User:Seabass-labrax/Software Package Data Exchange

For networking protocol, see SPDY.

SPDX logo with black letters

Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM).^[1] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software.^[2] Its original purpose was to improve license compliance,^[3] and has since been expanded to facilitate additional use-cases, such as supply-chain transparency and security.^[4] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 2.2.^[5]

Version history

The current version of the standard is 2.2 and was ratified in May 2020.^[6]

The version 2.1 was ratified in November 2016.^[7]

License syntax

Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0". Licenses can be combined by operators AND and OR, and grouping (, ).

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) or MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

There is also a "+" operator, when applied to a license, means that future versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions if any).

In 2020, the European Commission publishes its Joinup Licensing Assistant,^[8] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers

The GNU family of licenses (e.g., GNU General Public License 2.0) have the choice of choosing a later version of the license built in. Sometimes, it was not clear, whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".^[9] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses got new names.^[10] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".

See also

• License proliferation

References

1. Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
2. "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
3. Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
4. Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
5. "SPDX Current version". spdx.dev. Retrieved 2020-08-13.
6. "General Meeting/Minutes/2020-05-07 - SPDX Wiki". wiki.spdx.org. Retrieved 2020-08-13.
7. "General Meeting/Minutes/2016-11-03 - SPDX Wiki". wiki.spdx.org.
8. "Joinup Licensing Assistant". Retrieved 31 March 2020.
9. Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". www.gnu.org. Retrieved 2018-05-24.
10. Jilayne Lovejoy. "License List 3.0 Released!". spdx.org. Retrieved 2018-05-24.

External links

• Official website
• Linux Foundation Open Compliance Program
• Nathan Willis: A SPDX case study LWN.net

v t e Free and open-source software
General	Alternative terms for free software Comparison of open-source and closed-source software Comparison of source-code-hosting facilities Free software Free software project directories Gratis versus libre Long-term support Open-source software Open-source software development Outline Timeline
Software packages	Audio Bioinformatics Codecs Configuration management Drivers Graphics Wireless Health Mathematics Office suites Operating systems Routing Television Video games Web applications E-commerce Android apps iOS apps Commercial Formerly proprietary Formerly open-source
Community	Free software movement History Open-source-software movement Events Advocacy
Organisations	Free Software Movement of India Free Software Foundation
Licenses	AFL Apache APSL Artistic Beerware BSD Creative Commons CDDL EPL Free Software Foundation GNU GPL GNU AGPL GNU LGPL ISC MIT MPL Python Python Software Foundation License Shared Source Initiative Sleepycat Unlicense WTFPL zlib Types and standards Comparison of licenses Contributor License Agreement Copyleft Debian Free Software Guidelines Definition of Free Cultural Works Free license The Free Software Definition The Open Source Definition Open-source license Permissive software license Public domain Viral license
Challenges	Digital rights management License proliferation Mozilla software rebranding Proprietary device drivers Proprietary firmware Proprietary software SCO/Linux controversies Software patents Software security Trusted Computing
Related topics	Forking GNU Manifesto Microsoft Open Specification Promise Open-core model Open-source hardware Shared Source Initiative Source-available software The Cathedral and the Bazaar Revolution OS
Portal   Category

v t e Linux
Linux kernel	History Linus's law Linux-libre Booting process Kernel oops Tux more…
Controversies	Criticism of Linux Criticism of desktop Linux GNU/Linux naming controversy Tanenbaum–Torvalds debate SCO and Linux
Distributions	General comparison Distributions list Netbook-specific comparison Distributions that run from RAM Lightweight Security-focused operating system Package manager Package format List of software package managers
Organizations	LinuxChix Linux Counter Linux Documentation Project Linux Foundation Linux Mark Institute Linux User Group (LUG)
Adoption	Adopters Desktop Embedded Gaming Mobile Range of use Linux malware
Media	DistroWatch Free Software Magazine Full Circle Linux.com Linux Format Linux Gazette Linux Journal Linux Magazine LinuxUser Ubuntu User Linux Outlaws Linux Voice LugRadio LWN.net Phoronix Revolution OS The Code
Professional related certifications	CompTIA Linux+ Linux Foundation Red Hat Ubuntu
Linux portal   Free and open-source software portal   Category

Category:Computer standards Category:Linux Foundation projects