Software Package Data Exchange

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
SPDX logo with black letters

Software Package Data Exchange (SPDX)[1] is a file format used to document information on the software licenses under which a given piece of computer software is distributed. SPDX is authored by the SPDX Working Group, which represents more than twenty different organizations, under the auspices of the Linux Foundation.[2]

SPDX attempts to standardize the way in which organizations publish their metadata on software licenses and components in bills of material.[3]

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[1]

The current version of the standard is 2.2.[4]

Version history[edit]

The current version of the standard is 2.2 and was ratified in May 2020.[5]

The version 2.1 was ratified in November 2016.[6]

License syntax[edit]

Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0". Licenses can be combined by operators AND and OR, and grouping (, ).

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) or MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

The GNU family of licenses (e.g., GNU General Public License 2.0) have the choice of choosing a later version of the license built in. Sometimes, it was not clear, whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[7] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses get new names.[8] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later "GPL version 2.0 or any later version".

In 2020, the European Commission publishes its Joinup Licensing Assistant,[9] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated syntax[edit]

Starting version 2.0, it is no longer valid to use the + operator in a license identifier.[10] By removing this syntax, it left an undefined state for licenses accepting the current version and those after it, such as the GPL.[11] It was valid to use GPL-3.0-or-later, but it wasn't explicitly written in the specifications. This was fixed later with version 2.2.[12]

See also[edit]


  1. ^ a b Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  2. ^ Stewart, Kate; Odence, Phil; Rockett, Esteban. "Software Package Data Exchange (SPDX™) Specification". International Free and Open Source Software Law Review. 2 (2). doi:10.5033/ifosslr.v2i2.45 (inactive 2021-01-10).CS1 maint: DOI inactive as of January 2021 (link)
  3. ^ Vaughan-Nichols, Steven (August 10, 2010). "Linux Foundation launches major open-source license compliance program". Computerworld. Retrieved 2012-08-31.
  4. ^ "SPDX Current version". Retrieved 2020-08-13.
  5. ^ "General Meeting/Minutes/2020-05-07 - SPDX Wiki". Retrieved 2020-08-13.
  6. ^ "General Meeting/Minutes/2016-11-03 - SPDX Wiki".
  7. ^ Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". Retrieved 2018-05-24.
  8. ^ Jilayne Lovejoy. "License List 3.0 Released!". Retrieved 2018-05-24.
  9. ^ "Joinup Licensing Assistant". Retrieved 31 March 2020.
  10. ^ "Section I.3 Deprecated Licenses (page 77)" (PDF). Retrieved 2020-08-13.
  11. ^ "Section I.1 Licenses with Short Form Identifiers (page 70)" (PDF). Retrieved 2020-08-13.
  12. ^ "Section I.1 Licenses with Short Identifiers". Retrieved 2020-08-13.

External links[edit]