
Software Package Data Exchange

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Senator2029 (talk | contribs) at 18:47, 5 November 2021 (Deprecated license identifiers: wikilinks).

Software Package Data Exchange (SPDX) is an open standard for software bills of materials (SBOM).[1] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software.[2] Its original purpose was to improve license compliance,[3] and it has since been expanded to facilitate additional use cases, such as supply-chain transparency and security.[4] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 2.2.[5]

Version history

Version 2.2, the current version of the standard, was ratified in May 2020.[6]

Version 2.1 was ratified in November 2016.[7]

Since August 2021, SPDX has been an ISO standard: ISO/IEC 5962:2021, Information technology — SPDX® Specification V2.2.1.

License syntax

Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0". Licenses can be combined with the operators AND and OR, and grouped with parentheses.

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) and MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

There is also a "+" operator which, when applied to a license, means that later versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 or Apache-2.0 may apply (and any future versions, if any).

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with terms similar to the BSD License as "BSD-like".[8]

In 2020, the European Commission published its Joinup Licensing Assistant,[9] which makes it possible to select and compare more than 50 licenses, with access to their SPDX identifiers and full text.

Deprecated license identifiers

The GNU family of licenses (e.g., GNU General Public License version 2) has a built-in option to choose a later version of the license. It was sometimes unclear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[10] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has new names:[11] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".
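The license syntax above (AND, OR, parentheses and "+") and the deprecated GNU identifiers can be handled together by a small parser. The following Python is an added example, not code from the article or from the SPDX Project: it parses an expression with the precedence given in the SPDX specification (AND binds tighter than OR), rewrites the deprecated GPL identifiers to their "-only"/"-or-later" forms, and checks whether the expression can be satisfied by an allowlist of licenses. The allowlist and the `permitted` policy are assumptions for illustration; it also goes beyond the article's examples by handling arbitrarily nested grouping.

```python
import re

# Constructed allowlist for this example; a real policy would come from the organisation.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-or-later"}
# Deprecated GNU identifiers (SPDX License List 3.0) and their unambiguous replacements.
DEPRECATED = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
              "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later"}

def parse(expr):
    """Recursive-descent parser; AND binds tighter than OR, as in the SPDX spec.
    Returns a tree of ("LIC", id), ("AND", l, r) and ("OR", l, r) tuples."""
    toks = re.findall(r"\(|\)|[^\s()]+", expr) + [None]   # None marks end of input
    def parse_or():
        left = parse_and()
        while toks[0] == "OR":
            toks.pop(0); left = ("OR", left, parse_and())
        return left
    def parse_and():
        left = parse_atom()
        while toks[0] == "AND":
            toks.pop(0); left = ("AND", left, parse_atom())
        return left
    def parse_atom():
        tok = toks.pop(0)
        if tok == "(":
            node = parse_or()
            if toks.pop(0) != ")": raise ValueError("missing ')'")
            return node
        # a license atom is a short identifier with an optional trailing "+"
        if tok in (None, ")", "AND", "OR") or not re.fullmatch(r"[A-Za-z0-9.\-]+\+?", tok):
            raise ValueError(f"unexpected {tok!r}")
        return ("LIC", DEPRECATED.get(tok, tok))   # rewrite deprecated identifiers
    tree = parse_or()
    if toks[0] is not None: raise ValueError(f"trailing {toks[0]!r}")
    return tree

def render(node):
    if node[0] == "LIC": return node[1]
    return f"({render(node[1])} {node[0]} {render(node[2])})"

def _name_version(lic):
    """'Apache-1.1+' -> ('Apache', (1, 1)); a non-numeric suffix yields an empty version."""
    name, _, ver = lic.rstrip("+").rpartition("-")
    return name, (tuple(int(p) for p in ver.split(".")) if re.fullmatch(r"\d+(\.\d+)*", ver) else ())

def permitted(node, allowed=ALLOWED):
    """OR needs either branch, AND needs both, 'X-n+' accepts any allowed X version >= n."""
    if node[0] == "OR": return permitted(node[1], allowed) or permitted(node[2], allowed)
    if node[0] == "AND": return permitted(node[1], allowed) and permitted(node[2], allowed)
    if not node[1].endswith("+"): return node[1] in allowed
    name, ver = _name_version(node[1])
    return any(n == name and v >= ver for n, v in map(_name_version, allowed))
```

Note that the bare `GPL-2.0` is normalised to `GPL-2.0-only`, so it no longer matches an allowlist that contains only `GPL-2.0-or-later`; this is exactly the ambiguity the renaming was meant to remove.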

References

  1. Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
  2. "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
  3. Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
  4. Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
  5. "SPDX Current version". spdx.dev. Retrieved 2020-08-13.
  6. "General Meeting/Minutes/2020-05-07 - SPDX Wiki". wiki.spdx.org. Retrieved 2020-08-13.
  7. "General Meeting/Minutes/2016-11-03 - SPDX Wiki". wiki.spdx.org.
  8. Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  9. "Joinup Licensing Assistant". Retrieved 2020-03-31.
  10. Stallman, Richard. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". gnu.org. Retrieved 2018-05-24.
  11. Lovejoy, Jilayne (2018-01-05). "License List 3.0 Released!". spdx.dev. Archived from the original on 2018-01-05. Retrieved 2021-09-02.