User:Seabass-labrax/Software Package Data Exchange

Software Package Data Exchange (SPDX) is an open standard for software bills of materials (SBOMs). SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software. Its original purpose was to improve license compliance, and it has since been expanded to facilitate additional use cases, such as supply-chain transparency and security. SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 2.2.

Version history
The current version of the standard is 2.2 and was ratified in May 2020.

Version 2.1 was ratified in November 2016.

License syntax
Each license is identified by a full name, such as "Mozilla Public License 2.0" and a short identifier, here "MPL-2.0". Licenses can be combined by operators  and , and grouping  ,.

For example,  means that one can choose between   (Apache License) or   (MIT license). On the other hand,  means that both licenses apply.

There is also a "+" operator which, when applied to a license, means that future versions of the license apply as well. For example,  means that   and   may apply (and future versions if any).

In 2020, the European Commission published its Joinup Licensing Assistant, which makes it possible to select and compare more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers
The GNU family of licenses (e.g., GNU General Public License 2.0) has the option of choosing a later version of the license built in. Sometimes it was not clear whether the SPDX expression  meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version". Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has had new names. means "exactly version 2.0" and  means "version 2.0 or any later version".
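The license syntax and the deprecated GNU identifiers described above can be checked mechanically when auditing an SBOM. The following Python sketch is an added example, not part of the SPDX specification or its tooling: it parses expressions built from the `AND` and `OR` operators of the SPDX specification, parentheses and the "+" suffix, and lists old-style GNU-family identifiers with the replacement to review. The function names and the `OLD_GNU` pattern are assumptions of this example, and the `WITH` exception operator is not handled.

```python
import re

TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.-]+\+?)")
# Assumption of this example: identifiers of this shape are the old GNU-family style.
OLD_GNU = re.compile(r"(GPL|LGPL|AGPL|GFDL)-\d+\.\d+")

def parse(expr):
    """Return ('OR'|'AND', left, right) or ('LICENSE', identifier, or_later)."""
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character {expr[pos]!r} at offset {pos}")
        toks.append(m.group(1))
        pos = m.end()
    tree, rest = _binary(toks, "OR")
    if rest:
        raise ValueError(f"unexpected token {rest[0]!r}")
    return tree

def _binary(toks, op):
    # OR is parsed at the outer level so that AND binds more tightly.
    operand = (lambda t: _binary(t, "AND")) if op == "OR" else _atom
    left, toks = operand(toks)
    while toks and toks[0] == op:
        right, toks = operand(toks[1:])
        left = (op, left, right)
    return left, toks

def _atom(toks):
    if not toks or toks[0] in ("AND", "OR", ")"):
        raise ValueError("license identifier expected")
    if toks[0] == "(":
        tree, toks = _binary(toks[1:], "OR")
        if not toks or toks[0] != ")":
            raise ValueError("missing closing parenthesis")
        return tree, toks[1:]
    # A trailing "+" is recorded as a flag rather than kept in the identifier.
    return ("LICENSE", toks[0].rstrip("+"), toks[0].endswith("+")), toks[1:]

def old_gnu_ids(tree):
    """Pairs (identifier as written, replacement to review) for old GNU-family names."""
    if tree[0] != "LICENSE":
        return old_gnu_ids(tree[1]) + old_gnu_ids(tree[2])
    _, ident, or_later = tree
    if not OLD_GNU.fullmatch(ident):
        return []
    return [(ident + "+" * or_later, ident + ("-or-later" if or_later else "-only"))]
```

Because the old bare identifier was ambiguous, the "-only" suggestion for it is a starting point for review against the package's actual license notice, not an automatic rewrite.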