SPDX clears confusion around software licenses

SPDX clears confusion around software licenses

Software Package Data Exchange makes it easier to understand the rights and responsibilities granted by different software licenses.

Traffic circle with arrows pointing which way to go
Image by : 

Subscribe now

Get the highlights in your inbox every week.

Around this time every year, our minds turn to copyright. Or maybe they turn more to copyright. After all, open source works because of copyright law. As you may already know, copyright laws give the authors of works the exclusive right to copy (among other things) their work. These rights attach as soon as the work is fixed in a tangible medium (written down, saved to disk, etc.). So the rights that open source licenses grant rely on copyright law.

But what rights are specifically granted? That depends on which license the developer selects. Most projects use one of a few standard licenses, but they're not always clearly communicated. For example, a project may be released under "the GNU General Public License (GPL)." But which version? And can the recipient choose a later version if they wish?

The Software Package Data Exchange (SPDX) is a Linux Foundation project to help reduce the ambiguity of software by defining standards for reporting information. The license is one such piece of information. SPDX provides a format for listing the specific license variant and version that applies to a software package. With over 300 licenses, you're likely to find the one you use. The License List contains a human-friendly name, a short name, and a link to the full license text. SPDX also provides guidelines for matching the text of a license file to the official text of the license.

The SPDX Working Group recently released version 3.0 of the License List. This major revision includes clarified identifiers for GPL versions, improved matching guidance, and a new master format for the list. The new format replaces a spreadsheet and text files in favor of an XML-style template. This allows for richer expression of fields within the licenses.

Having an unambiguous license-communication mechanism might not seem very important to the developer, but it is to downstream developers. This is particularly true for commercial developers who may need to provide their customers a bill of materials that includes the component software packages. Or maybe the legal department wants to know what open source licenses are in use so they can help ensure compliance.

Whatever the reason, with the SPDX standard and tools such as the SPDX Working Group's own community-supported or commercial tools, developers have a way of communicating software licenses in a clearly understood way.


About the author

Ben Cotton - Ben Cotton is a meteorologist by training, but weather makes a great hobby. Ben works as the Fedora Program Manager at Red Hat. He co-founded a local open source meetup group, and is a member of the Open Source Initiative and a supporter of Software Freedom Conservancy. Find him on Twitter (@FunnelFiasco) or at FunnelFiasco.com.