Revert "Eliminated "License" specific desciption on header lines."
This reverts commit 0ead9bc.
Showing 1 changed file with 58 additions and 57 deletions.
subgroups/sbom-sg/outcomes/SPDX-Lite/Proposal_v3.0/SPDX-Lite.md
@@ -1,57 +1,58 @@ | ||
SPDX-License-Identifier: Community-Spec-1.0 | ||
|
||
# Lite | ||
|
||
## Summary | ||
|
||
The Lite Profile defines the minimum set of information required for verifying the list of software package and ensureing compliance during the design phase, while maintaining interoperability with information documented using earlier SPDX syntax conventions. | ||
|
||
## Description | ||
|
||
The Lite profile namespace contains only the additional requirements to comply with the various compliance processes required when considering the software supply chain. | ||
This is intended to include the following information as minimum information: | ||
|
||
- Creation information of the SBOM | ||
- Package information | ||
- License information for the package | ||
- Relationship | ||
|
||
## Metadata | ||
|
||
- id: https://rdf.spdx.org/v3/Lite | ||
- name: Lite | ||
|
||
## External properties restrictions | ||
|
||
- /Software/Sbom | ||
- /Core/Element/creationInfo | ||
* minCount: 1 (default) | ||
- /Software/Package | ||
- /Core/Element/spdxId | ||
* minCount: 1 (default) | ||
- /Software/Package | ||
- /Core/Element/name | ||
* minCount: 1 (default) | ||
- /Software/Package | ||
- /Core/Element/creationInfo | ||
* minCount: 1 (default) | ||
- /Software/Package | ||
- /Core/Artifact/suppliedBy | ||
* minCount: 1 | ||
- /Software/Package/packageVersion | ||
* minCount: 1 | ||
- /Software/Package | ||
- /Software/SoftwareArtifact/copyrightText | ||
* minCount: 1 | ||
|
||
- /Core/Relationship/relatoinshipType | ||
* minCount: 1 (default) | ||
- /Core/Relationship/from | ||
* minCount: 1 (default) | ||
|
||
- /SimpleLicensing/LicenseExpression/licenseExpression | ||
* minCount: 1 (default) | ||
- /SimpleLicensing/SimpleLicensingText/liecnseText | ||
* minCount: 1 (default) | ||
|
||
## EOF | ||
# Annex H SPDX Lite (Normative) | ||
|
||
## H.1 Explanation of SPDX Lite <a name="H.1"></a> | ||
|
||
The SPDX Lite profile defines a subset of the SPDX specification, from the point of view of use cases in some industries. SPDX Lite aims at the balance between the SPDX standard and actual workflows in some industries. | ||
|
||
The SPDX Lite profile consists of mandatory fields from the Document Creation and Package Information sections and other basic information. | ||
|
||
The mandatory part of the Package information in SPDX Lite is basic but useful for complying with licenses. It is easy to understand licensing information by reading an SPDX Lite file. It is easy to create manually an SPDX Lite file by anyone who does not have enough knowledge about licensing information, so that tools are not necessarily required to create an SPDX Lite file. | ||
|
||
SPDX Lite has affinity with SPDX tools due to its containing the mandatory part of the Document Creation and Package Information in the SPDX Lite definition. | ||
|
||
An SPDX Lite document can be used in parallel with SPDX documents in software supply chains. | ||
|
||
## H.2 Format of SPDX Lite <a name="H.2"></a> | ||
|
||
The SPDX Lite profile is a subset of the SPDX specification. SPDX Lite consists of mandatory fields of the Document Creation and Package Information sections and other basic information. Cardinality of each item is not changed. | ||
|
||
The mandatory part of the Document Creation Information section (which consists of SPDX Version, Data License, SPDX Identifier, Document Name, SPDX Document Namespace, Creator and Created) is used for keeping compatibility with SPDX tools. | ||
|
||
The main part of the Package Information (those are Package Name, Package Version, Package File Name, Package Download Location, Package Home Page, Concluded License, Declared License, Comments on License and Copyright Text) is used for exchanging license information. | ||
|
||
In the Package Information, Package SPDX Identifier and Files Analyzed are used for keeping compatibility with SPDX tools. | ||
|
||
Files Analyzed must be set to "false" when SPDX Lite is used. | ||
|
||
Package Comment can be used to describe additional details, such as compiling options, where a license may change with a different compiling option. | ||
|
||
The Other License information section (License Identifier, Extracted Text, License Name and License Comment) is used for exchanging license information for licenses that are not on the [SPDX License List](https://spdx.org/licenses). | ||
|
||
## H.3 Table of SPDX Lite fields <a name="H.3"></a> | ||
|
||
| # | SPDX(v3.0) profile | SPDX(v3.0) subclause | SPDX(v2.3) subclause | Field Name | | ||
|:-----:|:----:|:----:|:----:|:--------------------------| | ||
|L1.1 | |x.x |6.1 | SPDX Version | | ||
|L1.2 | |x.x |6.2 | Data License | | ||
|L1.3 | |x.x |6.3 | SPDX Identifier | | ||
|L1.4 | |x.x |6.4 | Document Name | | ||
|L1.5 | |x.x |6.5 | SPDX Document Namespace | | ||
|L1.6 | |x.x |6.8 | Creator | | ||
|L1.7 | |x.x |6.9 | Created | | ||
|L2.1 | Core |x.x |7.1 | Package Name | | ||
|L2.2 | Core |x.x |7.2 | Package SPDX Identifier | | ||
|L2.3 | Core |x.x |7.3 | Package Version | | ||
|L2.4 | Software |x.x |7.4 | Package File Name | | ||
|L2.5 | Software |x.x |7.7 | Package Download Location | | ||
|L2.6 | Software |x.x |7.8 | Files Analyzed | | ||
|L2.7 | Software |x.x |7.11 | Package Home Page | | ||
|L2.8 | Licensing |N.2.4.2 | 7.13 | Concluded License | | ||
|L2.9 | Licensing |N.2.4.1 | 7.15 | Declared License | | ||
|L2.10 | Licensing |N.2.4.3 | 7.16 | Comments on License | | ||
|L2.11 | Licensing |N.2.4.4 | 7.17 | Copyright Text | | ||
|L2.12 | Software |x.x | 7.20 | Package Comment | | ||
|L3.1 | Software |x.x |10.1 | License Identifier | | ||
|L3.2 | Software |x.x |10.2 | Extracted Text | | ||
|L3.3 | Software |x.x |10.3 | License Name | | ||
|L3.4 | Software |x.x |10.5 | License Comment | | ||
|Lx.x | Core |x.x | | Relationship | |
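Review bot: two property paths in the "External properties restrictions" list are misspelled and do not match the SPDX 3 property names: `/Core/Relationship/relatoinshipType` should be `/Core/Relationship/relationshipType`, and `/SimpleLicensing/SimpleLicensingText/liecnseText` should be `/SimpleLicensing/SimpleLicensingText/licenseText`. As this is a straight revert they come back from the reverted text, so a follow-up commit is the right place to fix them, together with "ensureing" in the Summary and "desciption" in the commit title. In the same list, `/Software/Package/packageVersion` is written as one full path while every sibling nests the property under a `- /Software/Package` bullet, and the Relationship block constrains `relationshipType` and `from` but says nothing about `to`, so it is worth stating whether `to` is intentionally left unconstrained. The `## EOF` line followed by the Annex H text, and the `x.x` / `Lx.x` placeholders in the H.3 table, read as carried-over scaffolding rather than content of the Lite profile; if the annex is meant to stay, the table rows for License Identifier, Extracted Text, License Name and License Comment are tagged `Software` although H.2 describes them as Other License information.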