Software Package Data Exchange

Software Package Data Exchange (SPDX) is an open standard for software bills of materials (SBOMs). SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software. Its original purpose was to improve license compliance, and it has since been expanded to facilitate additional use cases such as supply-chain transparency and security. SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 3.0.

Structure
The SPDX standard defines an SBOM document, which contains SPDX metadata about software. The document itself can be expressed in multiple formats, including JSON, YAML, RDF/XML, tag–value, and spreadsheet. Each SPDX document describes one or more elements, which can be a software package, a specific file, or a snippet from a file. Each element is given a unique identifier, and metadata for an element can refer to other elements.

Version history
The first version of the SPDX specification was intended to make compliance with software licenses easier, but subsequent versions of the specification added capabilities intended for other use cases, such as being able to contain references to known software vulnerabilities. Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'.

SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August 2021.

License syntax
Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0". Licenses can be combined by operators  and , and grouping  ,.

For example,  means that one can choose between   (Apache License) or   (MIT license). On the other hand,  means that both licenses apply.

There is also a "+" operator which, when applied to a license, means that future versions of the license apply as well. For example,  means that   and   may apply (and future versions if any).

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".

In 2020, the European Commission published its Joinup Licensing Assistant, which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers
The GNU family of licenses (e.g., GNU General Public License version 2) have a built-in option to choose a later version of the license. Sometimes, it was not clear whether the SPDX expression  meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version". Thus, since version 3.0 of the SPDX License List, the GNU family of licenses got new names. means "exactly version 2.0" and  means "version 2.0 or any later version".
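As an added example (not code from the SPDX project), the following parser and policy check handles the SPDX expression grammar described above: OR, AND and WITH operators, the "+" suffix and parentheses, with the deprecated GNU identifiers normalized to their unambiguous "-only" / "-or-later" spellings before an SBOM consumer decides whether a component's licensing fits an allowlist. The allowlist and the expression strings are constructed for illustration.

```python
import re

# Deprecated GNU identifiers (renamed in SPDX License List 3.0), mapped to the
# unambiguous forms so "GPL-2.0" in an older SBOM is read as "exactly 2.0".
DEPRECATED = {
    "GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
    "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later",
    "LGPL-2.1": "LGPL-2.1-only", "LGPL-2.1+": "LGPL-2.1-or-later",
}
OPERATORS = {"AND", "OR", "WITH"}
TOKENS = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")

def tokenize(expr: str) -> list[str]:
    tokens = TOKENS.findall(expr)
    if "".join(tokens) != "".join(expr.split()):   # reject stray characters
        raise ValueError(f"invalid characters in expression: {expr!r}")
    return tokens

def parse(expr: str):
    """Parse an SPDX license expression into a nested tuple AST.
    Precedence, lowest to highest: OR, AND, WITH; parentheses group."""
    tokens, pos = tokenize(expr), 0
    def peek(): return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        tok = peek(); pos += 1; return tok
    def primary():
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")": raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok in OPERATORS:
            raise ValueError(f"expected license id, got {tok!r}")
        node = ("LIC", DEPRECATED.get(tok, tok))
        if peek() == "WITH":                      # license WITH exception
            take(); exc = take()
            if exc is None or exc in OPERATORS or exc in "()":
                raise ValueError("WITH requires an exception id")
            node = ("WITH", node, ("EXC", exc))
        return node
    def and_expr():
        node = primary()
        while peek() == "AND": take(); node = ("AND", node, primary())
        return node
    def or_expr():
        node = and_expr()
        while peek() == "OR": take(); node = ("OR", node, and_expr())
        return node
    node = or_expr()
    if pos != len(tokens): raise ValueError(f"unexpected token {peek()!r}")
    return node

def acceptable(node, allowed: set[str]) -> bool:
    """True if the expression can be satisfied using only ids in `allowed`
    (constructed allowlist). OR offers a choice; AND and WITH need both sides."""
    kind = node[0]
    if kind in ("LIC", "EXC"): return node[1] in allowed
    if kind == "OR": return acceptable(node[1], allowed) or acceptable(node[2], allowed)
    return acceptable(node[1], allowed) and acceptable(node[2], allowed)
```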

For licensing
The SPDX license identifier can be added to the top of source code files as a short string unambiguously declaring the license used. The SPDX-License-Identifier syntax, pioneered by Das U-Boot in 2013, became part of SPDX in version 2.1. In 2017, the Free Software Foundation Europe (FSFE) launched REUSE, which provides tools to validate the header comment and to efficiently extract copyright information.

The SPDX license identifier is also used in a number of package managers, such as npm, Python packaging, and Rust's Cargo. SPDX license expressions are used in RPM package metadata in Fedora Linux, replacing the earlier use of the Callaway system. Debian's machine-readable copyright format uses a slightly different license specification.