Software Package Data Exchange#License syntax
{{Short description|Open standard for software bill of materials}}
{{About|the standard for describing software bills of materials|the communications protocol|SPDY}}
{{Infobox technology standard
| title =
| long_name =
| image = File:SPDX 2023 logo.svg
| image_size =
| alt =
| caption =
| abbreviation = SPDX
| status = Published
| year_started =
| first_published = {{Start date|2011|08|df=y}}
| version = 3.0
| version_date = {{Start date|2024|4|df=y}}
| organization = Linux Foundation
| committee = SPDX Project
| series =
| editors =
| authors =
| base_standards =
| related_standards =
| predecessor =
| successor =
| domain = Software bill of materials
| license = CC-BY-3.0
| website = {{URL|https://spdx.dev}}
}}
System Package Data Exchange (SPDX, formerly Software Package Data Exchange) is an open standard capable of representing systems with digital components as bills of materials (BOMs).{{ cite web | last = Stewart | first = Kate | url = https://www.linuxfoundation.org/blog/spdx-its-already-in-use-for-global-software-bill-of-materials-sbom-and-supply-chain-security/ | title = SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security | publisher = Linux Foundation | date = May 25, 2021 | access-date = 2021-08-13 }} First designed to describe software components, SPDX can describe the components of software systems, AI models, software builds, security data, and other data packages. SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to systems.{{ cite web | url = https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf#page9 | title = Survey of Existing SBOM Formats and Standards | publisher = National Telecommunications and Information Administration | date = October 25, 2019 | page = 9 | access-date = 2021-08-13}}
The original purpose of SPDX was to improve license compliance,{{cite web | last = Bridgwater | first = Adrian | url = https://www.computerweekly.com/blog/Open-Source-Insider/Linux-Foundation-eases-open-source-licensing-woes |work=Open Source Insider | title = Linux Foundation eases open source licensing woes | publisher = Computer Weekly | date = August 19, 2011 | access-date = 2021-08-13 |url-status=dead |archive-url=https://web.archive.org/web/20210820144000/https://www.computerweekly.com/blog/Open-Source-Insider/Linux-Foundation-eases-open-source-licensing-woes |archive-date= Aug 20, 2021 }} and it has since been expanded to facilitate additional use cases such as supply-chain transparency and security.{{ cite web | last = Rushgrove | first = Gareth | url = https://snyk.io/blog/advancing-sbom-standards-snyk-spdx/ |website=Snyk | title = Advancing SBOM standards: Snyk and SPDX | date = June 16, 2021 | access-date = 2021-08-14}} SPDX is authored by the community-driven SPDX Project involving key industry experts, organizations, and open-source enthusiasts under the auspices of the Linux Foundation.
The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts, published as ISO/IEC 5962:2021. The current{{when?|date=May 2025}} version of the standard is 3.0.{{cite web|url=https://spdx.dev/specifications/#current-version|title=Specifications - Current version|website=SPDX |access-date=2022-11-22}}
Structure
= Version 2.x =
The SPDX 2.x standard defines an SBOM document, which contains SPDX metadata about software. The document itself can be expressed in multiple formats, including JSON, YAML, RDF/XML, tag–value, and spreadsheet. Each SPDX document describes one or more elements, which can be a software package, a specific file, or a snippet from a file. Each element is given a unique identifier, and metadata for an element can refer to other elements.{{cite web |title=SPDX and NTIA Minimum Elements for SBOM HOWTO |url=https://spdx.github.io/spdx-ntia-sbom-howto/#_4_creating_an_ntia_minimum_elements_spdx_sbom |first1=Steve |last1=Winslow |date=2023-04-06 |website=spdx.github.io}}
= Version 3.0 =
SPDX 3.0 allows users to communicate information at a much more granular level without having to package it as "envelope" data. A key design principle in SPDX 3.0 is that every element may be expressed and referenced independently of any other element. This independence is required to support a variety of content exchange and analysis use cases, and it makes it easier to communicate single elements of interest. The relationship structure has also been updated to be both more expressive and easier to understand than in older versions of the specification.
The SPDX 3.0 data model is based on the Resource Description Framework (RDF). Data may be serialized in a variety of formats for storage and transmission, including formats defined in RDF 1.1 such as JSON-LD, Turtle (Terse RDF Triple Language), N-Triples, and RDF/XML.
== SPDX 3.0 Profiles ==
The 3.0 specification introduced profiles to support the expansion of use cases beyond software, without increasing overall complexity. Profiles allow users to define data for the use cases they need, while also increasing the amount of information that can be gathered directly from the SPDX data. There are eight profiles defined by SPDX 3.0:
- Core: foundational concepts common to all profiles
- Software: concepts related to software artifacts
- Security: security-related metadata specific to a piece of software
- Build: information required to describe an instance of a software build
- AI: concepts and data elements related to an AI system and model
- Dataset: concepts related to a dataset, including preparation process, characteristics, and access methods
- Licensing: license information necessary for compliance with typical licensing use cases
- Lite: a subset of the SPDX specification intended to balance the full standard against the actual workflows of some industries
Version history
{{clear}}
The first version of the SPDX specification was intended to make compliance with software licenses easier, but subsequent versions of the specification added capabilities intended for other use cases, such as the ability to contain references to known software vulnerabilities. Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'.{{cite web|url=https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf|title=The Minimum Elements For a Software Bill of Materials (SBOM)|publisher=National Telecommunications and Information Administration|access-date=2021-12-01}}
SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October, 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August, 2021.{{cite web|url=https://www.techrepublic.com/article/spdx-becomes-internationally-recognized-standard|title=SPDX becomes internationally recognized standard|last=Bernard|first=Allen|date=September 9, 2021|access-date=2021-12-01|publisher=TechRepublic}}
SPDX-License-Identifier
= Syntax =
Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0".
Licenses can be combined with the operators {{code|AND}} and {{code|OR}}, and grouped with parentheses, {{code|(}} and {{code|)}}. For example, {{code|(Apache-2.0 OR MIT)}} means that one can choose between {{code|Apache-2.0}} (Apache License) and {{code|MIT}} (MIT license). On the other hand, {{code|(Apache-2.0 AND MIT)}} means that both licenses apply.
There is also a {{code|+}} operator which, when applied to a license, means that future versions of the license apply as well. For example, {{code|Apache-1.1+}} means that {{code|Apache-1.1}} and {{code|Apache-2.0}} may apply (and future versions, if any).
SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".{{cite news | last = Odence | first = Phil | url = http://www.drdobbs.com/open-source/225701230;jsessionid=E4LFI1U1ELYDTQE1GHPCKH4ATMY32JVN | title = The Software Package Data Exchange (SPDX) Format | newspaper = Dr Dobb's | date = 2010-06-23 | access-date = 2012-08-31 }}
In 2020, the European Commission published its Joinup Licensing Assistant,{{cite web|url=https://joinup.ec.europa.eu/solution/joinup-licensing-assistant/joinup-licensing-assistant-jla|title=Joinup Licensing Assistant|access-date=31 March 2020}} which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.
= Deprecated license identifiers =
The GNU family of licenses (e.g., GNU General Public License version 2) has a built-in option to apply a later version of the license. Sometimes it was not clear whether the SPDX expression {{code|GPL-2.0}} meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".{{cite web|url=https://www.gnu.org/licenses/identify-licenses-clearly.html|title=For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!|author=Richard Stallman|website=GNU |access-date = 2018-05-24}} Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has new names.{{cite web|url=https://spdx.dev/license-list-3-0-released/|title=License List 3.0 Released!|website=spdx.dev|author=Jilayne Lovejoy|date=5 January 2018|access-date=2021-09-02|archive-url=https://web.archive.org/web/20180105185059/https://spdx.org/news/news/2018/01/license-list-30-released|archive-date=2018-01-05|url-status=live}} {{code|GPL-2.0-only}} means "exactly version 2.0" and {{code|GPL-2.0-or-later}} means "version 2.0 or any later version".
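The following is an added example, not code from the article or from the SPDX project, that puts the syntax section and the deprecated-identifier section above into practice: it parses an expression with the {{code|AND}}, {{code|OR}}, parentheses and {{code|+}} operators (AND binding tighter than OR), rewrites the pre-3.0 GNU identifiers to their {{code|-only}} / {{code|-or-later}} names, and checks whether an expression can be satisfied by an allow-list of licenses, as a compliance policy check would. Assumptions: the {{code|DEPRECATED}} table is a constructed subset of the License List, {{code|WITH}} exceptions and {{code|LicenseRef-}} ids are not handled, and {{code|-or-later}} names are matched literally against the allow-list.

```python
import re
# Pre-3.0 GNU-family identifiers (a constructed subset) mapped to their unambiguous
# replacements; the resulting -or-later names are then matched literally by satisfied().
DEPRECATED = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
              "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later"}
TOKEN = re.compile(r"\(|\)|AND\b|OR\b|[A-Za-z0-9.\-]+\+?")

def parse(expr):
    """Parse to a license id or a nested ('AND'|'OR', left, right) tuple; AND binds tighter than OR."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):  # reject characters outside the grammar
        raise ValueError(f"unexpected characters in {expr!r}")
    def primary():  # primary := license-id ['+'] | '(' or_expr ')'
        tok = tokens.pop(0) if tokens else None
        if tok == "(":
            node = or_expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return DEPRECATED.get(tok, tok)  # GPL-2.0 -> GPL-2.0-only, GPL-2.0+ -> GPL-2.0-or-later

    def chain(op, operand):  # left-associative `operand (op operand)*`
        node = operand()
        while tokens and tokens[0] == op:
            tokens.pop(0)
            node = (op, node, operand())
        return node

    def or_expr():  # or_expr := and_expr ('OR' and_expr)*;  and_expr := primary ('AND' primary)*
        return chain("OR", lambda: chain("AND", primary))
    node = or_expr()
    if tokens:
        raise ValueError(f"trailing token {tokens[0]!r}")
    return node

def _version(lid):  # 'Apache-2.0' -> ('Apache', (2, 0)); ids without a numeric version -> (lid, ())
    name, _, ver = lid.rpartition("-")
    return (name, tuple(int(p) for p in ver.split("."))) if ver.replace(".", "").isdigit() else (lid, ())

def satisfied(node, accepted):
    """True if the expression can be met with licenses in `accepted`; '+' accepts equal or later versions."""
    if isinstance(node, tuple):
        op, *operands = node
        return (all if op == "AND" else any)(satisfied(n, accepted) for n in operands)
    if node.endswith("+"):
        name, ver = _version(node[:-1])
        return any(n == name and v >= ver for n, v in map(_version, accepted))
    return node in accepted
```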
Adoption
= For licensing =
The SPDX license identifier can be added to the top of source code files as a short string unambiguously declaring the license used. The {{code|SPDX-License-Identifier}} syntax, pioneered by Das U-Boot in 2013, became part of SPDX in version 2.1. In 2017, the FSFE launched REUSE, which provides tools to validate the comment and to efficiently extract copyright information.{{cite web |title=Solving License Compliance at the Source: Adding SPDX License IDs - Linux Foundation |url=https://www.linuxfoundation.org/blog/blog/solving-license-compliance-at-the-source-adding-spdx-license-ids |website=www.linuxfoundation.org |language=en}}
The SPDX license identifier is also used in a number of package managers such as npm,{{cite web |title=package.json {{!}} npm Docs |url=https://docs.npmjs.com/cli/v8/configuring-npm/package-json#license |website=docs.npmjs.com |language=en}} Python,{{cite web |title=PEP 639 – Improving License Clarity with Better Package Metadata |url=https://peps.python.org/pep-0639/ |website=peps.python.org}} and Rust cargo.{{cite web |title=The Manifest Format - The Cargo Book |url=https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields |website=doc.rust-lang.org}} SPDX license expressions are used in RPM package metadata in Fedora Linux, replacing the earlier use of the Callaway system.{{cite web |title=License: field in Spec File |url=https://docs.fedoraproject.org/en-US/legal/license-field/ |website=Fedora Legal Documentation |access-date=30 July 2023}} Debian uses a slightly different license specification.{{cite web |title=Machine-readable debian/copyright file |url=https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ |website=www.debian.org}}
See also
References
{{reflist}}
External links
- {{Official website|https://spdx.dev}}
- {{GitHub|SPDX}}
- Nathan Willis: [https://lwn.net/Articles/568286/ A SPDX case study] LWN.net
{{FLOSS}}
{{Linux}}
{{Linux Foundation}}