Software Package Data Exchange

Software Package Data Exchange (SPDX)[1] is a file format used to document information on the software licenses under which a given piece of computer software is distributed. SPDX is authored by the SPDX Working Group, which represents more than twenty different organizations, under the auspices of the Linux Foundation.[2]


SPDX attempts to standardize the way in which organizations publish their metadata on software licenses and components in bills of material.[3]

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[1]

The current version of the standard is 2.2.[4]

Version history

The current version of the standard is 2.2 and was ratified in May 2020.[5]

Version 2.1 was ratified in November 2016.[6]

License syntax

Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0". Licenses can be combined with the operators AND and OR, and grouped with parentheses ( and ).

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) and MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

The GNU family of licenses (e.g., GNU General Public License 2.0) has a built-in option to choose a later version of the license. It was sometimes unclear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[7] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has new names.[8] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "GPL version 2.0 or any later version".

In 2020, the European Commission published its Joinup Licensing Assistant,[9] which allows the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated syntax

Starting with version 2.0, it is no longer valid to use the + operator in a license identifier.[10] Removing this syntax left an undefined state for licenses that accept the current version and any later version, such as the GPL.[11] It was valid to use GPL-3.0-or-later, but this was not explicitly written in the specification. This was fixed later in version 2.2.[12]
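The syntax described in the two sections above can be checked mechanically, for instance when reviewing the license fields of third-party dependencies. The following Python sketch is an added example, not code from the SPDX project or from the sources cited here: the function names and the ALLOWED policy set are assumptions, it covers only the AND, OR and parenthesis syntax named above, and the rule that AND binds tighter than OR comes from the SPDX specification rather than from this article.

```python
import re

# Simplification: bare GPL/LGPL/AGPL ids lacking an -only / -or-later suffix.
AMBIGUOUS_GNU = re.compile(r"^[AL]?GPL-\d+(\.\d+)?$")
ALLOWED = {"Apache-2.0", "MIT"}  # constructed policy, for illustration only

def tokenize(expr):
    if not re.fullmatch(r"[A-Za-z0-9.+() \t-]*", expr):
        raise ValueError("unexpected character in expression")
    return re.findall(r"[()]|[A-Za-z0-9.+-]+", expr)

def parse(expr):
    """Return ("id", name), ("AND", left, right) or ("OR", left, right)."""
    tokens = tokenize(expr)
    def atom():
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            node = level("OR")
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("id", tok)
    def level(op):  # AND binds tighter than OR in the SPDX specification
        operand = atom if op == "AND" else (lambda: level("AND"))
        node = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, operand())
        return node
    tree = level("OR")
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return tree

def ids(tree):
    return [tree[1]] if tree[0] == "id" else ids(tree[1]) + ids(tree[2])

def deprecated(expr):
    """Identifiers that should be rewritten as -only or -or-later."""
    return [i for i in ids(parse(expr)) if i.endswith("+") or AMBIGUOUS_GNU.match(i)]

def permitted(tree, allowed=ALLOWED):
    """OR: one allowed branch is enough. AND: every branch must be allowed."""
    if tree[0] == "id":
        return tree[1] in allowed
    results = [permitted(branch, allowed) for branch in tree[1:]]
    return any(results) if tree[0] == "OR" else all(results)
```

Malformed input raises ValueError instead of being silently accepted, so a policy check built on parse() fails closed.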



  1. Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  2. Stewart, Kate; Odence, Phil; Rockett, Esteban. "Software Package Data Exchange (SPDX™) Specification". International Free and Open Source Software Law Review. 2 (2). doi:10.5033/ifosslr.v2i2.45 (inactive 2021-01-10).
  3. Vaughan-Nichols, Steven (August 10, 2010). "Linux Foundation launches major open-source license compliance program". Computerworld. Retrieved 2012-08-31.
  4. "SPDX Current version". Retrieved 2020-08-13.
  5. "General Meeting/Minutes/2020-05-07 - SPDX Wiki". Retrieved 2020-08-13.
  6. "General Meeting/Minutes/2016-11-03 - SPDX Wiki".
  7. Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". Retrieved 2018-05-24.
  8. Jilayne Lovejoy. "License List 3.0 Released!". Retrieved 2018-05-24.
  9. "Joinup Licensing Assistant". Retrieved 31 March 2020.
  10. "Section I.3 Deprecated Licenses (page 77)" (PDF). Retrieved 2020-08-13.
  11. "Section I.1 Licenses with Short Form Identifiers (page 70)" (PDF). Retrieved 2020-08-13.
  12. "Section I.1 Licenses with Short Identifiers". Retrieved 2020-08-13.
