Jump to content

Software Package Data Exchange

From Wikipedia, the free encyclopedia
(Redirected from SPDX)
First publishedAugust 2011 (2011-08)
Latest version3.0
April 2024 (2024-04)
OrganizationLinux Foundation
CommitteeSPDX Project
DomainSoftware bill of materials

Software Package Data Exchange (SPDX) is an open standard for software bills of materials (SBOMs).[1] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software.[2] Its original purpose was to improve license compliance,[3] and it has since been expanded to facilitate additional use cases such as supply-chain transparency and security.[4] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 3.0.[5]


The SPDX standard defines an SBOM document, which contains SPDX metadata about software. The document itself can be expressed in multiple formats, including JSON, YAML, RDF/XML, tag–value, and spreadsheet. Each SPDX document describes one or more elements, which can be a software package, a specific file, or a snippet from a file. Each element is given a unique identifier, and metadata for an element can refer to other elements.[6]

Version history[edit]

Specification versions
Version number Publication date Notes References
1.0 August 2011 The first release of the SPDX specification; handles packages. [3]
1.1 August 2012 Fixed a flaw in the SPDX Package Verification Code (a cryptographic hash function) and added support for free-form comments. [7]
1.2 October 2013 Improved interaction with the SPDX License List, and added new fields for documenting extra information about software projects. [8]
2.0 May 2015 Added the ability to describe multiple packages and the relationships between different packages and files. [9]
2.1 November 2016 Added support for describing 'snippets' of code and the ability to reference non-SPDX data (such as CVEs). [10][11]
2.2 May 2020 Added 'SPDX-lite' profile for minimal software bill of materials and improved support for external references. [12]
2.2.1 October 2020 Functionally equivalent to SPDX 2.2 but with typesetting for publication as an ISO standard. [13]
2.2.2 April 2022 Functionally equivalent to SPDX 2.2.1 but with spelling, grammar and other editorial improvements. [14]
2.3 November 2022 Added new fields to improve the ability to capture security related information and interoperability with other SBOM formats. [15]
3.0 April 2024 Introduced profiles to support specific use cases including security and AI. [16]

The first version of the SPDX specification was intended to make compliance with software licenses easier,[3] but subsequent versions of the specification added capabilities intended for other use-cases, such as being able to contain references to known software vulnerabilities.[11] Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'.[17]

SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October, 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August, 2021.[13][18]

License syntax[edit]

Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0". Licenses can be combined by operators AND and OR, and grouping (, ).

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) or MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

There is also a "+" operator which, when applied to a license, means that future versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions if any).

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[19]

In 2020, the European Commission published its Joinup Licensing Assistant,[20] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers[edit]

The GNU family of licenses (e.g., GNU General Public License version 2) have the choice of choosing a later version of the license built in. Sometimes, it was not clear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[21] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses got new names.[22] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".


For licensing[edit]

The SPDX license identifier can be added to the top of source code files as a short string unambiguously declaring the license used. The SPDX-License-Identifier syntax, pioneered by Das U-Boot in 2013, became part of SPDX in version 2.1. In 2017, the FSFE launched REUSE, which provides tools to validate the comment and to efficiently extract copyright information.[23]

The SPDX license identifier is also used in a number of package managers such as npm,[24] Python,[25] and Rust cargo.[26] SPDX license expressions are used in RPM package metadata in Fedora Linux, replacing the earlier use of the Callaway system.[27] Debian uses a slightly different license specification.[28]

See also[edit]


  1. ^ Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
  2. ^ "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
  3. ^ a b c Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
  4. ^ Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
  5. ^ "SPDX Current version". spdx.dev. Retrieved 2022-11-22.
  6. ^ "SPDX and NTIA Minimum Elements for SBOM HOWTO". spdx.github.io.
  7. ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. August 30, 2012. Retrieved 2021-12-01.
  8. ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. October 22, 2013. Retrieved 2021-12-01.
  9. ^ "What's new in SPDX 2.0". LWN.net. May 20, 2015. Retrieved 2021-12-01.
  10. ^ "General Meeting/Minutes/2016-11-03". wiki.spdx.org. November 3, 2016. Retrieved 2021-12-01.
  11. ^ a b "The Linux Foundation's Open Compliance Initiative Releases New SPDX Specification". Linux Foundation. October 4, 2016. Retrieved 2021-12-01.
  12. ^ "SPDX 2.2 Specification Released". Linux Foundation. May 7, 2020. Retrieved 2021-12-01.
  13. ^ a b "ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1". iso.org. Retrieved 2021-12-01.
  14. ^ "Release v2.2.2". github.com/spdx. Retrieved 2022-06-11.
  15. ^ "Release v2.3". github.com/spdx. Retrieved 2022-11-22.
  16. ^ goneall. "Understanding SPDX Profiles – SPDX". Retrieved 2024-05-19.
  17. ^ "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. Retrieved 2021-12-01.
  18. ^ Bernard, Allen (September 9, 2021). "SPDX becomes internationally recognized standard". TechRepublic. Retrieved 2021-12-01.
  19. ^ Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  20. ^ "Joinup Licensing Assistant". Retrieved 31 March 2020.
  21. ^ Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". GNU. Retrieved 2018-05-24.
  22. ^ Jilayne Lovejoy (5 January 2018). "License List 3.0 Released!". spdx.dev. Archived from the original on 2018-01-05. Retrieved 2021-09-02.
  23. ^ "Solving License Compliance at the Source: Adding SPDX License IDs - Linux Foundation". www.linuxfoundation.org.
  24. ^ "package.json | npm Docs". docs.npmjs.com.
  25. ^ "PEP 639 – Improving License Clarity with Better Package Metadata". peps.python.org.
  26. ^ "The Manifest Format - The Cargo Book". doc.rust-lang.org.
  27. ^ "License: field in Spec File". Fedora Legal Documentation. Retrieved 30 July 2023.
  28. ^ "Machine-readable debian/copyright file". www.debian.org.

External links[edit]