20
  4.14 COPYRIGHT TEXT....................................................................................................................... 21
  4.15 PACKAGE SUMMARY DESCRIPTION..................................................................................................... 21
  4.16 PACKAGE DETAILED DESCRIPTION..................................................................................................... 22
5 OTHER LICENSING INFORMATION DETECTED...................................................23
  5.1 IDENTIFIER ASSIGNED..................................................................................................................... 23
  5.2 EXTRACTED TEXT                                    ......................................................................................23
6 FILE INFORMATION........................................................................................25
  6.1   FILE NAME................................................................................................................................ 25
  6.2   FILE TYPE.................................................................................................................................. 25
  6.3   FILE CHECKSUM........................................................................................................................... 26
  6.4   CONCLUDED LICENSE..................................................................................................................... 26
  6.5   LICENSE INFORMATION IN FILE........................................................................................................... 28
  6.6   COMMENTS ON LICENSE ................................................................................................................. 28
  6.7   COPYRIGHT TEXT......................................................................................................................... 29
                                                       Official SPDX Specification 1.0.
                                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                                   All other rights are expressly reserved.
                                                                 Page 3 of 64
                                                                                      Software Package Data Exchange (SPDX™) Specification



  6.8 ARTIFACT OF PROJECT NAME............................................................................................................ 30
  6.9 ARTIFACT OF PROJECT HOMEPAGE...................................................................................................... 30
  6.10 ARTIFACT OF PROJECT UNIFORM RESOURCE IDENTIFIER.............................................................................31
7 REVIEW INFORMATION...................................................................................32
  7.1 REVIEWER.................................................................................................................................. 32
  7.2 REVIEW DATE............................................................................................................................. 32
  7.3 REVIEW COMMENTS...................................................................................................................... 33
APPENDIX I. STANDARD LICENSE SHORT FORMS...............................................34
APPENDIX II. RDF DATA MODEL IMPLEMENTATION ..........................................38
   OVERVIEW...................................................................................................................................... 38
   VOCABULARY .................................................................................................................................. 39
   ABSTRACT...................................................................................................................................... 39
   CLASSES........................................................................................................................................ 39
   PROPERTIES..................................................................................................................................... 45
   INDIVIDUALS.................................................................................................................................... 58
   AGENT AND TOOL IDENTIFIERS............................................................................................................... 59
APPENDIX III. CREATIVE COMMONS ATTRIBUTION LICENSE 3.0 UNPORTED........61




                                                      Official SPDX Specification 1.0.
                                       Copyright © 2010-2011 Linux Foundation and its Contributors.
                                  Licensed under the Creative Commons Attribution License 3.0 Unported.
                                                  All other rights are expressly reserved.
                                                                Page 4 of 64
                                                                     Software Package Data Exchange (SPDX™) Specification




1 Rationale
     1.1     Charter
    To create a set of data exchange standards that enable companies and organizations to share license
    and component information (metadata) for software packages and related content with the aim of
    facilitating license and other policy compliance.

     1.2     Definition
    The Software Package Data Exchange (SPDX™) specification is a standard format for communicating
    the components, licenses and copyrights associated with a software package. An SPDX file is
    associated with a particular software package and contains information about that package in the SPDX
    format.

     1.3     Why is a common format for data exchange needed?
    Companies and organizations (collectively “Organizations”) are widely using and reusing open source
    and other software packages. Compliance with the associated licenses requires a set of analysis
    activities and due diligence that each Organization performs independently including a manual and/or
    automated scan of software and identification of associated licenses followed by manual verification.
    Software development teams across the globe use the same open source packages, but little
    infrastructure exists to facilitate collaboration on the analysis or share the results of these analysis
    activities. As a result, many groups are performing the same work leading to duplicated efforts and
    redundant information. The SPDX working group seeks to create a data exchange format so that
    information about software packages and related content may be collected and shared in a common
    format with the goal of saving time and improving data accuracy.

     1.4     What does this specification cover?
           1.4.1      SPDX Document Information: Meta data to associate analysis results with a specific
           version of the SPDX file and license for use.

           1.4.2      Creation Information: Information about how, when, and by whom the SPDX file was
           created.

           1.4.3      Package Information: Facts that are common properties of the entire package.

           1.4.4      License Information: A list of common licenses likely to be encountered and a
           standardized naming convention for referring to these licenses and other licenses also found
           within an SPDX document. This naming convention will also be the basis for extending this set of
           common licenses over time.

           1.4.5      File Information: Facts (e.g. copyrights, licenses) that are specific to each file included
           in the package.

           1.4.6      Reviewer Information: Information when and by whom the SPDX file was reviewed.

           1.4.7      Evolution hooks: A set of mechanisms that permit extending the specification in a
           structured manner under specific future versions of the specification.




                                            Official SPDX Specification 1.0.
                             Copyright © 2010-2011 Linux Foundation and its Contributors.
                        Licensed under the Creative Commons Attribution License 3.0 Unported.
                                        All other rights are expressly reserved.
                                                      Page 5 of 64
                                                               Software Package Data Exchange (SPDX™) Specification




  Figure 1. Overview of SPDX file contents.


1.5     What is not covered in the specification?
      1.5.1    Information that cannot be derived from an inspection (whether manual or using
      automated tools) of the package to be analyzed.
      1.5.2     How the data stored in an SPDX file is used by the recipient.

      1.5.3     Any identification of any patent(s) which may or may not relate to the package.

      1.5.4     Legal interpretation of the licenses or any compliance actions that have been or may
      need to be taken.

1.6     Format Requirements:
      1.6.1     Must be in a human readable form.

      1.6.2     Must be in a syntax that a software tool can read and write.

      1.6.3     Must be suitable to be checked for syntactic correctness independent of how it was
      generated (human or tool).


                                      Official SPDX Specification 1.0.
                       Copyright © 2010-2011 Linux Foundation and its Contributors.
                  Licensed under the Creative Commons Attribution License 3.0 Unported.
                                  All other rights are expressly reserved.
                                                Page 6 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



      1.6.4      The SPDX file character set must support UTF-8 encoding.

      1.6.5      Must permit automated specification syntax validation.

      1.6.6     Resource Description Framework (RDF) can be used to represent this information, as
      can an annotate tag value flat text file.

      1.6.7      Interoperability with an annotate tag format and the RDF format will be preserved.

1.7     Conformance
      1.7.1    A file can be designated an SPDX file, if it is compliant with the requirements of the
      SPDX Trademark License (See http://www.spdx.org/trademark).

      1.7.2       The official copyright notice to be used with any verbatim reproduction and/or
      distribution of this SPDX Specification 1.0 is:

      "Official SPDX Specification 1.0. Copyright © 2010-2011 Linux Foundation and its Contributors.
      Licensed under the Creative Commons Attribution License 3.0 Unported. All other rights are
      expressly reserved."

      1.7.3       The official copyright notice to be used with any non-verbatim reproduction and/or
      distribution of this SPDX Specification, including without limitation any partial use or combining this
      SPDX Specification with another work, is:

      "This is not an official SPDX Specification. Portions herein have been reproduced from SPDX
      Specification 1.0 found at www.spdx.com. These portions are Copyright © 2010-2011 Linux
      Foundation and its Contributors, and are licensed under the Creative Commons Attribution
      License 3.0 Unported by the Linux Foundation and its Contributors. All other rights are expressly
      reserved by Linux Foundation and its Contributors."




                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 7 of 64
                                                                           Software Package Data Exchange (SPDX™) Specification




2 SPDX Document Information
One instance is required for each SPDX file produced. It provides the necessary information for forward and
backward compatibility for the processing tools.

Fields:

          2.1     SPDX Version
                2.1.1      Purpose: Provide a reference number that can be used to understand how to parse
                and interpret the rest of the file. It will enable both future changes to the specification and to
                support backward compatibility. The version number consists of a major and minor version
                indicator. The major field will be incremented when incompatible changes between versions are
                made (one or more sections are created, modified or deleted). The minor field will be incremented
                when backwards compatible changes are made.

                2.1.2     Intent: Here, parties exchanging information in accordance with SPDX specification
                need to provide 100% transparency as to which SPDX specification such Identification Information
                is conforming to.

                2.1.3      Cardinality: Mandatory, one.

                2.1.4      Data Format: “SPDX-M.N”
                           where:
                                  M is major version number
                                  N is minor version number.

                2.1.5      Tag: “SPDXVersion:”

                           Example:
                           SPDXVersion: SPDX-1.0

                2.1.6      RDF: spdx:specVersion

                           Example:
                           <SpdxDocument rdf:about”http://www.spdx.org/tools#SPDXANALYSIS”>
                             <specVersion> SPDX-1.0 </specVersion>
                           </SpdxDocument>


          2.2     Data License
                2.2.1        Purpose: Designates the license for the SPDX file itself. All content, including any
                data and any database, that may be in an SPDX file must be licensed under the Open Data
                Commons Public Domain Dedication and License 1.0 (“PDDL-1.0”). The PDDL-1.0 places data
                and databases in the public domain to ensure that all have the right to freely re-use the SPDX file
                without intellectual property restrictions. Nothing in this use of the PDDL-1.0 prevents a supplier of
                SPDX files from temporarily or permanently limiting, by a separate and independent agreement,
                their recipients from (i) distribution of the supplier’s specific aggregation of SPDX files to others or
                (ii) disclosing the supplier as the source and/or creator of any specific SPDX file(s).




                                                  Official SPDX Specification 1.0.
                                   Copyright © 2010-2011 Linux Foundation and its Contributors.
                              Licensed under the Creative Commons Attribution License 3.0 Unported.
                                              All other rights are expressly reserved.
                                                            Page 8 of 64
                                                          Software Package Data Exchange (SPDX™) Specification



2.2.2        Intent: This is to alleviate any concern that content (the data or database) in an SPDX
file is subject to any form of intellectual property right that could restrict the re-use of the
information or the creation of another SPDX file for the same project(s). This approach avoids
intellectual property and related restrictions over the SPDX file, however individuals can still
contract with each other to restrict release of specific collections of SPDX files (which map to
software bill of materials) and the identification of the supplier of SPDX files.

2.2.3     Cardinality: Mandatory, one.

2.2.4     Data Format: “PDDL-1.0”

2.2.5     Tag: “DataLicense:”

          Example:
          DataLicense: PDDL-1.0

2.2.6     RDF: spdx:dataLicense

          Example:
          <SpdxDocument rdf:about”http://www.spdx.org/tools#SPDXANALYSIS”>
             <dataLicense rdf:resource="http://spdx.org/licenses/PDDL-1.0" />
          </SpdxDocument>




                                 Official SPDX Specification 1.0.
                  Copyright © 2010-2011 Linux Foundation and its Contributors.
             Licensed under the Creative Commons Attribution License 3.0 Unported.
                             All other rights are expressly reserved.
                                           Page 9 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification




3 Creation Information
One instance of the Creation Information field set is required per package instance.

Fields:

          3.1     Creator
                3.1.1      Purpose: Identify who (or what, in the case of a tool) created the SPDX file. If the
                SPDX file was created by an individual, indicate the person's name. If the SPDX file was created
                on behalf of a company or organization, indicate the entity name. If the SPDX file was created
                using a software tool, the file should indicate the name and version for that tool. If multiple
                participants or tools were involved, use multiple instances of this field. Person name or
                organization name may be designated as “anonymous” if appropriate.

                3.1.2     Intent: Here, the generation method will assist the recipient of the SPDX file in
                assessing the general reliability/accuracy of the analysis information.

                3.1.3      Cardinality: Mandatory, one or many.

                3.1.4      Data Format: single line of text with the following keywords:

                                   ”Person: person name” and optional “(email)”
                                   "Organization: organization” and optional “(email)”
                                   "Tool: tool identifier - version”

                3.1.5      Tag: “Creator:”

                           Example:
                           Creator: Person: Jane Doe (jane.doe@example.com)
                           Creator: Organization: ExampleCodeInspect (contact@example.com)
                           Creator: Tool: LicenseFind-1.0


                3.1.6      RDF: property spdx:creator in class spdx:CreationInfo

                           Example:
                           <CreationInfo>
                             <creator> Person: Jane Doe (jane.doe@example.com) </creator>
                             <creator> Organization: ExampleCodeInspect (contact@example.com) </creator>
                             <creator> Tool: LicenseFind-1.0 </creator>
                           </CreationInfo>


          3.2     Created
                3.2.1       Purpose: Identify when the SPDX file was originally created. The date is to be
                specified according to combined data and time in UTC format as specified in ISO 8601 standard.
                This field is distinct from the fields in section 7 which involves the addition of information during a
                subsequent review.

                3.2.2     Intent: Here, the time stamp can serve as a verification as to whether the analysis
                needs to be updated.

                3.2.3      Cardinality: Mandatory, one.


                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 10 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



      3.2.4     Data Format: YYYY-MM-DDThh:mm:ssZ
                where:
                       YYYY is year
                       MM is month with leading zero
                       DD is day with leading zero
                       T is delimiter for time
                       hh is hours with leading zero in 24 hour time
                       mm is minutes with leading zero
                       ss is seconds with leading zero
                       Z is universal time indicator

      3.2.5     Tag: “Created:”

                Example:
                Created: 2010-01-29T18:30:22Z

      3.2.6     RDF: property spdx:created in class spdx:CreationInfo

                Example:
                <CreationInfo>
                  <created> 2010-01-29T18:30:22Z </created>
                </CreationInfo>


3.3     Creator Comments
      3.3.1     Purpose: An optional field for creators of the SPDX file to provide general comments
      about the creation of the SPDX file or any other relevant comment not included in the other fields.

      3.3.2       Intent: Here, the intent is to provide recipients of the SPDX file with comments by the
      creator of the SPDX file.

      3.3.3     Cardinality: Optional, one.

      3.3.4     Data Format: free form text that can span multiple lines.
                In tag format this is delimited by <text> .. </text>, in RDF, it is delimited by
                <rdfs:comment>.

      3.3.5     Tag: “CreatorComment:”

                Example:
                CreatorComment: <text>
                This package has been shipped in source and binary form.
                The binaries were created with gcc 4.5.1 and expect to link to
                compatible system run time libraries.
                </text>

      3.3.6     RDF: property rdfs:comment in class spdx:CreationInfo

                Example:
                <CreationInfo>
                  <rdfs:comment> This package has been shipped in source and binary form.
                  The binaries were created with gcc 4.5.1 and expect to link to
                  compatible system run time libraries. </rdfs:comment>
                </CreationInfo>


                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 11 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification




4 Package Information
One instance of the Package Information is required per package being analyzed. A package can contain sub-
packages, but the information in this section is a reference to the entire contents of the package listed.

Fields:
          4.1      Formal Name
                4.1.1     Purpose: Identify the full name of the package as given by Package Originator.

                4.1.2        Intent: Here, the formal name of each package is an important conventional technical
                identifier to be maintained for each package.

                4.1.3     Cardinality: Mandatory, one.

                4.1.4     DataFormat: single line of text.

                4.1.5     Tag: “PackageName:”

                          Example:
                          PackageName: glibc

                4.1.6     RDF: property spdx:name in class spdx:Package

                          Example:
                          <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                            <name>glibc 2.11.1</name>
                          </Package>

          4.2      Package Version Information
                4.2.1     Purpose: Identify the version of the package.

                4.2.2       Intent: The versioning of a package is a useful for identification purposes and for
                indicating later changes for the package version.

                4.2.3     Cardinality: Optional, one.

                4.2.4     DataFormat: single line of text.

                4.2.5     Tag: “PackageVersion:”

                          Example:
                          PackageVersion: 2.11.1

                4.2.6     RDF: property spdx:versionInfo in class spdx:Package

                          Example:
                          <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                            <versionInfo>2.11.1</versionInfo>
                          </Package>




                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 12 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



4.3     Package File Name
      4.3.1    Purpose: Provide the actual file name of the package. This may include the packaging
      and compression methods used as part of the file name.

      4.3.2      Intent: Here, the actual file name of the compressed file containing the package is a
      significant technical element that needs to be included with each package identification
      information.

      4.3.3      Cardinality: Mandatory, one.

      4.3.4      Data Format: single line of text.

      4.3.5      Tag: “PackageFileName:”

                 Example:
                 PackageFileName: glibc-2.11.1.tar.gz

      4.3.6      RDF: property spdx:packageFileName in class spdx:Package

                 Example:
                 <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                   <packageFileName>glibc 2.11.1</packageFileName>
                 </Package>


4.4     Package Supplier
      4.4.1          Purpose: Identify the actual distribution source for the package identified in the SPDX
      file. This may or may not be different from the originating distribution source for the package. The
      name of the Package Supplier must be an organization or recognized author and not a web site.
      For example, Sourceforge is a host website, not a supplier, the supplier for
      http://sourceforge.net/projects/bridge/ is "The Linux Foundation." NOASSERTION should be used
      if:
          (i) the SPDX file creator has attempted to but cannot reach a reasonable objective determinaion
          of who the supplier is;
          (ii) the project is orphaned and was obtained from a public website; or
          (iii) the SPDX file creator has intentionally provided no information (no meaning should be
          implied by doing so).

      4.4.2     Intent: This field assists with understanding the point of distribution for the code in the
      package. This field is vital for ensuring that a downstream package recipients can address any
      ambiguity or concerns that might arise with the information in the SPDX file or the contents of the
      package it documents.

      4.4.3      Cardinality: Optional, one.

      4.4.4      Data Format: single line of text with the following keywords | “NOASSERTION”

                         “Person:” person name and optional “(“email”)”
                         "Organization:” organization name and optional “(email)”

      4.4.5      Tag: “PackageSupplier:”

                 Example:
                 PackageSupplier: Person: Jane Doe (jane.doe@example.com)


                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 13 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



      4.4.6     RDF: property spdx:supplier in class spdx:Package

                Example:
                <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                  <supplier>Person: Jane Doe (jane.doe@example.com </supplier>
                </Package>


4.5     Package Originator
      4.5.1        Purpose: If the package identified in the SPDX file originated from a different person
      or organization than identified as Package Supplier (see section 4.4 above), this field identifies
      from where or whom the package originally came. In some cases a package may be created
      and originally distributed by a different third party than the Package Supplier of the package. For
      example, the SPDX file identifies the package glibc and RedHat as the Package Supplier, but FSF
      is the Package Originator. NOASSERTION should be used if:
         (i) the SPDX file creator has attempted to but cannot reach a reasonable objective determinaion
         of who the supplier is;
         (ii) the project is orphaned and was obtained from a public website; or
         (iii) the SPDX file creator has intentionally provided no information (no meaning should be
         implied by doing so).

      4.5.2     Intent: This field assists with understanding the point of origin of the code in the
      package. This field is vital for understanding who originally distributed a package and should help
      in addressing any ambiguity or concerns that might arise with the information in the SPDX file or
      the contents of the Package it documents.

      4.5.3     Cardinality: Optional, one.

      4.5.4     Data Format: single line of text with the following keywords | “NOASSERTION”

                         ”Person:” person name and optional “(“email ”)”
                         "Organization:” organization name and optional “(“email”)”

      4.5.5     Tag: “PackageOriginator:”

                Example:
                PackageOriginator: Organization: ExampleCodeInspect (contact@example.com)

      4.5.6     RDF: property spdx:originator in class spdx:Package

                Example:
                <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                  <originator>Organization: ExampleCodeInspect (contact@example.com)
                  </originator>
                </Package>


4.6     Package Download Location
      4.6.1    Purpose: This field identifies the download Universal Resource Locator (URL) for the
      package at the time that the SPDX file was created. If there is no public URL, then it is explicitly
      marked as UNKNOWN.

      4.6.2       Intent: Here, where to download the exact package being referenced is a critical
      verification and tracking datum.


                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 14 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



      4.6.3      Cardinality: Mandatory, one.

      4.6.4      Data Format: uniform resource locator | “UNKNOWN”

      4.6.5      Tag: “PackageDownloadLocation:”

                 Example:
                 PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-2.11.2.tar.gz


      4.6.6      RDF: property spdx:downloadLocation in class spdx:Package

                 Example:
                 <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                   <downloadLocation>http://ftp.gnu.org/gnu/glibc/ </downloadLocation>
                 </Package>


4.7     Package Verification Code
      4.7.1       Purpose: This field provides an independently reproducible mechanism identifying
      specific contents of a package based on the actual files (except the SPDX file itself, if it is included
      in the package) that make up each package and that correlates to the data in this SPDX file. This
      identifier enables a recipient to determine if any file in the original package (that the analysis was
      done on) has been changed and permits inclusion of an SPDX file as part of a package.

      4.7.2     Intent: Providing a unique identifier based on the files inside each package, eliminates
      confusion over which version or modification of a specific package the SPDX file refers to. The
      SPDX file can be embedded within the package without altering the identifier.

      4.7.3      Cardinality: Mandatory, one.

      4.7.4      Algorithm:
                 verificationcode = 0
                 filelist = “”
                 for all files in the package {
                            if file is an “excludes” file, skip it /* exclude SPDX analysis file(s) */
                            appended filelist with “SHA1(file)” || ”normalized_filename(file)\n”
                            }
                 sort filelist in ascending order by SHA1 value
                 verificationcode = SHA1(filelist)

                 Where SHA1(file) applies a SHA1 algorithm on the contents of file and returns the
                 result in lowercase hexadecimal digits.

                 Where normalized_filename(file) normalized file name is a relative file uri transformed
                 to remove all `..` and `.` path elements removed. For example, `normalized("./foo.c") =>
                 "foo.c"` and `normalized("foo/./bar/../important.c") => "foo/important.c"`.


      4.7.5      Data Format: single line of text with 160 bit binary represented as 40 hexidecimal digits

      4.7.6      Tag: “PackageVerifcationCode:” (and optionally “(excludes: normalized_filename)”)

                 Example:
                 PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: package.spdx)


                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 15 of 64
                                                                    Software Package Data Exchange (SPDX™) Specification




          4.7.7      RDF: spdx:packageVerificationCodeValue, spdx:packageVerificationCodeExcludedFile
          in class spdx:PackageVerificationCode

                    Example:
                    <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package ”>
                      <packageVerificationCode>
                       <PackageVerificationCode>
                          <packageVerificationCodeValue>d6a770ba38583ed4bb4525bd96e50461655d2758
                            </packageVerificationCodeValue>
                          <packageVerificationCodeExcludedFile> package.spdx
                            </packageVerificationCodeExcludesFile>
                       </PackageVerificationCode>
                     </packageVerificationCode>
                    </Package>



    4.8     Package Checksum
          4.8.1       Purpose: This field provides an independently reproducible mechanism that permits
          unique identification of a specific package that correlates to the data in this SPDX file. This
          identifier enables a recipient to determine if any file in the original package has been changed. If
          the SPDX file is to be included in a package, this value should not be calculated. The SHA-1
          algorithm will be used to provide the checksum by default.

          4.8.2     Intent: Here, by providing a unique identifier of each the package, confusion over
          which version or modification of a specific package the SPDX file references should be eliminated.

          4.8.3     Cardinality: Optional, one.

          4.8.4     Algorithm: SHA1 (http://tools.ietf.org/html/rfc3174) is to be used on on the package.

          4.8.5     Data Format: There are two components, an algorithm identifier(“SHA1”) and a 160 bit
          value represented as 40 lowercase hexadecimal digits.

          4.8.6     Tag: “PackageChecksum:”

                    Example:
                    PackageChecksum: SHA1: d6a770ba38583ed4bb4525bd96e50461655d2758

          4.8.7     RDF: properties spdx:algorithm, spdx:checksumValue in class spdx:checksum
,
                    Example:
                    <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                      <checksum>
                        <Checksum>
                           <algorithm rdf:resource="checksumAlgorithm_sha1"/>
                           <checksumValue> d6a770ba38583ed4bb4525bd96e50461655d2758
                           </checksumValue>
                        </Checksum>
                      </checksum>
                    </Package>


    4.9     Source Information



                                           Official SPDX Specification 1.0.
                            Copyright © 2010-2011 Linux Foundation and its Contributors.
                       Licensed under the Creative Commons Attribution License 3.0 Unported.
                                       All other rights are expressly reserved.
                                                     Page 16 of 64
                                                            Software Package Data Exchange (SPDX™) Specification



  4.9.1      Purpose: This field provides a place for the SPDX file creator to record any relevant
  background information or additional comments about the origin of the package. For example, this
  field might include comments indicating whether the package been pulled from a source code
  management system or has been repackaged.

  4.9.2      Intent: Here, by providing a comment field, the SPDX file creator can provide additional
  information to describe any anomalies or discoveries in the determination of the origin of the
  package.

  4.9.3     Cardinality: Optional, one.

  4.9.4     Data Format: free form text that can span multiple lines.
            In tag format this is delimited by <text> .. </text>.

  4.9.5     Tag: “PackageSourceInfo:”

            Example:
            PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.

  4.9.6     RDF: spdx:sourceInfo

            Example:
            <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                   <sourceInfo>uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
                   </sourceInfo>
            </Package>


4.10 Concluded License
  4.10.1     Purpose: This field contains the license the SPDX file creator has concluded as
  governing the package or alternative values, if the governing license cannot be determined. The
  options to populate this field are limited to:
    (a) the SPDX License List short form identifier, if the concluded license is on the SPDX License
    List;
    (b) a reference to the license text denoted by the LicenseRef-#, if the concluded license is not
    on the SPDX License List;
    (c) NOASSERTION should be used if:
             (i) the SPDX file creator has attempted to but cannot reach a reasonable objective
             determination of the Concluded License;
             (ii) the SPDX file creator is uncomfortable concluding a license, despite some license
             information being available;
             (iii) the SPDX file creator has made no attempt to determine a Concluded License;
             (iv) the SPDX file creator has intentionally provided no information (no meaning should
             be implied by doing so); or
             (v) there is no licensing information from which to conclude a license for the package.

    With respect to (a) and (b) above, if there is more than one concluded license, all should be
    included. If the package recipient has a choice of multiple licenses, then each of the choices
    should be recited as a "disjunctive" license. If the Concluded License is not the same as the
    Declared License, a written explanation should be provided in the Comments on License field
    (section 4.13). With respect to (c), a written explanation in the Comments on License field
    (section 4.13) is preferred.

  4.10.2   Intent: Here, the intent is for the SPDX file creator to analyze the license information in
  package, and other objective information, e.g., COPYING.txt file, together with the results from
  any scanning tools, to arrive at a reasonably objective conclusion as to what license governs the
  package.


                                   Official SPDX Specification 1.0.
                    Copyright © 2010-2011 Linux Foundation and its Contributors.
               Licensed under the Creative Commons Attribution License 3.0 Unported.
                               All other rights are expressly reserved.
                                             Page 17 of 64
                                                             Software Package Data Exchange (SPDX™) Specification



   4.10.3    Cardinality: Mandatory, one.

   4.10.4    Data Format: <short form identifier in Appendix I> | "LicenseRef"-N | “NOASSERTION”
   | “NONE” | <license set>

   4.10.5    Tag: “PackageLicenseConcluded:”
             For a license set, when there is a choice between licenses (“disjunctive license”), they
             should be separated with “or” and enclosed in parentheses. When multiple licenses
             apply (“conjunctive license”), they should be separated with an “and” and enclosed in
             parentheses.

             Example:
             PackageLicenseConcluded: LGPL-2.0

             Example:
             PackageLicenseConcluded: (LGPL-2.0 or LicenseRef-3)


   4.10.6    RDF: property spdx:licenseConcluded in class spdx:Package

             Example:
             <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                    <licenseConcluded> rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
             </Package>

             Example:
             <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                 <licenseConcluded>
                       <DisjunctiveLicenseSet>
                              <member rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
                              <member rdf:resource="_:licenseRef-3" />
                      </DisjunctiveLicenseSet>
                </licenseConcluded>
             </Package>



4.11 All Licenses Information from Files
   4.11.1      Purpose: This field is to contain a list of all licenses found in the package. The
   relationship between licenses (i.e., conjunctive, disjunctive) is not specified in this field – it is
   simply a listing of all licenses found. The options to populate this list are limited to:
               (a) the SPDX License List short form identifier, if a detected license is on
               the SPDX License List;
               (b) a reference to the license, denoted by LicenseRef-#, if the detected license is
               not on the SPDX License List;
               (c) NONE, if no license information is detected in any of the files; or
               (d) NOASSERTION, if the SPDX file creator has not examined the contents
               of the actual files or if the SPDX file creator has intentionally provided no information
               (no meaning should be implied by doing so).

   4.11.2    Intent: Here, the intention is to capture all license information detected in the actual
   files.

   4.11.3    Cardinality: Mandatory, one or many.



                                    Official SPDX Specification 1.0.
                     Copyright © 2010-2011 Linux Foundation and its Contributors.
                Licensed under the Creative Commons Attribution License 3.0 Unported.
                                All other rights are expressly reserved.
                                              Page 18 of 64
                                                            Software Package Data Exchange (SPDX™) Specification



  4.11.4 Data Format: <short form identifier in Appendix I> | "LicenseRef"-N | “NONE” |
  “NOASSERTION”

  4.11.5    Tag: “PackageLicenseInfoFromFiles:”

            Example:
            PackageLicenseInfoFromFiles: GPL-2.0
            PackageLicenseInfoFromFiles: LicenseRef-1
            PackageLicenseInfoFromFiles: LicenseRef-2

  4.11.6    RDF: property spdx:licenseInfoFromFiles in class spdx:Package

            Example:
            <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                   <licenseInfoFromFiles rdf:resource="http://spdx.org/licenses/GPL-2.0" />
                   <licenseInfoFromFiles rdf:resource="_:licenseRef-1" />
                   <licenseInfoFromFiles rdf:resource="_:licenseRef-2" />
            </Package>


4.12 Declared License
  4.12.1     Purpose: This field lists the licenses that have been declared by the authors of the
  package. Any license information that does not originate from the package authors, e.g. license
  information from a third party repository, should not be included in this field. The options to
  populate this field are limited to:
             (a) the SPDX License List short form identifier, if the license is on the SPDX License
             List;
             (b) a reference to the license, denoted by LicenseRef-#, if the declared license is not on
             the SPDX License List;
             (c) NONE, if no license information is detected in any of the files; or
             (d) NOASSERTION, if the SPDX file creator has not examined the contents of the
             package or if the SPDX file creator has intentionally provided no information (no
             meaning should be implied by doing so).

    With respect to “a” and “b” above, if license information for more than one license is contained
    in the file, all should be reflected in this field. If the license information offers the package
    recipient a choice of licenses, then each of the choices should be recited as a "disjunctive"
    licenses.


  4.12.2     Intent: This is simply the license identified in text in one or more files (for example
  COPYING file) in the source code package. This field is not intended to capture license
  information obtained from an external source, such as the package website. Such information can
  be included in 4.7 Concluded License. This field may have multiple declared licenses, if multiple
  licenses are declared at the package level.

  4.12.3    Cardinality: Mandatory, one.

  4.12.4 Data Format: <short form identifier in Appendix I> | "LicenseRef"-N | “NONE” |
  “NOASSERTION” | <license set>




                                   Official SPDX Specification 1.0.
                    Copyright © 2010-2011 Linux Foundation and its Contributors.
               Licensed under the Creative Commons Attribution License 3.0 Unported.
                               All other rights are expressly reserved.
                                             Page 19 of 64
                                                            Software Package Data Exchange (SPDX™) Specification



  4.12.5    Tag: “PackageLicenseDeclared:”
            For a license set, when there is a choice between licenses (“disjunctive license”), they
            should be separated with “or” and enclosed in brackets. Similarly, when multiple
            licenses need to be applied (“conjunctive license”), they should be separated with “and”
            and enclosed in brackets.

            Example:
            PackageLicenseDeclared: LGPL-2.0

            Example:
            PackageLicenseDeclared: (LGPL-2.0 and LicenseRef-3)


  4.12.6    RDF: property spdx:licenseDeclared in class spdx:Package

            Example:
            <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
                   <licenseDeclared rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
            </Package>

            Example:
            <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
               <licenseDeclared>
                 <DisjunctiveLicenseSet>
                    <member rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
                    <member rdf:resource="_:licenseRef-3" />
                </DisjunctiveLicenseSet>
              </licenseDeclared>
            </Package>



4.13 Comments on License
  4.13.1     Purpose: This field provides a place for the SPDX file creator to record any relevant
  background information or analysis that went in to arriving at the Concluded License for a
  package. If the Concluded License does not match the Declared License or License Information
  from Files, this should be explained by the SPDX file creator. Its is also preferable to include an
  explanation here when the Concluded License is NOASSERTION.

  4.13.2     Intent: Here, the intent is to provide the recipient of the SPDX file with a detailed
  explanation of how the Concluded License was determined if it does not match the License
  Information from the files or the source code package, is marked NOASSERTION, or other helpful
  information relevant to determining the license of the package.

  4.13.3    Cardinality: Optional, one.

  4.13.4    Data Format: free form text that can span multiple lines.
            In tag format this is delimited by <text> .. </text>,
            in RDF, it is delimited by <rdfs:comment>.

  4.13.5    Tag: “PackageLicenseComments:”




                                   Official SPDX Specification 1.0.
                    Copyright © 2010-2011 Linux Foundation and its Contributors.
               Licensed under the Creative Commons Attribution License 3.0 Unported.
                               All other rights are expressly reserved.
                                             Page 20 of 64
                                                            Software Package Data Exchange (SPDX™) Specification



             Example:
             PackageLicenseComments: <text>
             The license for this project changed with the release of version x.y. The version of the
             project included here post-dates the license change.
             </text>

   4.13.6    RDF: property spdx:licenseComments in class spdx:Package

             Example:
             <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
               <licenseComments>
                  This package has been shipped in source and binary form.
                  The binaries were created with gcc 4.5.1 and expect to link to
                  compatible system run time libraries.
               </licenseComments>
             </Package>


4.14 Copyright Text
   4.14.1     Purpose: Identify the copyright holders of the package, as well as any dates present.
   This will be a free form text field extracted from the package information files. The options to
   populate this field are limited to:
              (a) any text related to a copyright notice, even if not complete;
              (b) NONE if the package contains no license information whatsoever; or
              (c) NOASSERTION, if the SPDX file creator has not examined the contents of the
              package or if the SPDX file creator has intentionally provided no information(no
              meaning should be implied by doing so).


   4.14.2    Intent: Record any copyright notices for the package.

   4.14.3    Cardinality: Mandatory, one.

   4.14.4    Data Format: free form text that can span multiple lines | "NOASSERTION” | “NONE”

   4.14.5    Tag: "PackageCopyrightText:"
             In tag format multiple lines are delimited by <text> .. </text>.

             Example:
             PackageCopyrightText: <text>
             Copyright 2008-2010 John Smith
             </text>

   4.14.6    RDF: property spdx:copyrightText in class spdx:Package

             Example:
             <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
               <copyrightText>
               Copyright 2008-2010 John Smith
               </copyrightText>
             </Package>


4.15 Package Summary Description


                                   Official SPDX Specification 1.0.
                    Copyright © 2010-2011 Linux Foundation and its Contributors.
               Licensed under the Creative Commons Attribution License 3.0 Unported.
                               All other rights are expressly reserved.
                                             Page 21 of 64
                                                             Software Package Data Exchange (SPDX™) Specification



   4.15.1    Purpose: This field is a short description of the package

   4.15.2     Intent: Here, the intent is to allow the recipient of the SPDX file to quickly understand
   the function or use of the package without having to parse the source code of the actual package.

   4.15.3    Cardinality: Optional, one.

   4.15.4    Data Format: free form text that can span multiple lines.

   4.15.5    Tag: “PackageSummary:”
             In tag format multiple lines are delimited by <text> .. </text>.

             Example:
             PackageSummary: <text> gnu c library </text>

   4.15.6    RDF: property spdx:summary in class spdx:Package

             Example:
             <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
               <summary> gnu c library </summary>
             </Package>



4.16 Package Detailed Description
   4.16.1     Purpose: This field is a more detailed description of the package. It may also be
   extracted from the packages itself.

   4.16.2     Intent: Here, the intent is to provide recipients of the SPDX file with a detailed
   technical explanation of the functionality, anticipated use, and anticipated implementation of the
   package. This field may also include a description of improvements over prior versions of the
   package.

   4.16.3    Cardinality: Optional, one.

   4.16.4    Data Format: free form text than can span multiple lines.

   4.16.5    Tag: “PackageDescription:”
             In tag format multiple lines are delimited by <text> .. </text>.

             Example:
             PackageDescription: <text>
             This package provides the gnu c library, ….
             </text>

   4.16.6    RDF: property spdx:description in class spdx:Package

             Example:
             <Package rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?package”>
               <description>
               This package provides the gnu c library, ….
               </description>
             </Package>




                                    Official SPDX Specification 1.0.
                     Copyright © 2010-2011 Linux Foundation and its Contributors.
                Licensed under the Creative Commons Attribution License 3.0 Unported.
                                All other rights are expressly reserved.
                                              Page 22 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification




5 Other Licensing Information Detected
This section is used for any detected, declared or concluded licenses that are NOT on the SPDX License List.
For the most up-to-date version of the list see: http://spdx.org/licenses/. The SPDX License List can also be
found here in Appendix I.

One instance should be created for every unique license or licensing information reference detected in package
that does not match one of the licenses on the SPDX License List. Each license instance should have the
following fields.

Fields:

          5.1     Identifier Assigned
                5.1.1     Purpose: Provide a unique identifier to refer to licenses that are not found on the SPDX
                License List. This unique identifier can then be used in the packages and files sections of the
                SPDX file (sections 4 and 6, respectively).

                5.1.2     Intent: Create a short form license identifier for license not on the SPDX License List.

                5.1.3     Cardinality: Conditional (mandatory, one) if license is not on SPDX License List.

                5.1.4     Data Format: "LicenseRef-"N where N is a unique numeric value.

                5.1.5     Tag: "LicenseID:"

                          Example:
                          LicenseID: LicenseRef-1

                5.1.6     RDF: property spdx:licenseID in class spdx:ExtractedLicensingInfo

                          Example:
                          <ExtractedLicensingInfo rdf:about=””_:licenseRef-1>
                                  <licenseId> LicenseRef-1 </licenseId>
                          </ExtractedLicensingInfo>


          5.2     Extracted Text
                5.2.1    Purpose: Provide a copy of the actual text of the license reference extracted from the
                package or file that is associated with the License ID to aid in future analysis.

                5.2.2    Intent: Provide the actual text as found in the package or file for a license that is not on
                the SPDX License List.

                5.2.3     Cardinality: Conditional (Mandatory, one) if there is an Identifier Assigned.

                5.2.4     Data Format: free form text field that may span multiple lines.

                5.2.5     Tag: “ExtractedText:”
                          In tag format multiple lines are delimited by <text> .. </text>.

                          Example:
                          ExtractedText: <text>"THE BEER-WARE LICENSE" (Revision 42):
                          <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
                          can do whatever you want with this stuff. If we meet some day, and you think this stuff
                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 23 of 64
                                                       Software Package Data Exchange (SPDX™) Specification



        is worth it, you can buy me a beer in return Poul-Henning Kamp </text>

5.2.6   RDF: property spdx:extractedText in class spdx:ExtractedLicensingInfo

        Example:
        <ExtractedLicensingInfo rdf:about=”_:licenseRef-1>
                <licenseId> LicenseRef-1 </licenseId>
                <extractedText> "THE BEER-WARE LICENSE" (Revision 42):
                <phk@FreeBSD.ORG> wrote this file. As long as you retain this notice you
                can do whatever you want with this stuff. If we meet some day, and you think
                this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp
                </extractedText>
        </ExtractedLicensingInfo>




                              Official SPDX Specification 1.0.
               Copyright © 2010-2011 Linux Foundation and its Contributors.
          Licensed under the Creative Commons Attribution License 3.0 Unported.
                          All other rights are expressly reserved.
                                        Page 24 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification




6 File Information
One instance of the File Information is required for each file in the software package. It provides important meta
information about a given file including licenses and copyright. Each instance should include the following fields.

Fields:

          6.1     File Name
                6.1.1      Purpose: Identify the full path and filename that corresponds to the file information in
                this section.

                6.1.2     Intent: To aid finding the correct file which corresponds to the file information.

                6.1.3     Cardinality: Mandatory, one.

                6.1.4       Data Format: A relative filename with the root of the package archive or directory. See
                http://tools.ietf.org/html/rfc1738 for syntax.

                6.1.5     Tag: “FileName:”

                          Example:
                          FileName: ./package/foo.c

                6.1.6     RDF: property spdx:fileName in class spdx:File

                          Example:
                          <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                                   <fileName>./package/foo.c</fileName>
                          </File>


          6.2     File Type
                6.2.1       Purpose: This field provides information about the type of file identified. This
                information can be determinative of license compliance requirements. The options to populate this
                field are limited to:
                            (a) SOURCE if the file is human readable source code (.c, .html, etc.);
                            (b) BINARY if the file is a compiled object or binary executable (.o, .a, etc.);
                            (c) ARCHIVE if the file represents an archive (.tar, .jar, etc.); or
                            (d) OTHER if the file doesn't fit into the above categories (pictures, audio, data files,
                            etc.)

                6.2.2     Intent: Here, this field is a reasonable estimation of the file type, from a developer
                perspective.

                6.2.3     Cardinality: Optional, one.

                6.2.4     Data Format: “SOURCE” | “BINARY” | “ARCHIVE” | “OTHER”

                6.2.5     Tag: "FileType:"

                          Example:
                          FileType: BINARY


                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 25 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



      6.2.6     RDF: property spdx:fileType in class spdx:File

                Example:
                <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                         <fileType rdf:resource="fileType_binary" />
                </File>


6.3     File Checksum
      6.3.1       Purpose: Provide a unique identifier to match analysis information on each specific
      filein a package.

      6.3.2     Intent: Here, by providing a unique identifier of each file, confusion over which
      version/modification of a specific file should be eliminated.

      6.3.3     Cardinality: Mandatory, one.

      6.3.4     Algorithm: SHA1 (http://tools.ietf.org/html/rfc3174) is to be used on the file.

      6.3.5      Data Format: There are two components, an algorithm identifier (SHA-1), a separator
      (“:”) and a 160 bit value represented as 40 hexadecimal digits.

      6.3.6     Tag: “FileChecksum:”

                Example:
                FileChecksum: SHA1: d6a770ba38583ed4bb4525bd96e50461655d2758

      6.3.7     RDF: property spdx:Checksum in class spdx:File

                Example:
                <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                  <checksum>
                    <Checksum>
                      <algorithm>SHA1</algorithm>
                      <checksumValue>d6a770ba38583ed4bb4525bd96e50461655d2758
                      </checksumValue>
                    </Checksum>
                  </checksum>
                </File>

6.4     Concluded License
      6.4.1       Purpose: This field contains the license the SPDX file creator has concluded as
      governing the file or alternative values if the governing license cannot be determined. The options
      to populate this field are limited to:
         (a) the SPDX standardized license short form identifier, if the concluded license is on the SPDX
         License List;
         (b) a reference to the licenses, denoted by LicenseRef-#, if the concluded license is not on the
         SPDX License List;
         (c) NOASSERTION should be used if:
                  (i) the SPDX file creator has attempted to but cannot reach a reasonable objective
                  determination of the concluded license;
                  (ii) the SPDX file creator is uncomfortable concluding a license, despite some license
                  information being available;
                  (iii) the SPDX file creator has made no attempt to arrive at a concluded license;
                  (iv) the SPDX file creator has intentionally provided no information (no meaning should
                  be implied by doing so); or
                  (v) there is no license information from which to conclude a license for the file.
                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 26 of 64
                                                          Software Package Data Exchange (SPDX™) Specification




  With respect to “a” and “b” above, if there is more than one concluded license, all should be
  included. If the package recipient has a choice of multiple licenses, then each of the choices
  should be recited as a "disjunctive" license. If the Concluded License is not the same as the
  License Information in File, a written explanation should be provided in the Comments on
  License field (section 6.6). With respect to (c), a written explanation in the Comments on
  License field is preferred.

6.4.2       Intent: Here, the intent is for the SPDX file creator to analyze the License Information in
file (section 6.5) and other objective information, e.g., “COPYING FILE,” along with the results
from any scanning tools, to arrive at a reasonably objective conclusion as to what license governs
the file.

6.4.3      Cardinality: Mandatory, one.

6.4.4      Data Format: <short form identifier in Appendix I> | "LicenseRef"-N | “NOASSERTION”
           | “NONE” | <license set>

6.4.5      Tag: “LicenseConcluded:”
           For a license set, when there is a choice between licenses (“disjunctive license”), they
           should be separated with “or” and enclosed in brackets. Similarly when multiple
           licenses need to be applied (“conjunctive license”), they should be separated with “and”
           and enclosed in brackets.

           Example:
           LicenseConcluded: LGPL-2.0

           Example:
           LicenseConcluded: (LGPL-2.0 or LicenseRef-2)

6.4.6      RDF: property spdx:licenseConcluded in class spdx:File

           Example:
           <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                    <licenseConcluded> LGPL-2.0 </licenseConcluded>
           </File>

           Example:
           <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                  <licenseConcluded>
                      <ConjunctiveLicenseSet>
                            <member rdf:resource="http://spdx.org/licenses/LGPL-2.0”/>
                            <member rdf:nodeID="LicenseRef-2"/>
                      </ConjunctiveLicenseSet>
                 </licenseConcluded>
           </File>




                                 Official SPDX Specification 1.0.
                  Copyright © 2010-2011 Linux Foundation and its Contributors.
             Licensed under the Creative Commons Attribution License 3.0 Unported.
                             All other rights are expressly reserved.
                                           Page 27 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



6.5     License Information in File
      6.5.1       Purpose: This field contains the license information actually found in the file, if any. Any
      license information not actually in the file, e.g., “COPYING.txt” file in a toplevel directory, should
      not be reflected in this field. This information is most commonly found in the header of the file,
      although it may be in other areas of the actual file. The options to populate this field are limited to:
         (a) the SPDX License List short form identifier, if the license is on the SPDX License List;
         (b) a reference to the license, denoted by LicenseRef-#, if the license is not on the SPDX
         License List;
         (c) NONE, if the actual file contains no license information whatsoever; or
         (d) NOASSERTION, if the SPDX file creator has not examined the contents of the actual file or
         the SPDX file creator has intentionally provided no information (no meaning should be implied
         by doing so).

        With respect to “a” and “b” above, if license information for more than one license is contained
        in the file or if the license information offers the package recipient a choice of licenses, then
        each of the choices should be listed as a separate entry.

      6.5.2    Intent: Here, the intent is to provide the license information actually in the file, as
      compared to the Concluded License field.

      6.5.3      Cardinality: Mandatory, one or many.

      6.5.4  Data Format: <short form identifier in Appendix I> | "LicenseRef"-N | “NONE” |
      “NOASSERTION”

      6.5.5      Tag: “LicenseInfoInFile:”

                 Example:
                 LicenseInfoInFile: GPL-2.0
                 LicenseInfoInFile: LicenseRef-2

      6.5.6      RDF: property spdx:licenseInfoInFile in class spdx:File

                 Example:
                 <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                          <licenseInfoInFile rdf:resource="http://spdx.org/licenses/GPL-2.0" />
                          <licenseInfoInFile rdf:resource="_:licenseRef-2" />
                 </File>


6.6     Comments on License
      6.6.1      Purpose: This field provides a place for the SPDX file creator to record any relevant
      background references or analysis that went in to arriving at the Concluded License for a file. If
      the Concluded License does not match the License Information in File, this should be explained by
      the SPDX file creator. It is also preferable to include an explanation here when the Concluded
      License is NOASSERTION.

      6.6.2      Intent: Here, the intent is to provide the recipient of the SPDX file with a detailed
      explanation of how the Concluded License was determined if it does not match the License
      Information in File, is marked NOASSERTION, or other helpful information relevant to determining
      the license of the file.

      6.6.3      Cardinality: Optional, one.

      6.6.4      Data Format: free form text that can span multiple lines



                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 28 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



      6.6.5     Tag: “LicenseComments:”
                In tag format multiple lines are delimited by <text> .. </text>.

                Example:
                LicenseComments: <text>
                The concluded license was taken from the package level that the file was included in.
                This information was found in the COPYING.txt file in the xyz directory.
                </text>

      6.6.6     RDF: property spdx:licenseComments in class spdx:File

                Example:
                <File:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                  <licenseComments>
                      The concluded license was taken from the package level that the file
                      was included in. This information was found in the COPYING.txt file
                      in the xyz directory. This package has been shipped in source and binary form.
                  </licenseComments>
                </File>


6.7     Copyright Text
      6.7.1       Purpose: Identify the copyright holder of the file, as well as any dates present. This
      will be a freeform text field extracted from the actual file. The options to populate this field are
      limited to:
          (a) any text relating to a copyright notice, even if not complete;
          (b) NONE, if the file contains no license information whatsoever; or
          (c) NOASSERTION, if the SPDX creator has not examined the contents of the actual file or if
          the SPDX creator has intentionally provided no information(no meaning should be implied
          from the absence of an assertion).

      6.7.2     Intent: Record any copyright notice for the package.

      6.7.3     Cardinality: Mandatory, one.

      6.7.4     Data Format: free form text that can span multiple lines | "NONE" | “NOASSERTION”

      6.7.5     Tag: “FileCopyrightText:”
                In tag format multiple lines are delimited by <text> .. </text>.

                Example:
                FileCopyrightText: <text> Copyright 2008-2010 John Smith </text>

      6.7.6     RDF: property spdx:copyrightText in class spdx:File

                Example:
                <File rdf:about=”http://www.spdx.org/tools#SPDXANALYSIS?file”>
                  <copyrightText>
                  Copyright 2008-2010 John Smith
                  </copyrightText>
                </File>




                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 29 of 64
                                                                Software Package Data Exchange (SPDX™) Specification



6.8     Artifact of Project Name
      6.8.1     Purpose: To indicate that a file has been derived from a specific project.

      6.8.2      Intent: To make it easier for recipients of the SPDX file to determine the original
      source of the identified file.

      6.8.3     Cardinality: Optional, one.

      6.8.4     Data Format: single line of text

      6.8.5     Tag: "ArtifactOfProjectName:”

                Example:
                ArtifactOfProjectName: Jena

      6.8.6     RDF: property spdx:artifactOf/doap:Project/doap:name

                Example:
                <File>
                    <artifactOf>
                          <doap:Project>
                                 <doap:name>Jena</doap:name>
                         </doap:Project>
                   </artifactOf>
                 </File>



6.9     Artifact of Project Homepage
      6.9.1     Purpose: To indicate the location of the project from which the file has been derived.

      6.9.2        Intent: To make it easier for consumers of the report to determine the original source
      of the file.

      6.9.3     Cardinality: Optional, one.

      6.9.4     Data Format: uniform resource locator | “UNKNOWN”

      6.9.5     Tag: "ArtifactOfProjectHomePage:"

                Example:
                ArtifactOfProjectHomePage: http://www.openjena.org/

      6.9.6     RDF: spdx:artifactOf/doap:Project/doap:homepage

                Example:
                <File>
                     <artifactOf>
                         <doap:Project>
                                  <doap:homepage rdf:resource="http://www.openjena.org/" />
                         </doap:Project>
                     </artifactOf>
                </File>


                                       Official SPDX Specification 1.0.
                        Copyright © 2010-2011 Linux Foundation and its Contributors.
                   Licensed under the Creative Commons Attribution License 3.0 Unported.
                                   All other rights are expressly reserved.
                                                 Page 30 of 64
                                                             Software Package Data Exchange (SPDX™) Specification




6.10 Artifact of Project Uniform Resource Identifier
   6.10.1    Purpose: To provide a linkage to the project resource in the doap document and permit
   interoperability between the different formats supported.

   6.10.2       Intent: To make it easier for consumers of the report to determine the original source
   of the file.

   6.10.3    Cardinality: Optional, one.

   6.10.4    Data Format: uniform resource identifier

   6.10.5    Tag: "ArtifactOfProjectURI:"

             Example:
             ArtifactOfProjectURI: http://svn.apache.org/repos/asf/httpd/site/trunk/docs/doap.rdf

   6.10.6    RDF: spdx:artifactOf/doap

             Example:
             <File>
               <artifactOf
                   rdf:resoure="http://svn.apache.org/repos/asf/httpd/site/trunk/docs/doap.rdf" />
             </File>




                                    Official SPDX Specification 1.0.
                     Copyright © 2010-2011 Linux Foundation and its Contributors.
                Licensed under the Creative Commons Attribution License 3.0 Unported.
                                All other rights are expressly reserved.
                                              Page 31 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification




7 Review Information
Review information can be added after the initial SPDX file has been created. The set of fields are optional and
multiple instances can be added. Once a Reviewer entry is added, the Review Date associated with the review
is mandatory. The Created date should not be modified as a result of the addition of information regarding the
conduct of a review. A Review Comments is optional.

Fields:

          7.1     Reviewer
                7.1.1      Purpose: This field identifies the person, organization or tool that has reviewed the
                SPDX file. This field is optional and thus there is no requirement for any reviewer to add an set of
                review information to the file. This can be considered as an equivalent to “signed off” or “reviewed
                by.” Additional reviewers can be added after the original version of the SPDX file is created and
                be appended to the original file.

                7.1.2      Intent: Here, as time progresses certain reviewers will begin to gain credibility as
                reliable. This field intends to make such information transparent. It may also be important for
                participants in the software supply chain to validate whether upstream providers have reviewed
                the SPDX file

                7.1.3     Cardinality: Optional, one.

                7.1.4     Data Format: single line of text with the following keywords.
                                 ”Person: person name” and optional “(email)”
                                 "Organization: organization” and optional “(email)”
                                 "Tool: tool identifier - version”

                7.1.5     Tag: “Reviewer:”

                          Example:
                          Reviewer: Person: Jane Doe (jane.doe@example.com)

                7.1.6     RDF: property spdx:reviewer in class spdx:Review

                          Example:
                          <Review>
                                 <reviewer> Person: Jane Doe (jane@example.com) </reviewer>
                          </Review>

          7.2     Review Date
                7.2.1    Purpose: Identify when the review was done. This is to be specified according to the
                combined date and time in the UTC format, as specified in the ISO 8601 standard.

                7.2.2     Intent: Here, the ReviewDate can serve as a verification as to when the actual review
                was done.

                7.2.3     Cardinality: Conditional(Mandatory, one), if there is a Reviewer.

                7.2.4     Data Format: YYYY-MM-DDThh:mm:ssZ
                          where:
                                 YYYY is year
                                 MM is month with leading zero
                                 DD is day with leading zero
                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 32 of 64
                                                               Software Package Data Exchange (SPDX™) Specification



                        T is delimiter for time
                        hh is hours with leading zero in 24 hour time
                        mm is minutes with leading zero
                        ss is seconds with leading zero
                        Z is universal time indicator

      7.2.5     Tag: "ReviewDate:"

                Example:
                ReviewDate: 2010-01-29T18:30:22Z

      7.2.6     RDF: property spdx:reviewDate in class spdx:Review

                Example:
                <Review>
                  <reviewDate> 2010-01-29T18:30:22Z </reviewDate>
                </Review>

7.3     Review Comments
      7.3.1     Purpose: This optional free form text field permits the reviewer to provide commentary
      on the analysis.

      7.3.2     Intent: This allows the reviewer to provide independent assessment and note any
      points where there is disagreement with the analysis.

      7.3.3     Cardinality: Optional, one.

      7.3.4     Data Format: free form text that can span multiple lines.

      7.3.5     Tag: “ReviewComments:”
                In tag format multiple lines are delimited by <text> .. </text>.

                Example:
                ReviewComments: <text>
                All of the licenses seen in the file, are matching what was seen during manual
                inspection. There are some terms that can influence the concluded license, and some
                alternatives may be possible, but the conluded license is one of the options.
                </text>

      7.3.6     RDF: property spdx:comment in class spdx:Review

                Example:
                <Review>
                  <rdfs:comment>
                      All of the licenses seen in the file, are matching what was seen during manual
                      inspection. There are some terms that can influence the concluded license, and
                     some alternatives may be possible, but the conluded license is one of the options.
                  </rdfs:comment>
                </Review>




                                      Official SPDX Specification 1.0.
                       Copyright © 2010-2011 Linux Foundation and its Contributors.
                  Licensed under the Creative Commons Attribution License 3.0 Unported.
                                  All other rights are expressly reserved.
                                                Page 33 of 64
                                                                       Software Package Data Exchange (SPDX™) Specification




    Appendix I. Standard License Short Forms
The following table contains the licenses with standardized short forms that should be recognized by programs
which comply to this version of the specification.   The short forms have been derived from common usage
identifiers, followed by the version number when known. The identifier and version number should be separated
by a “-“.

Additional licenses may be added to this list in subsequent versions of the SPDX Specification by following the
process at: http://www.spdx.org/addlicense.           For the most up to date list, please see
http://www.spdx.org/licenses.

Exact match, of the formal license is expected unless indicated otherwise on the SPDX.org web site.


  License Identifier                                         Full name of License
AFL-1.1                          Academic Free License v1.1
AFL-1.2                          Academic Free License v1.2
AFL-2.0                          Academic Free License v2.0
AFL-2.1                          Academic Free License v2.1
AFL-3.0                          Academic Free License v3.0
APL-1.0                          Adaptive Public License 1.0
ANTLR-PD                         ANTLR Software Rights Notice
Apache-1.0                       Apache License 1.0
Apache-1.1                       Apache License 1.1
Apache-2.0                       Apache License 2.0
APSL-1.0                         Apple Public Source License 1.0
APSL-1.1                         Apple Public Source License 1.1
APSL-1.2                         Apple Public Source License 1.2
APSL-2.0                         Apple Public Source License 2.0
Artistic-1.0                     Artistic License 1.0
Artistic-2.0                     Artistic License 2.0
AAL                              Attribution Assurance License
BSL-1.0                          Boost Software License 1.0
BSD-2-Clause                     BSD 2-clause "Simplified" or "FreeBSD" License
BSD-3-Clause                     BSD 3-clause "New" or "Revised" License
BSD-4-Clause                     BSD 4-clause "Original" or "Old" License
CECILL-1.0                       CeCILL Free Software License Agreement v1.0
CECILL-1.1                       CeCILL Free Software License Agreement v1.1
CECILL-2.0                       CeCILL Free Software License Agreement v2.0
CECILL-B                         CeCILL-B Free Software License Agreement
CECILL-C                         CeCILL-C Free Software License Agreement
ClArtistic                       Clarified Artistic License
CDDL-1.0                         Common Development and Distribution License 1.0
CPAL-1.0                         Common Public Attribution License 1.0
CPL-1.0                          Common Public License 1.0
CATOSL-1.1                       Computer Associates Trusted Open Source License 1.1
CC-BY-1.0                        Creative Commons Attribution 1.0
                                              Official SPDX Specification 1.0.
                               Copyright © 2010-2011 Linux Foundation and its Contributors.
                          Licensed under the Creative Commons Attribution License 3.0 Unported.
                                          All other rights are expressly reserved.
                                                        Page 34 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



CC-BY-2.0                         Creative Commons Attribution 2.0
CC-BY-2.5                         Creative Commons Attribution 2.5
CC-BY-3.0                         Creative Commons Attribution 3.0
CC-BY-ND-1.0                      Creative Commons Attribution No Derivatives 1.0
CC-BY-ND-2.0                      Creative Commons Attribution No Derivatives 2.0
CC-BY-ND-2.5                      Creative Commons Attribution No Derivatives 2.5
CC-BY-ND-3.0                      Creative Commons Attribution No Derivatives 3.0
CC-BY-NC-1.0                      Creative Commons Attribution Non Commercial 1.0
CC-BY-NC-2.0                      Creative Commons Attribution Non Commercial 2.0
CC-BY-NC-2.5                      Creative Commons Attribution Non Commercial 2.5
CC-BY-NC-3.0                      Creative Commons Attribution Non Commercial 3.0
CC-BY-NC-ND-                      Creative Commons Attribution Non Commercial No Derivatives 1.0
CC-BY-NC-ND-2.0                   Creative Commons Attribution Non Commercial No Derivatives 2.0
CC-BY-NC-ND-2.5                   Creative Commons Attribution Non Commercial No Derivatives 2.5
CC-BY-NC-ND-3.0                   Creative Commons Attribution Non Commercial No Derivatives 3.0
CC-BY-NC-SA-1.0                   Creative Commons Attribution Non Commercial Share Alike 1.0
CC-BY-NC-SA-2.0                   Creative Commons Attribution Non Commercial Share Alike 2.0
CC-BY-NC-SA-2.5                   Creative Commons Attribution Non Commercial Share Alike 2.5
CC-BY-NC-SA-3.0                   Creative Commons Attribution Non Commercial Share Alike 3.0
CC-BY-SA-1.0                      Creative Commons Attribution Share Alike 1.0
CC-BY-SA-2.0                      Creative Commons Attribution Share Alike 2.0
CC-BY-SA-2.5                      Creative Commons Attribution Share Alike 2.5
CC-BY-SA-3.0                      Creative Commons Attribution Share Alike 3.0
CC0-1.0                           Creative Commons Zero v1.0 Universal
CUA-OPL-1.0                       CUA Office Public License v1.0
EPL-1.0                           Eclipse Public License 1.0
eCos-2.0                          eCos license version 2.0
ECL-1.0                           Educational Community License v1.0
ECL-2.0                           Educational Community License v2.0
EFL-1.0                           Eiffel Forum License v1.0
EFL-2.0                           Eiffel Forum License v2.0
Entessa                           Entessa Public License
ErlPL-1.1                         Erlang Public License v1.1
EUDatagrid                        EU DataGrid Software License
EUPL-1.0                          European Union Public License 1.0
EUPL-1.1                          European Union Public License 1.1
Fair                              Fair License
Frameworx-1.0                     Frameworx Open License 1.0
AGPL-3.0                          GNU Affero General Public License v3
GFDL-1.1                          GNU Free Documentation License v1.1
GFDL-1.2                          GNU Free Documentation License v1.2
GFDL-1.3                          GNU Free Documentation License v1.3
GPL-1.0                           GNU General Public License v1.0 only
GPL-1.0+                          GNU General Public License v1.0 or later
GPL-2.0                           GNU General Public License v2.0 only
GPL-2.0+                          GNU General Public License v2.0 or later
GPL-2.0-with-autoconf-exception   GNU General Public License v2.0 w/Autoconf exception
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 35 of 64
                                                                         Software Package Data Exchange (SPDX™) Specification



GPL-2.0-with-bison-exception       GNU General Public License v2.0 w/Bison exception
GPL-2.0-with-classpath-exception   GNU General Public License v2.0 w/Classpath exception
GPL-2.0-with-font-exception        GNU General Public License v2.0 w/Font exception
GPL-2.0-with-GCC-exception         GNU General Public License v2.0 w/GCC Runtime Library exception
GPL-3.0                            GNU General Public License v3.0 only
GPL-3.0+                           GNU General Public License v3.0 or later
GPL-3.0-with-autoconf-exception    GNU General Public License v3.0 w/Autoconf exception
GPL-3.0-with-GCC-exception         GNU General Public License v3.0 w/GCC Runtime Library exception
LGPL-2.1                           GNU Lesser General Public License v2.1 only
LGPL-2.1+                          GNU Lesser General Public License v2.1 or later
LGPL-3.0                           GNU Lesser General Public License v3.0 only
LGPL-3.0+                          GNU Lesser General Public License v3.0 or later
LGPL-2.0                           GNU Library General Public License v2 only
LGPL-2.0+                          GNU Library General Public License v2 or later
gSOAP-1.3b                         gSOAP Public License v1.b
HPND                               Historic Permission Notice and Disclaimer
IPL-1.0                            IBM Public License v1.0
IPA                                IPA Font License
ISC                                ISC License (Bind, DHCP Server)
LPPL-1.0                           LaTeX Project Public License v1.0
LPPL-1.1                           LaTeX Project Public License v1.1
LPPL-1.2                           LaTeX Project Public License v1.2
LPPL-1.3c                          LaTeX Project Public License v1.3c
Libpng                             libpng License
LPL-1.02                           Lucent Public License v1.02 (Plan9)
MS-PL                              Microsoft Public License
MS-RL                              Microsoft Reciprocal License
MirOS                              MirOS Licence
MIT                                MIT license (also X11)
Motosoto                           Motosoto License
MPL-1.0                            Mozilla Public License 1.0
MPL-1.1                            Mozilla Public License 1.1
Multics                            Multics License
NASA-1.3                           NASA Open Source Agreement 1.3
Nauman                             Naumen Public License
NGPL                               Nethack General Public License
Nokia                              Nokia Open Source License
NPOSL-3.0                          Non-Profit Open Software License 3.0
NTP                                NTP License
OCLC-2.0                           OCLC Research Public License 2.0
ODbL-1.0                           ODC Open Database License v1.0
PDDL-1.0                           ODC Public Domain Dedication & License 1.0
OGTSL                              Open Group Test Suite License
OSL-1.0                            Open Software License 1.0
OSL-2.0                            Open Software License 2.0
OSL-3.0                            Open Software License 3.0
OLDAP-2.8                          OpenLDAP Public License v2.8
                                                Official SPDX Specification 1.0.
                                 Copyright © 2010-2011 Linux Foundation and its Contributors.
                            Licensed under the Creative Commons Attribution License 3.0 Unported.
                                            All other rights are expressly reserved.
                                                          Page 36 of 64
                                                              Software Package Data Exchange (SPDX™) Specification



OpenSSL                 OpenSSL License
PHP-3.01                PHP License v3.01
PostgreSQL              PostgreSQL License
Python-2.0              Python License 2.0
QPL-1.0                 Q Public License 1.0
RPSL-1.0                RealNetworks Public Source License v1.0
RPL-1.5                 Reciprocal Public License 1.5
RHeCos-1.1              Red Hat eCos Public License v1.1
RSCPL                   Ricoh Source Code Public License
Ruby                    Ruby License
SAX-PD                  Sax Public Domain Notice
OFL-1.1                 SIL Open Font License 1.1
SimPL-2.0               Simple Public License 2.0
Sleepycat               Sleepycat License
SugarCRM-1.1.3          SugarCRM Public License v1.1.3
SPL-1.0                 Sun Public License v1.0
Watcom-1.0              Sybase Open Watcom Public License 1.0
NCSA                    University of Illinois/NCSA Open Source License
VSL-1.0                 Vovida Software License v1.0
W3C                     W3C Software and Notice License
WXwindows               wxWindows Library License
Xnet                    X.Net License
XFree86-1.1             XFree86 License 1.1
YPL-1.1                 Yahoo! Public License v1.1
Zimbra-1.3              Zimbra Publice License v1.3
Zlib                    zlib License
ZPL-1.1                 Zope Public License 1.1
ZPL-2.0                 Zope Public License 2.0
ZPL-2.1                 Zope Public License 2.1




                                     Official SPDX Specification 1.0.
                      Copyright © 2010-2011 Linux Foundation and its Contributors.
                 Licensed under the Creative Commons Attribution License 3.0 Unported.
                                 All other rights are expressly reserved.
                                               Page 37 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



Vocabulary
Version:
      DRAFT (17 Aug 2011 03:13 UTC master 4651f6 with corrections)

Latest Version:
      http://spdx.org/rdf/terms

Copyright © 2010-2011 Linux Foundation and its Contributors. All other rights are expressly reserved.

Licensed under the Creative Commons Attribution License 3.0 unported.

Abstract

This specification describes the SPDX language, defined as a dictionary of named properties and classes using
W3C's RDF Technology.

SPDX is a designed to allow the exchange of data about software package. This information includes general
information about the package, licensing information about the package as a whole, a manifest of files contained
in the package and licensing information related to the contained files.

The spdx prefix used in this document expands to http://spdx.org/rdf/terms#. Any terms in this
document without an explicit prefix may be assumed to be in the spdx namespace.

Other vocabularies used by this one are: DOAP

Classes

       SpdxDocument
       CreationInfo
       Package
       ExtractedLicensingInfo
       Checksum
       PackageVerificationCode
       File
       Review
       License
       ConjunctiveLicenseSet
       DisjunctiveLicenseSet
       AnyLicenseInfo
       SimpleLicenseInfo


Class: SpdxDocument

An SdpxDocument is a summary of the contents, provenance, ownership and licensing analysis of a specific
software package. This is, effectively, the top level of SPDX information.

Status:
      stable

                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 39 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



Properties:
     specVersion
        Cardinality: Mandatory, one

     dataLicense
      Cardinality: Mandatory, one

     creationInfo
      Cardinality: Mandatory, one

     describesPackage
      Cardinality: Mandatory, one

     hasExtractedLicensingInfo
      Cardinality: Optional, zero or more

     referencesFile
      Cardinality: Mandatory, one or more

     reviewed
      Cardinality: Optional, zero or more.



Class: CreationInfo

A CreationInfo provides information about the individuals, organizations and tools involved in the creation of
an SpdxDocument.

Status:
      stable
Properties:
             creator
              Cardinality: Mandatory, one or more

            created
             Cardinality: Mandatory, one

            rdfs:comment
             Cardinality: Optional, zero or one



Class: Package

A Package represents a collection of software files that are delivered as a single functional component.

Status:
      stable
Properties:
             name
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 40 of 64
                                                            Software Package Data Exchange (SPDX™) Specification



   Cardinality: Mandatory, one

 versionInfo
  Cardinality: Optional, zero or one

 packageFileName
  Cardinality: Mandatory, one

 supplier
  Cardinality: Optional, zero or one

 originator
  Cardinality: Optional, zero or one

 downloadLocation
  Cardinality: Mandatory, one

 packageVerificationCode
  Cardinality: Mandatory, one

 checksum
  Cardinality: Optional, zero or one

 sourceInfo
  Cardinality: Optional, zero or one

 licenseConcluded
  Cardinality: Mandatory, one

 licenseInfoFromFiles
  Cardinality: Mandatory, one or more

 licenseDeclared
  Cardinality: Mandatory, one

 licenseComments
  Cardinality: Optional, zero or one

 copyrightText
  Cardinality: Mandatory, one

 summary
  Cardinality: Optional, zero or one

 description
  Cardinality: Optional, zero or one

 hasFile
  Cardinality: Mandatory, one or more

                                   Official SPDX Specification 1.0.
                    Copyright © 2010-2011 Linux Foundation and its Contributors.
               Licensed under the Creative Commons Attribution License 3.0 Unported.
                               All other rights are expressly reserved.
                                             Page 41 of 64
                                                                       Software Package Data Exchange (SPDX™) Specification




Class: ExtractedLicensingInfo

An ExtractedLicensingInfo represents a license or licensing notice that was found in the package. Any
license text that is recognized as a license may be represented as a License rather than an
ExtractedLicensingInfo.

Status:
      stable
Properties:
             licenseId
              Cardinality: Mandatory, one

           extractedText
            Cardinality: Mandatory, one



Class: File

A File represents a named sequence of information that is contained in a software package.

Status:
      stable
Properties:
             fileName
              Cardinality: Mandatory, one

           fileType
            Cardinality: Optional, zero or one

           checksum
            Cardinality: Mandatory, one

           licenseConcluded
            Cardinality: Mandatory, one

           licenseInfoInFile
            Cardinality: Mandatory, one or more

           licenseComments
            Cardinality: Optional, zero or one

           copyrightText
            Cardinality: Mandatory, one

           artifactOf
            Cardinality: Optional, zero or one



                                              Official SPDX Specification 1.0.
                               Copyright © 2010-2011 Linux Foundation and its Contributors.
                          Licensed under the Creative Commons Attribution License 3.0 Unported.
                                          All other rights are expressly reserved.
                                                        Page 42 of 64
                                                                       Software Package Data Exchange (SPDX™) Specification




Class: Review

A Review represents an audit and signoff by an individual, organization or tool on the information in an
SpdxDocument.

Status:
      stable
Properties:
             reviewer
              Cardinality: Mandatory, one

           reviewDate
            Cardinality: Mandatory, one

           rdfs:comment
            Cardinality: Optional, zero or one



Class: License

A License represents a software copyright license. This class is used by the SPDX license list to represent
standard licenses.

Status:
      stable
Properties:
             licenseId
              Cardinality: Mandatory, one

           licenseText
            Cardinality: Mandatory, one



Class: Checksum

A Checksum is simple value that allows the contents of a file to be authenticated. Even small changes to the
content of the file will change it's checksum value.

Status:
      stable
Properties:
             algorithm
              Cardinality: Mandatory, one

           checksumValue
            Cardinality: Mandatory, one


                                              Official SPDX Specification 1.0.
                               Copyright © 2010-2011 Linux Foundation and its Contributors.
                          Licensed under the Creative Commons Attribution License 3.0 Unported.
                                          All other rights are expressly reserved.
                                                        Page 43 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification




Class: PackageVerificationCode

A PackageVerificationCode is a value that allows authentication of the package. This differs from the
Checksum in that it uses an algorithm that allows the SPDX file to be embedded in the package. This verification
code is produced using a cryptographic hash algorithm applied to a manifest of the package. Some files in the
package (e.g. the SPDX files) are explicitly excluded from the verification code. This allows those excluded files
to not impact the verification code.

Status:
      stable
Properties:
             packageVerificationCodeExcludedFile
              Cardinality: Optional, zero or more

            packageVerificationCodeValue
             Cardinality: Mandatory, one



Class: ConjunctiveLicenseSet

A ConjunctiveLicenseSet represents a set of licensing information all of which apply.

This class refines rdfs:Container.

Status:
      stable
Properties:
             member
              Cardinality: Mandatory, two or more.



Class: DisjunctiveLicenseSet

A DisjunctiveLicenseSet represents a set of licensing information where only one license applies at a
time. This class implies that the recipient gets to choose one of these licenses they would prefer to use.

This class refines rdfs:Container.

Status:
      stable
Properties:
             member
              Cardinality: Mandatory, two or more.




                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 44 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification




Class: AnyLicenseInfo

The AnyLicenseInfo class includes all resources that represent licensing information.

Status:
      stable
Members
      All resources in any of the following classes:
             License
             ExtractedLicensingInfo
             ConjunctiveLicenseSet
             DisjunctiveLicenseSet



Class: SimpleLicenseInfo

The SimpleLicenseInfo class includes all resources that represent simple, atomic, licensing information.

Status:
      stable
Members
      All resources in any of the following classes:
             License
             ExtractedLicensingInfo




Properties

       algorithm
       artifactOf
       checksum
       checksumValue
       copyrightText
       created
       creationInfo
       creator
       dataLicense
       describesPackage
       description
       downloadLocation
       extractedText
       fileName
       fileType
       hasExtractedLicensingInfo
       hasFile
       licenseComments
       licenseConcluded
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 45 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification



        licenseDeclared
        licenseId
        licenseText
        licenseInfoFromFiles
        licenseInfoInFile
        member
        name
        originator
        packageFileName
        packageVerificationCode
        packageVerificationCodeExcludedFile
        packageVerificationCodeValue
        referencesFile
        reviewDate
        reviewed
        reviewer
        sourceInfo
        specVerison
        summary
        supplier
        versionInfo




Property: algorithm

Identifies the algorithm used to produce the subject checksum.

Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a
later time.

Status:
      stable
Domain:
      Checksum
Range:
      spdx:checksumAlgorithm_sha1



Property: artifactOf

Indicates the project in which the file originated.

Tools must preserve doap:hompage and doap:name properties and the URI (if one is known) of
doap:Project resources that are values of this property. All other properties of doap:Projects are not
directly supported by SPDX and may be dropped when translating to or from some SPDX formats.

Status:
      stable
Domain:
                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 46 of 64
                                                                         Software Package Data Exchange (SPDX™) Specification



     File
Range:
     doap:Project




Property: checksum

The checksum property provides a mechanism that can be used to verify that the contents of a File or Package
have not changed.

Status:
      stable
Domain:
      Any of:
            Package
            File
Range:
      Checksum

Property: checksumValue

The checksumValue property provides a lower case hexidecimal encoded digest value produced using a
specific algorithm.

Status:
      stable
Domain:
      Checksum
Range:
      xsd:hexBinary

Property: created

The date and time at which the SpdxDocument was created. This value must in UTC and have 'Z' as its
timezone indicator.

Status:
      stable
Domain:
      CreationInfo
Range:
      xsd:dateTime

Property: copyrightText

The text of copyright declarations recited in tthe Package or File.

Status:
      stable
Domain:
      Any of:
                                                Official SPDX Specification 1.0.
                                 Copyright © 2010-2011 Linux Foundation and its Contributors.
                            Licensed under the Creative Commons Attribution License 3.0 Unported.
                                            All other rights are expressly reserved.
                                                          Page 47 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



            Package
            File
Range:
     Any of:
          rdfs:Literal
          spdx:none
          spdx:noassertion



Property: creationInfo

The creationInfo property relates an SpdxDocument to a set of information about the creation of the
SpdxDocument.

Status:
      stable
Domain:
      SpdxDocument
Range:
      CreationInfo



Property: creator

The name and, optionally, contact information of a person, organization or tool that created, or was used to
create, the SpdxDocument.

Status:
      stable
Domain:
      CreationInfo
Range:
      xsd:string

Property: dataLicense

The licensing under which the creator of this SPDX document allows related data to be reproduced.

The only valid value for this property is http://spdx.org/licenses/PDDL-1.0. This is to alleviate any
concern that content (the data) in an SPDX file is subject to any form of intellectual property right that could
restrict the re-use of the information or the creation of another SPDX file for the same project(s). This approach
avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract one
to one to restrict release of specific collections of SPDX files (which map to software bill of materials) and the
identification of the supplier of SPDX files.

Status:
      stable
Domain:
      SpdxDocument
Range:
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 48 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



      AnyLicenseInfo

Property: describesPackage

The describesPackage property relates an SpdxDocument to the package which it describes.

Status:
      stable
Domain:
      SpdxDocument
Range:
      Package



Property: description

Provides a detailed description of the package.

Status:
      stable
Domain:
      Package
Range:
      xsd:string



Property: downloadLocation

The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are
acceptable as values of this property.

The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion
may be used to specify that the package is not downloadable or that no attempt was made to determine its
download location, respectively.

Status:
      stable
Domain:
      Package
Range:
      xsd:anyURI



Property: extractedText

Verbatim license or licensing notice text that was discovered.

Status:
      stable
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 49 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification



Domain:
     ExtractedLicensingInfo
Range:
     xsd:string



Property: fileName

The name of the file relative to the root of the package.

Status:
      stable
Domain:
      File
Range:
      xsd:string



Property: fileType

The type of the file.

Status:
      stable
Domain:
      File
Range:
      One of:
            spdx:fileType_source

               Indicates the file is a source code file.

             spdx:fileType_archive

               Indicates the file is an archive file.

             spdx:fileType_binary

               Indicates the file is not a text file. filetype_archive is preferred for archive files even though
               they are binary.

             spdx:fileType_other

               Indicates the file did not fall into any of the other categories.




                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 50 of 64
                                                                       Software Package Data Exchange (SPDX™) Specification




Property: hasExtractedLicensingInfo

Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.

Status:
      stable
Domain:
      SpdxDocument
Range:
      ExtractedLicensingInfo



Property: hasFile

Indicates that a particular file belongs to a package.

Status:
      stable
Domain:
      Package
Range:
      File



Property: licenseComments

The licenseComments property allows the preparer of the SPDX document to describe why the licensing in
spdx:licenseConcluded was chosen.

Status:
      stable
Domain:
      Any of:
            Package
            File
Range:
      xsd:string



Property: licenseConcluded

The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies
to the package.

Status:
      stable
Domain:
                                              Official SPDX Specification 1.0.
                               Copyright © 2010-2011 Linux Foundation and its Contributors.
                          Licensed under the Creative Commons Attribution License 3.0 Unported.
                                          All other rights are expressly reserved.
                                                        Page 51 of 64
                                                                             Software Package Data Exchange (SPDX™) Specification



     Any of:
              Package
              File
Range:
     Any of:
              AnyLicenseInfo
              spdx:none
              spdx:noassertion



Property: licenseDeclared

The licensing that is declared by the authors of the package.

Status:
      stable
Domain:
      Package
Range:
      Any of:
            AnyLicenseInfo
            spdx:none
            spdx:noassertion



Property: licenseId

A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z',
'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId values must match the regular expression: [-+_.a-zA-
Z0-9]{3,}

Status:
      stable
Domain:
            License
            ExtractedLicensingInfo
Range:
      xsd:string



Property: licenseText

The full text of the license.

Status:
      stable
Domain:
      License
Range:
                                                    Official SPDX Specification 1.0.
                                     Copyright © 2010-2011 Linux Foundation and its Contributors.
                                Licensed under the Creative Commons Attribution License 3.0 Unported.
                                                All other rights are expressly reserved.
                                                              Page 52 of 64
                                                                         Software Package Data Exchange (SPDX™) Specification



      xsd:string



Property: licenseInfoFromFiles

The licensing information that was discovered directly within the package. There will be an instance of this
property for each distinct value of all licenseInfoInFile properties of all the files contained in the package.

Status:
      stable
Domain:
      Package
Range:
      Any of:
            SimpleLicenseInfo
            spdx:none
            spdx:noassertion



Property: licenseInfoInFile

Licensing information that was discovered directly in the subject File.

Status:
      stable
Domain:
      File
Range:
      Any of:
            SimpleLicenseInfo
            spdx:none
            spdx:noassertion



Property: member

A license, or other licensing information, that is a member of the subject license set.

Status:
      stable
Domain:
      Any of:
            ConjunctiveLicenseSet
            DisjunctiveLicenseSet
Range:
      AnyLicenseInfo
Refines:
      rdfs:member

                                                Official SPDX Specification 1.0.
                                 Copyright © 2010-2011 Linux Foundation and its Contributors.
                            Licensed under the Creative Commons Attribution License 3.0 Unported.
                                            All other rights are expressly reserved.
                                                          Page 53 of 64
                                                                         Software Package Data Exchange (SPDX™) Specification




Property: name

The full name of the package including version information.

Status:
      stable
Domain:
      Package
Range:
      xsd:string



Property: packageFileName

The base name of the package file name. For example, zlib-1.2.5.tar.gz.

Status:
      stable
Domain:
      Package
Range:
      xsd:string

Property: packageVerificationCode

A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the
package. This allows consumers of this data and/or database to determine if a package they have in hand is
identical to the package from which the data was produced. This algorithm works even if the SPDX document is
included in the package. This algorithm is described in detail in the SPDX specification.

Status:
      stable
Domain:
      Package
Range:
      PackageVerificationCode



Property: packageVerificationCodeExcludedFile

A file that was excluded when calculating the package verification code. This is usually a file containing SPDX
data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded
from the package verification code. If this is not done it would be impossible to correctly calculate the verification
codes in both files.

Status:
      stable
Domain:

                                                Official SPDX Specification 1.0.
                                 Copyright © 2010-2011 Linux Foundation and its Contributors.
                            Licensed under the Creative Commons Attribution License 3.0 Unported.
                                            All other rights are expressly reserved.
                                                          Page 54 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



     PackageVerificationCode
Range:
     xsd:string



Property: packageVerificationCodeValue

The actual package verification code as a hex encoded value.

Status:
      stable
Domain:
      PackageVerificationCode
Range:
      xsd:hexBinary



Property: originator

The name and, optionally, contact information of the person or organization that originally created the package.

Status:
      stable
Domain:
      Package
Range:
      Any of:
            xsd:string
            spdx:noassertion




Property: referencesFile

Indicates that a particular file belongs as part of the set of analyzed files in SpdxDocument.

Status:
      stable
Domain:
      SpdxDocument
Range:
      File



Property: reviewDate

The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its
timezone indicator.

                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 55 of 64
                                                                       Software Package Data Exchange (SPDX™) Specification



Status:
      stable
Domain:
      Review
Range:
      xsd:dateTime



Property: reviewed

The review property relates a SpdxDocument to the review history.

Status:
      stable
Domain:
      SpdxDocument
Range:
      Review



Property: reviewer

The name and, optionally, contact information of the person who performed the review.

Status:
      stable
Domain:
      Review
Range:
      xsd:string



Property: sourceInfo

Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from
the original source.

Status:
      stable
Domain:
      Package
Range:
      xsd:string



Property: specVersion

Identifies the version of this specification that was used to produce this SPDX document. Currently the only
                                              Official SPDX Specification 1.0.
                               Copyright © 2010-2011 Linux Foundation and its Contributors.
                          Licensed under the Creative Commons Attribution License 3.0 Unported.
                                          All other rights are expressly reserved.
                                                        Page 56 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



supported value is SPDX-1.0.

Status:
      stable
Domain:
      SpdxDocument
Range:
      xsd:string



Property: summary

Provides a short description of the package.

Status:
      stable
Domain:
      Package
Range:
      xsd:string




Property: supplier

The name, and optionally the contact information, of the person or organization who was the immediate supplier
of the package to the recipient. The supplier may be different than originator when the software has been
repackaged.

Values of this property must conform to the agent and tool syntax.

Status:
      stable
Domain:
      Package
Range:
      Any of:
            xsd:string
            spdx:noassertion




Property: versionInfo

Provides an indication of the version of the package that is described by this SpdxDocument.

Status:
      stable
Domain:
      Package
Range:
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 57 of 64
                                                                           Software Package Data Exchange (SPDX™) Specification



         xsd:string




Individuals

         checksumAlgorithm_sha1
         fileType_archive
         fileType_binary
         fileType_other
         fileType_source
         noassertion
         none




Individual: checksumAlgorithm_sha1

Indicates the algorithm used was SHA-1

Status:
      stable



Individual: fileType_archive

Indicates the file is an archive file.

Status:
      stable



Individual: fileType_binary

Indicates the file is not a text file. spdx:filetype_archive is preferred for archive files even though they are
binary.

Status:
      stable



Individual: fileType_other

Indicates the file is not a source, archive or binary file.
                                                  Official SPDX Specification 1.0.
                                   Copyright © 2010-2011 Linux Foundation and its Contributors.
                              Licensed under the Creative Commons Attribution License 3.0 Unported.
                                              All other rights are expressly reserved.
                                                            Page 58 of 64
                                                                          Software Package Data Exchange (SPDX™) Specification



Status:
      stable



Individual: fileType_source

Indicates the file is a source code file.

Status:
      stable



Individual: none

When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes
that there is no value for the property. This value should only be used if there is sufficient evidence to support
this assertion.

Status:
      stable



Individual: noassertion

Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.

Status:
      stable




Agent and Tool Identifiers
Fields that identify entities that have acted in relation to the SPDX file are single line of text which name the
agent or tool and, optionally, provide contact information. For example, "Person: Jane Doe
(jane.doe@example.com)", "Organization: ExampleCodeInspect (contact@example.com)" and "Tool:
LicenseFind - 1.0". The exact syntax of agent and tool identifications is described below in ABNF.

 Agent                = person / organization

 person               =   "Person: " name 0*1contact-info
 organization         =   "Organization: " name 0*1contact-info
 name                 =   1*( unreserved ) / U+0022 1*( vchar-sans-quote ) U+0022
 contact-info         =   " (" email-addr ")"
 email-addr           =   *( atext / "." ) atext "@" ldh-str 1*( "." ldh-str )

 tool                 = "Tool: " name 0*1( " " dash " " version)
 version              = 1*vchar-sans-quote

 dash                 = U+2010 / U+2212 / ; hyphen, minus,
                                                 Official SPDX Specification 1.0.
                                  Copyright © 2010-2011 Linux Foundation and its Contributors.
                             Licensed under the Creative Commons Attribution License 3.0 Unported.
                                             All other rights are expressly reserved.
                                                           Page 59 of 64
                                                               Software Package Data Exchange (SPDX™) Specification



               U+2013 / U+2014           ; em dash and en dash

unreserved    = U+0020-U+0027 / ; visible unicode characters
                U+0029-U+0080 / ; except '(' and dashes
                U+00A0-U+200F /
                U+2011-U+2027 /
                U+202A-U+2211 /
                U+2213-U+E01EF

vchar-sans-quote = U+0020-U+0021 / ; visible unicode characters
                U+0023-U+0080 /    ; except quotation mark
                U+00a0-U+E01EF

atext         = ALPHA / DIGIT /; Printable US-ASCII
                "!" / "#" / ; characters not including

                "$"   /   "%"   / ; specials. Used for atoms.
                "&"   /   "'"   /
                "*"   /   "+"   /
                "-"   /   "/"   /
                "="   /   "?"   /
                "^"   /   "_"   /
                "`"   /   "{"   /
                "|"   /   "}"   /
                "~"

ldh-str          = ALPHA / DIGIT / "-"




                                      Official SPDX Specification 1.0.
                       Copyright © 2010-2011 Linux Foundation and its Contributors.
                  Licensed under the Creative Commons Attribution License 3.0 Unported.
                                  All other rights are expressly reserved.
                                                Page 60 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification




    Appendix III. Creative Commons Attribution License 3.0 Unported

License
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS
PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER
APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR
COPYRIGHT LAW IS PROHIBITED.

BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE
BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO
BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION
OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

1. Definitions

    a. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works,
       such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary
       or artistic work, or phonogram or performance and includes cinematographic adaptations or any other
       form in which the Work may be recast, transformed, or adapted including in any form recognizably
       derived from the original, except that a work that constitutes a Collection will not be considered an
       Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical
       work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image
       ("synching") will be considered an Adaptation for the purpose of this License.
    b. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or
       performances, phonograms or broadcasts, or other works or subject matter other than works listed in
       Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute
       intellectual creations, in which the Work is included in its entirety in unmodified form along with one or
       more other contributions, each constituting separate and independent works in themselves, which
       together are assembled into a collective whole. A work that constitutes a Collection will not be
       considered an Adaptation (as defined above) for the purposes of this License.
    c. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as
       appropriate, through sale or other transfer of ownership.
    d. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of
       this License.
    e. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or
       entities who created the Work or if no individual or entity can be identified, the publisher; and in addition
       (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act,
       sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of
       folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the
       sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that
       transmits the broadcast.
    f. "Work" means the literary and/or artistic work offered under the terms of this License including without
       limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form
       of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address,
       sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work
       or entertainment in dumb show; a musical composition with or without words; a cinematographic work to
       which are assimilated works expressed by a process analogous to cinematography; a work of drawing,
       painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated
       works expressed by a process analogous to photography; a work of applied art; an illustration, map,
       plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a
       performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a
       copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise
       considered a literary or artistic work.
                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 61 of 64
                                                                         Software Package Data Exchange (SPDX™) Specification



    g. "You" means an individual or entity exercising rights under this License who has not previously violated
       the terms of this License with respect to the Work, or who has received express permission from the
       Licensor to exercise rights under this License despite a previous violation.
    h. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public
       those public recitations, by any means or process, including by wire or wireless means or public digital
       performances; to make available to the public Works in such a way that members of the public may
       access these Works from a place and at a place individually chosen by them; to perform the Work to the
       public by any means or process and the communication to the public of the performances of the Work,
       including by public digital performance; to broadcast and rebroadcast the Work by any means including
       signs, sounds or images.
    i. "Reproduce" means to make copies of the Work by any means including without limitation by sound or
       visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a
       protected performance or phonogram in digital form or other electronic medium.

2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from
copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright
protection under copyright law or other applicable laws.

3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide,
royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights
in the Work as stated below:

    a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the
       Work as incorporated in the Collections;
    b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in
       any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were
       made to the original Work. For example, a translation could be marked "The original work was translated
       from English to Spanish," or a modification could indicate "The original work has been modified.";
    c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and,
    d. to Distribute and Publicly Perform Adaptations.
    e. For the avoidance of doubt:

             i. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to
                  collect royalties through any statutory or compulsory licensing scheme cannot be waived, the
                  Licensor reserves the exclusive right to collect such royalties for any exercise by You of the
                  rights granted under this License;
             ii. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect
                  royalties through any statutory or compulsory licensing scheme can be waived, the Licensor
                  waives the exclusive right to collect such royalties for any exercise by You of the rights granted
                  under this License; and,
             iii. Voluntary License Schemes. The Licensor waives the right to collect royalties, whether
                  individually or, in the event that the Licensor is a member of a collecting society that administers
                  voluntary licensing schemes, via that society, from any exercise by You of the rights granted
                  under this License.

The above rights may be exercised in all media and formats whether now known or hereafter devised. The
above rights include the right to make such modifications as are technically necessary to exercise the rights in
other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby
reserved.

4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the
following restrictions:


                                                Official SPDX Specification 1.0.
                                 Copyright © 2010-2011 Linux Foundation and its Contributors.
                            Licensed under the Creative Commons Attribution License 3.0 Unported.
                                            All other rights are expressly reserved.
                                                          Page 62 of 64
                                                                         Software Package Data Exchange (SPDX™) Specification



    a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include
       a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You
       Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms
       of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient
       under the terms of the License. You may not sublicense the Work. You must keep intact all notices that
       refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or
       Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective
       technological measures on the Work that restrict the ability of a recipient of the Work from You to
       exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to
       the Work as incorporated in a Collection, but this does not require the Collection apart from the Work
       itself to be made subject to the terms of this License. If You create a Collection, upon notice from any
       Licensor You must, to the extent practicable, remove from the Collection any credit as required by
       Section 4(b), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the
       extent practicable, remove from the Adaptation any credit as required by Section 4(b), as requested.
    b. If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a
       request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and
       provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or
       pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another
       party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in
       Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or
       parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that
       Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright
       notice or licensing information for the Work; and (iv) , consistent with Section 3(b), in the case of an
       Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the
       Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit
       required by this Section 4 (b) may be implemented in any reasonable manner; provided, however, that
       in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all
       contributing authors of the Adaptation or Collection appears, then as part of these credits and in a
       manner at least as prominent as the credits for the other contributing authors. For the avoidance of
       doubt, You may only use the credit required by this Section for the purpose of attribution in the manner
       set out above and, by exercising Your rights under this License, You may not implicitly or explicitly
       assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor
       and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express
       prior written permission of the Original Author, Licensor and/or Attribution Parties.
    c. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable
       law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any
       Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in
       relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor
       agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b)
       of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation,
       modification or other derogatory action prejudicial to the Original Author's honor and reputation, the
       Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the
       applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this
       License (right to make Adaptations) but not otherwise.

5. Representations, Warranties and Disclaimer

UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE
WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE
WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION,
WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE,
NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE
PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO
NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO

                                                Official SPDX Specification 1.0.
                                 Copyright © 2010-2011 Linux Foundation and its Contributors.
                            Licensed under the Creative Commons Attribution License 3.0 Unported.
                                            All other rights are expressly reserved.
                                                          Page 63 of 64
                                                                        Software Package Data Exchange (SPDX™) Specification



YOU.

6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT
WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL,
CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE
OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7. Termination

    a. This License and the rights granted hereunder will terminate automatically upon any breach by You of
       the terms of this License. Individuals or entities who have received Adaptations or Collections from You
       under this License, however, will not have their licenses terminated provided such individuals or entities
       remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of
       this License.
    b. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the
       applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the
       Work under different license terms or to stop distributing the Work at any time; provided, however that
       any such election will not serve to withdraw this License (or any other license that has been, or is
       required to be, granted under the terms of this License), and this License will continue in full force and
       effect unless terminated as stated above.

8. Miscellaneous

    a. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the
       recipient a license to the Work on the same terms and conditions as the license granted to You under
       this License.
    b. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to
       the original Work on the same terms and conditions as the license granted to You under this License.
    c. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the
       validity or enforceability of the remainder of the terms of this License, and without further action by the
       parties to this agreement, such provision shall be reformed to the minimum extent necessary to make
       such provision valid and enforceable.
    d. No term or provision of this License shall be deemed waived and no breach consented to unless such
       waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
    e. This License constitutes the entire agreement between the parties with respect to the Work licensed
       here. There are no understandings, agreements or representations with respect to the Work not
       specified here. Licensor shall not be bound by any additional provisions that may appear in any
       communication from You. This License may not be modified without the mutual written agreement of the
       Licensor and You.
    f. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the
       terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on
       September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO
       Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on
       July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the
       License terms are sought to be enforced according to the corresponding provisions of the
       implementation of those treaty provisions in the applicable national law. If the standard suite of rights
       granted under applicable copyright law includes additional rights not granted under this License, such
       additional rights are deemed to be included in the License; this License is not intended to restrict the
       license of any rights under applicable law.




                                               Official SPDX Specification 1.0.
                                Copyright © 2010-2011 Linux Foundation and its Contributors.
                           Licensed under the Creative Commons Attribution License 3.0 Unported.
                                           All other rights are expressly reserved.
                                                         Page 64 of 64