Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of materials information (including components, licenses, copyrights, and security references).
SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses, copyrights, and security references, thereby streamlining and improving compliance.
The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The grass-roots effort includes representatives from more than 20 organizations—software, systems and tool vendors, foundations and systems integrators—all committed to creating a standard for software package data exchange formats.
Develop and promote adoption of a specification to enable any party in a software supply chain, from the original author to the final end user, to accurately communicate the licensing information for any piece of copyrightable material that such party may create, alter, combine, pass on, or receive, and to make such information available in a consistent, understandable, and re-usable fashion, with the aim of facilitating license and other policy compliance.
The vision of SPDX is to achieve license compliance with minimal cost across the supply chain. Ideally, upstream component developers begin the process by supplying SPDX files as part of their downloads. Users of those components then have a starting point for the SPDX files they create for their own "customers," and so on. If everything is working properly, the provenance of each piece of code is researched and documented only once during its journey through the supply chain, and that information is passed along in parallel with the code in the SPDX format.
Development of SPDX is run somewhat like an open source project: those who participate influence. Decisions tend to be made by consensus. The spec itself is written by a technical team with input and support from business and legal teams. Although much of the initial focus was on Linux and the project is under the auspices of the Linux Foundation, the strategy from the outset has been much broader: to be applicable to anything open source. To accommodate a range of needs, SPDX documents can be written in either RDF/XML or tag-value format, both carrying the same fields.
The SPDX "IP" is all housed on this site. Most of that is embodied in the spec itself, but we have developed a number of separate assets that complement the specification, including a standard license list, implementation guidelines and the SPDX-compatible tools.
A Short History of SPDX
- 2010/02 - specification drafting began in a work-group of FOSSBazaar under the Linux Foundation that came to be called "SPDX".
- 2010/08 - "SPDX" announced as one of the pillars of the Linux Foundation's Open Compliance Program.
- 2011/08 - SPDX 1.0 specification released - handles packages.
- 2012/08 - SPDX 1.1 specification released - fixed a flaw in the package verification code algorithm.
- 2013/10 - SPDX 1.2 specification released - improved interaction with the license list, additional fields for documenting project info.
- 2015/05 - SPDX 2.0 specification released - added ability to handle multiple packages, relationships between packages and files, annotations.
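The tag-value format mentioned above and the package verification code whose algorithm the 1.1 release fixed, shown together as an added example (this is not SPDX project code or tooling): the script writes a minimal SPDX 2.0 tag-value document for a constructed two-file package, parses it back, and checks a package tree against it, flagging modified, missing or unlisted files. The file contents, package name, DocumentNamespace and Creator values are all constructed for the example; the verification code follows the SPDX 2.x rule of sorting the files' hex SHA1 strings, concatenating them, and hashing the result.

```python
# Added example: minimal SPDX 2.0 tag-value writer/parser plus package verification.
import hashlib
import re

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

# Constructed package contents (path -> bytes) standing in for a real source tree.
SAMPLE_FILES = {
    "./LICENSE": b"MIT License\n\nCopyright (c) 2015 Example Org\n",
    "./lib/core.c": b"int core(void) { return 42; }\n",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def package_verification_code(file_sha1s) -> str:
    """SPDX 2.x rule: sort the files' lowercase hex SHA1 strings, concatenate
    them with no separator, and SHA1 the result. Order-independent, so any
    party in the chain can recompute it from the files alone."""
    joined = "".join(sorted(h.lower() for h in file_sha1s))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def build_document(package_name: str, files: dict, license_id: str = "MIT") -> str:
    """Emit a minimal SPDX 2.0 tag-value document. Namespace and Creator are
    placeholders assumed for the example."""
    lines = [
        "SPDXVersion: SPDX-2.0", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {package_name}",
        f"DocumentNamespace: http://example.invalid/spdxdocs/{package_name}",
        "Creator: Tool: added-example-script", "",
        f"PackageName: {package_name}", "SPDXID: SPDXRef-Package",
        "PackageDownloadLocation: NOASSERTION", "FilesAnalyzed: true",
        "PackageVerificationCode: "
        + package_verification_code(sha1_hex(b) for b in files.values()),
        f"PackageLicenseConcluded: {license_id}", f"PackageLicenseDeclared: {license_id}",
        "PackageCopyrightText: NOASSERTION",
    ]
    for i, (path, data) in enumerate(sorted(files.items())):
        lines += ["", f"FileName: {path}", f"SPDXID: SPDXRef-File-{i}",
                  f"FileChecksum: SHA1: {sha1_hex(data)}",
                  f"LicenseConcluded: {license_id}", "FileCopyrightText: NOASSERTION"]
    return "\n".join(lines) + "\n"


def parse_tag_value(text: str):
    """Split tag-value text into document, package and per-file field dicts.
    A PackageName or FileName tag starts a new record; multi-line
    <text>...</text> values are not handled by this minimal parser."""
    doc, pkg, files = {}, {}, []
    current = doc
    for raw in text.splitlines():
        line = raw.strip()
        match = TAG_RE.match(line) if line and not line.startswith("#") else None
        if not match:
            continue
        tag, value = match.groups()
        if tag == "PackageName":
            pkg, current = {}, None
            current = pkg
        elif tag == "FileName":
            current = {}
            files.append(current)
        current[tag] = value
    return doc, pkg, files


def verify_package(spdx_text: str, actual_files: dict) -> list:
    """Compare a package tree against its SPDX document. Returns a list of
    problems; empty means every file and the verification code match."""
    _, pkg, file_records = parse_tag_value(spdx_text)
    problems, listed = [], set()
    for rec in file_records:
        path = rec.get("FileName")
        listed.add(path)
        algo, _, expected = rec.get("FileChecksum", "").partition(":")
        if path not in actual_files:
            problems.append(f"{path}: listed in SPDX but missing from package")
        elif algo.strip().upper() != "SHA1":
            problems.append(f"{path}: unsupported checksum algorithm {algo!r}")
        elif sha1_hex(actual_files[path]) != expected.strip().lower():
            problems.append(f"{path}: SHA1 does not match SPDX FileChecksum")
    for path in actual_files:
        if path not in listed:
            problems.append(f"{path}: present in package but not listed in SPDX")
    expected_code = pkg.get("PackageVerificationCode", "").split(" ")[0].lower()
    actual_code = package_verification_code(sha1_hex(b) for b in actual_files.values())
    if actual_code != expected_code:
        problems.append("PackageVerificationCode does not match the files present")
    return problems


if __name__ == "__main__":
    document = build_document("example-lib", SAMPLE_FILES)
    print(document)
    print("clean tree:", verify_package(document, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"./lib/core.c": b"int core(void) { return 0; }\n"})
    print("tampered tree:", verify_package(document, tampered))
```

The verification code only covers the files it was computed over, so a checker has to report unlisted files separately (as the loop over `actual_files` does); otherwise an added file that is not in the SPDX document would still fail the code comparison but without telling you which file caused it.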