Software Package Data Exchange
Software Package Data Exchange (SPDX)[1] is a file format used to document information on the software licenses under which a given piece of computer software is distributed. SPDX is authored by the SPDX Working Group, which represents more than twenty different organizations, under the auspices of the Linux Foundation.[2]
SPDX attempts to standardize the way in which organizations publish their metadata on software licenses and components in bills of material.[3]
SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[1]
The current version of the standard is 2.1, ratified in November 2016.[4]
License syntax
Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0".
Licenses can be combined by the operators AND and OR, and grouped with parentheses ( and ).
For example, (Apache-2.0 OR MIT) means that you can choose between Apache-2.0 (Apache License) and MIT (MIT license).
On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.
There is also a "+" operator which, when applied to a license, means that future versions of the license apply. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions, if any).
The GNU family of licenses (e.g., GNU General Public License 2.0) has the option of choosing a later version of the license built in. It was sometimes unclear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[5] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses have new names:[6] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "GPL version 2.0 or any later version".
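The operators described above can be checked mechanically, for instance when gating dependencies on a license allowlist. The following is an added example, not code from the SPDX project: the function names are its own, it handles only AND, OR, parentheses and "+", and it assumes AND binds tighter than OR, as in the SPDX specification. Identifiers carrying "+" are compared verbatim, because deciding which versions count as later requires the license list itself.

```python
import re

def tokenize(expr):
    # A token is a parenthesis or an identifier with an optional trailing "+".
    tokens = re.findall(r"[()]|[A-Za-z0-9.-]+\+?", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("invalid character in license expression")
    return tokens

def choices(expr):
    """Every way to satisfy expr; each choice is a frozenset of ids that all apply."""
    toks = tokenize(expr)[::-1]            # reversed, so pop() takes the next token
    peek = lambda: toks[-1] if toks else None

    def atom():
        tok = toks.pop() if toks else None
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"license identifier expected, got {tok!r}")
        if tok != "(":
            return {frozenset([tok])}
        inner = disjunction()
        if peek() != ")":
            raise ValueError("missing ')'")
        toks.pop()
        return inner

    def conjunction():                     # AND binds tighter than OR
        alts = atom()
        while peek() == "AND":
            toks.pop()
            rhs = atom()
            alts = {a | b for a in alts for b in rhs}   # both sides apply
        return alts

    def disjunction():
        alts = conjunction()
        while peek() == "OR":
            toks.pop()
            alts |= conjunction()          # either side may be chosen
        return alts

    result = disjunction()
    if toks:
        raise ValueError(f"unexpected token {toks[-1]!r}")
    return result

def allowed_choices(expr, allowed):
    """Choices in which every identifier is on the allowlist (constructed policy)."""
    return sorted(sorted(c) for c in choices(expr) if c <= set(allowed))
```

An empty result from allowed_choices means no combination permitted by the expression stays within the allowlist; lower-case operators and unbalanced parentheses are rejected with ValueError rather than guessed at.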
In 2020, the European Commission published its Joinup Licensing Assistant,[7] which makes it possible to select and compare more than 50 licenses, with access to their SPDX identifier and full text.
References
- Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
- Stewart, Kate; Odence, Phil; Rockett, Esteban. "Software Package Data Exchange (SPDX™) Specification". International Free and Open Source Software Law Review. 2 (2). doi:10.5033/ifosslr.v2i2.45 (inactive 2020-05-12).
- Vaughan-Nichols, Steven (August 10, 2010). "Linux Foundation launches major open-source license compliance program". Computerworld. Retrieved 2012-08-31.
- "General Meeting/Minutes/2016-11-03 - SPDX Wiki". wiki.spdx.org.
- Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". www.gnu.org. Retrieved 2018-05-24.
- Jilayne Lovejoy. "License List 3.0 Released!". spdx.org. Retrieved 2018-05-24.
- "Joinup Licensing Assistant". Retrieved 31 March 2020.
External links
- Official website
- Linux Foundation Open Compliance Program
- Nathan Willis: A SPDX case study LWN.net