SPDX clears confusion around software licenses

Software Package Data Exchange makes it easier to understand the rights and responsibilities granted by different software licenses.

Opensource.com

Around this time every year, our minds turn to copyright. Or maybe they turn more to copyright. After all, open source works because of copyright law. As you may already know, copyright laws give the authors of works the exclusive right to copy (among other things) their work. These rights attach as soon as the work is fixed in a tangible medium (written down, saved to disk, etc.). So the rights that open source licenses grant rely on copyright law.

But what rights are specifically granted? That depends on which license the developer selects. Most projects use one of a few standard licenses, but they're not always clearly communicated. For example, a project may be released under "the GNU General Public License (GPL)." But which version? And can the recipient choose a later version if they wish?

The Software Package Data Exchange (SPDX) is a Linux Foundation project that reduces ambiguity about software by defining a standard format for reporting information about it. The license is one such piece of information. SPDX provides a format for naming the specific license variant and version that applies to a software package. With over 300 licenses on the list, you're likely to find the one you use. The License List contains a human-friendly name, a short identifier, and a link to the full license text. SPDX also provides guidelines for matching the text of a license file to the official text of the license.

The SPDX Working Group recently released version 3.0 of the License List. This major revision includes clarified identifiers for GPL versions, improved matching guidance, and a new master format for the list. The new format replaces a spreadsheet and text files in favor of an XML-style template. This allows for richer expression of fields within the licenses.
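As an added example (not SPDX project code), the following Python script shows what the short identifiers from the License List look like in practice: it finds `SPDX-License-Identifier:` header lines in source files, checks that the license expression is well formed, and flags identifiers that are unknown or that the 3.0 list marked deprecated (the bare `GPL-2.0` and `GPL-2.0+` forms, replaced by `GPL-2.0-only` and `GPL-2.0-or-later`). The license and exception tables are a small constructed subset of the real list, and the sample files are made up; the `LicenseRef-` prefix is the SPDX convention for licenses not on the list.

```python
"""Audit SPDX-License-Identifier headers against a subset of the SPDX License List.

Added example, not SPDX project code. The license subset below is a constructed
slice of the real list, and every sample file is made up.
"""
import re
from dataclasses import dataclass

# Constructed subset of SPDX short identifiers (assumption: a real checker
# would load the complete list published by the SPDX project).
KNOWN_LICENSES = {
    "MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.1-only", "LGPL-2.1-or-later",
}
# Pre-3.0 GPL identifiers that left the "or later" question open, mapped to
# the unambiguous replacements the 3.0 revision of the list introduced.
DEPRECATED = {
    "GPL-2.0": ("GPL-2.0-only", "GPL-2.0-or-later"),
    "GPL-2.0+": ("GPL-2.0-or-later",),
    "GPL-3.0": ("GPL-3.0-only", "GPL-3.0-or-later"),
    "GPL-3.0+": ("GPL-3.0-or-later",),
}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}  # constructed subset

HEADER_RE = re.compile(r"SPDX-License-Identifier:[ \t]*([^\r\n]+)")
TRAILING_COMMENT_RE = re.compile(r"\s*(\*/|-->|\*\))\s*$")  # strip comment closers
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


@dataclass(frozen=True)
class Finding:
    path: str
    problem: str


def extract_expression(text):
    """Return the license expression from the first SPDX header line, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    return TRAILING_COMMENT_RE.sub("", m.group(1)).strip()


def check_expression(expr):
    """Validate a simple SPDX license expression (ids, AND, OR, WITH, parens).

    Returns a list of problem strings; an empty list means the expression is
    well formed and every identifier is on the (subset) list.
    """
    problems = []
    tokens = TOKEN_RE.findall(expr)
    depth = 0
    expect_operand = True  # True when the next token must be a license or '('
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            if not expect_operand:
                problems.append("unexpected '('")
            depth += 1
        elif tok == ")":
            if expect_operand or depth == 0:
                problems.append("unexpected ')'")
            depth = max(depth - 1, 0)
        elif tok in ("AND", "OR"):
            if expect_operand:
                problems.append(f"operator {tok} without left operand")
            expect_operand = True
        elif tok == "WITH":
            exc = tokens[i + 1] if i + 1 < len(tokens) else None
            if expect_operand:
                problems.append("WITH without a license before it")
            if exc is None or exc not in KNOWN_EXCEPTIONS:
                problems.append(f"unknown or missing exception after WITH: {exc}")
            i += 1  # the exception token belongs to this WITH clause
        else:
            if not expect_operand:
                problems.append(f"missing operator before {tok}")
            if tok in DEPRECATED:
                alts = " or ".join(DEPRECATED[tok])
                problems.append(f"deprecated identifier {tok}: use {alts}")
            elif tok not in KNOWN_LICENSES and not tok.startswith("LicenseRef-"):
                problems.append(f"unknown license identifier {tok}")
            expect_operand = False
        i += 1
    if expect_operand:
        problems.append("expression ends without a license identifier")
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def audit_files(files):
    """files maps path -> text. Return findings for missing or invalid headers."""
    findings = []
    for path, text in sorted(files.items()):
        expr = extract_expression(text)
        if expr is None:
            findings.append(Finding(path, "no SPDX-License-Identifier header"))
            continue
        for problem in check_expression(expr):
            findings.append(Finding(path, problem))
    return findings


# Constructed sample files standing in for a small source tree.
SAMPLE_FILES = {
    "src/main.c": "/* SPDX-License-Identifier: GPL-2.0-or-later */\nint main(void){return 0;}\n",
    "src/util.py": "# SPDX-License-Identifier: MIT OR Apache-2.0\n",
    "src/legacy.c": "// SPDX-License-Identifier: GPL-2.0\n",
    "src/vendor.js": "// SPDX-License-Identifier: Foo-1.0\n",
    "README": "No header here.\n",
}

if __name__ == "__main__":
    for f in audit_files(SAMPLE_FILES):
        print(f"{f.path}: {f.problem}")
```

Run against the sample tree, the script reports the file with no header, the file still using the ambiguous `GPL-2.0` identifier, and the file whose identifier is not on the list; the two well-formed headers pass silently. The expression checker deliberately accepts only the operators SPDX defines, so a header that reads "GPL-2.0-or-later and MIT" (lowercase operator) is reported as a missing operator rather than silently treated as valid.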

Having an unambiguous license-communication mechanism might not seem very important to the developer, but it is to downstream developers. This is particularly true for commercial developers who may need to provide their customers a bill of materials that includes the component software packages. Or maybe the legal department wants to know what open source licenses are in use so they can help ensure compliance.

Whatever the reason, with the SPDX standard and the community-supported or commercial tools the SPDX Working Group lists, developers have a way of communicating software licenses that is clearly understood.

Ben Cotton is a meteorologist by training, but weather makes a great hobby. Ben works as the Fedora Program Manager at Red Hat. He is the author of Program Management for Open Source Projects. Find him on Twitter (@FunnelFiasco) or at FunnelFiasco.com.

2 Comments

Thanks for the article.

I think it would have been cool if the article would have shown examples on how to apply SPDX to source code in some prominent languages and/or project styles if appropriate.

Are there tools to see if a project really conforms to some SPDX license? Or to ensure that each file has an SPDX header?

How does SPDX work with the classical license headers that e.g. say "this is released under license XYZ and you may do bla blah" - is that still needed with SPDX?

Thanks
Heiko

Thanks for your comment, Heiko. The SPDX site has information on how to use it in a file header or as a separate information file: https://spdx.org/using-spdx

There are tools to search software for license issues, I believe they could be used to audit the correctness of SPDX info. SPDX provides a list of commercial and community tools at https://spdx.org/tools


This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.