Software Package Data Exchange

From Wikipedia, the free encyclopedia
SPDX logo with black letters
First publishedAugust 2011 (2011-08)
Latest version2.3
November 2022 (2022-11)
Preview version3.0 RC[1]
16 May 2023 (2023-05-16)
OrganizationLinux Foundation
CommitteeSPDX Project
DomainSoftware bill of materials

Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM).[2] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software.[3] Its original purpose was to improve license compliance,[4] and has since been expanded to facilitate additional use-cases, such as supply-chain transparency and security.[5] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 2.3.[6]


The SPDX standard defines an SBOM document, which contains SPDX metadata about software. The document itself can be expressed in multiple formats, including JSON, YAML, RDF/XML, tag-value, and spreadsheet. Each SPDX document describes one or more elements, which can be a software package, a specific file, or a snippet from a file. Each element is given a unique ID, so that they can reference each other.[7]

Version history[edit]

Specification versions
Version number Publication date Notes References
1.0 August 2011 The first release of the SPDX specification; handles packages. [4]
1.1 August 2012 Fixed a flaw in the SPDX Package Verification Code (a cryptographic hash function) and added support for free-form comments. [8]
1.2 October 2013 Improved interaction with the SPDX License List, and added new fields for documenting extra information about software projects. [9]
2.0 May 2015 Added the ability to describe multiple packages and the relationships between different packages and files. [10]
2.1 November 2016 Added support for describing 'snippets' of code and the ability to reference non-SPDX data (such as CVEs). [11][12]
2.2 May 2020 Added 'SPDX-lite' profile for minimal software bill of materials and improved support for external references. [13]
2.2.1 October 2020 Functionally equivalent to SPDX 2.2 but with typesetting for publication as an ISO standard. [14]
2.2.2 April 2022 Functionally equivalent to SPDX 2.2.1 but with spelling, grammar and other editorial improvements. [15]
2.3 November 2022 Added new fields to improve the ability to capture security related information and interoperability with other SBOM formats. [16]

The first version of the SPDX specification was intended to make compliance with software licenses easier,[4] but subsequent versions of the specification added capabilities intended for other use-cases, such as being able to contain references to known software vulnerabilities.[12] Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'.[17]

SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October, 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August, 2021.[14][18]

License syntax[edit]

Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0". Licenses can be combined by operators AND and OR, and grouping (, ).

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) or MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

There is also a "+" operator which, when applied to a license, means that future versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions if any).

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[19]

In 2020, the European Commission published its Joinup Licensing Assistant,[20] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers[edit]

The GNU family of licenses (e.g., GNU General Public License version 2) have the choice of choosing a later version of the license built in. Sometimes, it was not clear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[21] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses got new names.[22] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".


For licensing[edit]

The SPDX license identifier can be added to the top of source code files as a short string unambiguously declaring the license used. The SPDX-License-Identifier syntax, pioneered by Das U-Boot in 2013, became part of SPDX in version 2.1. In 2017, the FSFE launched REUSE, which provides tools to validate the comment and to efficiently extract copyright information.[23]

The SPDX license identifier is also used in a number of package managers such as npm,[24] Python,[25] and Rust cargo.[26] SPDX license expressions are used in RPM package metadata in Fedora Linux, replacing the earlier use of the Callaway system.[27] Debian uses a slightly different license specification.[28]

See also[edit]


  1. ^ "SPDX Announces 3.0 Release Candidate with New Use Cases". Software Package Data Exchange (SPDX). 16 May 2023.
  2. ^ Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
  3. ^ "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
  4. ^ a b c Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
  5. ^ Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
  6. ^ "SPDX Current version". Retrieved 2022-11-22.
  7. ^ "SPDX and NTIA Minimum Elements for SBOM HOWTO".
  8. ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. August 30, 2012. Retrieved 2021-12-01.
  9. ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. October 22, 2013. Retrieved 2021-12-01.
  10. ^ "What's new in SPDX 2.0". May 20, 2015. Retrieved 2021-12-01.
  11. ^ "General Meeting/Minutes/2016-11-03". November 3, 2016. Retrieved 2021-12-01.
  12. ^ a b "The Linux Foundation's Open Compliance Initiative Releases New SPDX Specification". Linux Foundation. October 4, 2016. Retrieved 2021-12-01.
  13. ^ "SPDX 2.2 Specification Released". Linux Foundation. May 7, 2020. Retrieved 2021-12-01.
  14. ^ a b "ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1". Retrieved 2021-12-01.
  15. ^ "Release v2.2.2". Retrieved 2022-06-11.
  16. ^ "Release v2.3". Retrieved 2022-11-22.
  17. ^ "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. Retrieved 2021-12-01.
  18. ^ Bernard, Allen (September 9, 2021). "SPDX becomes internationally recognized standard". TechRepublic. Retrieved 2021-12-01.
  19. ^ Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  20. ^ "Joinup Licensing Assistant". Retrieved 31 March 2020.
  21. ^ Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". Retrieved 2018-05-24.
  22. ^ Jilayne Lovejoy (5 January 2018). "License List 3.0 Released!". Archived from the original on 2018-01-05. Retrieved 2021-09-02.
  23. ^ "Solving License Compliance at the Source: Adding SPDX License IDs - Linux Foundation".
  24. ^ "package.json | npm Docs".
  25. ^ "PEP 639 – Improving License Clarity with Better Package Metadata |".
  26. ^ "The Manifest Format - The Cargo Book".
  27. ^ "License: field in Spec File". Fedora Legal Documentation. Retrieved 30 July 2023.
  28. ^ "Machine-readable debian/copyright file".

External links[edit]