SPDX

Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM). SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software. Its original purpose was to improve license compliance, and it has since been expanded to facilitate additional use-cases, such as supply-chain transparency and security. SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation. The current version of the standard is 2.3.


Version history

The first version of the SPDX specification was intended to make compliance with software licenses easier, but subsequent versions of the specification added capabilities intended for other use-cases, such as the ability to contain references to known software vulnerabilities. Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'. SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August 2021.


License syntax

Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0". Licenses can be combined with the operators AND and OR, and grouped with parentheses. For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (the Apache License) or MIT (the MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply. There is also a "+" operator which, when applied to a license, means that future versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions, if any). SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with terms similar to the BSD License as "BSD-like". In 2020, the European Commission published its Joinup Licensing Assistant, which allows the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.


Deprecated license identifiers

The GNU family of licenses (e.g., GNU General Public License version 2) have a built-in option to choose a later version of the license. It was therefore sometimes unclear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version". Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has been given new identifiers: GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".


See also

* License proliferation


External links

* SPDX on the ISO website
* Linux Foundation Open Compliance Program
* Nathan Willis, A SPDX case study, LWN.net