Software Package Data Exchange

Abbreviation: SPDX
Status: Published
First published: August 2011
Latest version: 2.3 (November 2022)
Preview version: 3.0 RC (16 May 2023) [1]
Organization: Linux Foundation
Committee: SPDX Project
Domain: Software bill of materials
License: CC-BY-3.0
Website: spdx.dev

Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM). [2] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software. [3] It was originally created to improve license compliance, [4] and has since been expanded to support additional use-cases, such as supply-chain transparency and security. [5] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.


The current version of the standard is 2.3. [6]

Structure

The SPDX standard defines an SBOM document, which contains SPDX metadata about software. The document itself can be expressed in multiple formats, including JSON, YAML, RDF/XML, tag-value, and spreadsheet. Each SPDX document describes one or more elements, which can be a software package, a specific file, or a snippet from a file. Each element is given a unique ID so that elements can reference each other. [7]
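Because elements reference each other only by SPDXID, a relationship whose endpoint is never defined silently drops part of the dependency graph (a DEPENDS_ON target that a vulnerability scanner will never see). The following check is an added example, not code from the SPDX project; the document it inspects is a constructed minimal SPDX 2.3 JSON serialization using the standard field names (SPDXID, packages, files, relationships, externalDocumentRefs).

```python
import json

# Constructed minimal SPDX 2.3 document (JSON serialization); not from any real project.
# The last relationship points at an SPDXID that no element in the document defines.
SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-sbom",
    "creationInfo": {"created": "2023-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [{"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo",
                  "versionInfo": "1.2.3", "downloadLocation": "NOASSERTION",
                  "licenseConcluded": "MIT"}],
    "files": [{"fileName": "./src/foo.c", "SPDXID": "SPDXRef-File-foo-c",
               "licenseConcluded": "MIT"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
        {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-foo-c"},
        {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libbar"},   # dangling: never defined
    ],
})

def element_ids(doc):
    """SPDXIDs defined in the document itself: the document plus every element."""
    ids = {doc["SPDXID"]}
    for key in ("packages", "files", "snippets"):
        ids.update(e["SPDXID"] for e in doc.get(key, []))
    return ids

def dangling_references(text):
    """Relationship endpoints that resolve to nothing, as (relationshipType, ref)."""
    doc = json.loads(text)
    ids = element_ids(doc)
    # References into other documents use the DocumentRef-x:SPDXRef-y form and must
    # name an externalDocumentId declared in externalDocumentRefs.
    ext = {r["externalDocumentId"] for r in doc.get("externalDocumentRefs", [])}
    bad = []
    for rel in doc.get("relationships", []):
        for ref in (rel["spdxElementId"], rel["relatedSpdxElement"]):
            if ref in ("NONE", "NOASSERTION"):      # placeholders the spec permits
                continue
            if ":" in ref:
                if ref.split(":", 1)[0] in ext:
                    continue
            elif ref in ids:
                continue
            bad.append((rel["relationshipType"], ref))
    return bad
```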

Version history

Specification versions
1.0 (August 2011): The first release of the SPDX specification; handles packages. [4]
1.1 (August 2012): Fixed a flaw in the SPDX Package Verification Code (a cryptographic hash function) and added support for free-form comments. [8]
1.2 (October 2013): Improved interaction with the SPDX License List, and added new fields for documenting extra information about software projects. [9]
2.0 (May 2015): Added the ability to describe multiple packages and the relationships between different packages and files. [10]
2.1 (November 2016): Added support for describing 'snippets' of code and the ability to reference non-SPDX data (such as CVEs). [11] [12]
2.2 (May 2020): Added the 'SPDX-lite' profile for minimal software bills of materials and improved support for external references. [13]
2.2.1 (October 2020): Functionally equivalent to SPDX 2.2 but with typesetting for publication as an ISO standard. [14]
2.2.2 (April 2022): Functionally equivalent to SPDX 2.2.1 but with spelling, grammar and other editorial improvements. [15]
2.3 (November 2022): Added new fields to improve the ability to capture security-related information and interoperability with other SBOM formats. [16]

The first version of the SPDX specification was intended to make compliance with software licenses easier, [4] but subsequent versions of the specification added capabilities intended for other use-cases, such as being able to contain references to known software vulnerabilities. [12] Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'. [17]

SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August 2021. [14] [18]

License syntax

Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0". Licenses can be combined with the operators AND and OR, and grouped with parentheses.

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (Apache License) and MIT (MIT license). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

There is also a "+" operator which, when appended to a license identifier, means that later versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions, if any).

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like". [19]

In 2020, the European Commission published its Joinup Licensing Assistant, [20] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers

The GNU family of licenses (e.g., GNU General Public License version 2) includes a built-in option to choose a later version of the license. As a result, it was sometimes unclear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version". [21] Since version 3.0 of the SPDX License List, the GNU family of licenses has therefore been given new identifiers: [22] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".
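A supply-chain policy check has to parse the expression grammar described above (AND, OR, parentheses, the "+" suffix) rather than string-match it, and should flag the ambiguous pre-3.0 GPL identifiers from the previous paragraph. The parser and allowlist check below are an added example, not code from the SPDX project; the DEPRECATED table is deliberately partial, and a "Foo+" term is treated as satisfied by Foo itself, the oldest version it offers.

```python
import re

# GPL-family identifiers deprecated by License List 3.0 as ambiguous (partial table).
DEPRECATED = {"GPL-2.0": ("GPL-2.0-only", "GPL-2.0-or-later"),
              "GPL-3.0": ("GPL-3.0-only", "GPL-3.0-or-later")}

def parse(expr):
    """Recursive-descent parser. AND binds tighter than OR, as in SPDX. Returns
    ("LIC", id, or_later) leaves and ("AND" | "OR", [subtrees]) nodes."""
    toks = re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):    # reject stray characters
        raise ValueError(f"unexpected characters in {expr!r}")
    toks.append(None)                                 # end-of-input marker
    pos = [0]

    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def primary():                                    # '(' expr ')' | IDENT['+']
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"expected a license identifier, got {tok!r}")
        return ("LIC", tok.rstrip("+"), tok.endswith("+"))

    def chain(op, sub):                               # sub (op sub)*
        parts = [sub()]
        while toks[pos[0]] == op:
            take()
            parts.append(sub())
        return parts[0] if len(parts) == 1 else (op, parts)

    or_expr = lambda: chain("OR", lambda: chain("AND", primary))
    tree = or_expr()
    if toks[pos[0]] is not None:
        raise ValueError(f"trailing token {toks[pos[0]]!r}")
    return tree

def licenses(tree):
    """Identifiers used in the tree, with any '+' stripped."""
    return {tree[1]} if tree[0] == "LIC" else set().union(*map(licenses, tree[1]))

def satisfiable(tree, allowlist):
    """Can a consumer comply using only allowlisted licenses? 'Foo+' is met by Foo."""
    if tree[0] == "LIC":
        return tree[1] in allowlist
    combine = all if tree[0] == "AND" else any
    return combine(satisfiable(t, allowlist) for t in tree[1])

def check(expr, allowlist):
    tree = parse(expr)
    return {"allowed": satisfiable(tree, allowlist),
            "deprecated": sorted(i for i in licenses(tree) if i in DEPRECATED)}
```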

Adoption

For licensing

The SPDX license identifier can be added to the top of source code files as a short string that unambiguously declares the license used. The SPDX-License-Identifier syntax, pioneered by Das U-Boot in 2013, became part of SPDX in version 2.1. In 2017, the FSFE launched REUSE, which provides tools to validate these comments and to efficiently extract copyright information. [23]

The SPDX license identifier is also used in a number of package managers such as npm, [24] Python, [25] and Rust cargo. [26] SPDX license expressions are used in RPM package metadata in Fedora Linux, replacing the earlier use of the Callaway system. [27] Debian uses a slightly different license specification. [28]

References

  1. "SPDX Announces 3.0 Release Candidate with New Use Cases". Software Package Data Exchange (SPDX). 16 May 2023.
  2. Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
  3. "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
  4. Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
  5. Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
  6. "SPDX Current version". spdx.dev. Retrieved 2022-11-22.
  7. "SPDX and NTIA Minimum Elements for SBOM HOWTO". spdx.github.io.
  8. "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. August 30, 2012. Retrieved 2021-12-01.
  9. "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. October 22, 2013. Retrieved 2021-12-01.
  10. "What's new in SPDX 2.0". LWN.net. May 20, 2015. Retrieved 2021-12-01.
  11. "General Meeting/Minutes/2016-11-03". wiki.spdx.org. November 3, 2016. Retrieved 2021-12-01.
  12. "The Linux Foundation's Open Compliance Initiative Releases New SPDX Specification". Linux Foundation. October 4, 2016. Retrieved 2021-12-01.
  13. "SPDX 2.2 Specification Released". Linux Foundation. May 7, 2020. Retrieved 2021-12-01.
  14. "ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1". iso.org. Retrieved 2021-12-01.
  15. "Release v2.2.2". github.com/spdx. Retrieved 2022-06-11.
  16. "Release v2.3". github.com/spdx. Retrieved 2022-11-22.
  17. "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. Retrieved 2021-12-01.
  18. Bernard, Allen (September 9, 2021). "SPDX becomes internationally recognized standard". TechRepublic. Retrieved 2021-12-01.
  19. Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  20. "Joinup Licensing Assistant". Retrieved 31 March 2020.
  21. Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". GNU. Retrieved 2018-05-24.
  22. Jilayne Lovejoy (5 January 2018). "License List 3.0 Released!". spdx.dev. Archived from the original on 2018-01-05. Retrieved 2021-09-02.
  23. "Solving License Compliance at the Source: Adding SPDX License IDs - Linux Foundation". www.linuxfoundation.org.
  24. "package.json | npm Docs". docs.npmjs.com.
  25. "PEP 639 – Improving License Clarity with Better Package Metadata". peps.python.org.
  26. "The Manifest Format - The Cargo Book". doc.rust-lang.org.
  27. "License: field in Spec File". Fedora Legal Documentation. Retrieved 30 July 2023.
  28. "Machine-readable debian/copyright file". www.debian.org.