The SPDX License List is a list of commonly found open source licenses and exceptions for the purposes of being able to easily and efficiently identify such licenses and exceptions in an SPDX document (or elsewhere). The SPDX License List includes a standardized short identifier, full name, vetted license text, other basic information, and a canonical permanent URL for each license and exception. By providing a short identifier, users can efficiently refer to a license without having to redundantly reproduce the full license. License exceptions can be used with the SPDX License Expression operator, "WITH" to identify a license with an exception. The SPDX License Expression operator and syntax can be found in the SPDX Specification.
By including a license or exception on this list, the SPDX workgroup makes no judgment about its suitability or desirability. The list is meant only to standardize references to commonly used, open source licenses and exceptions, not to promote or discourage the use of any license or exception. A license not on the SPDX License List can be included in an SPDX document by using a License Ref and including the full license text as per the specification.
This page describes the current principles for the inclusion of a license on the SPDX License List, as well as an explanation of the fields contained on the list.
SPDX License List links:
- SPDX License List: The list of commonly found open source licenses for the purposes of being able to easily and efficiently identify such licenses.
- License Exceptions: The list of commonly found exceptions to open source licenses, which can be used with the SPDX License Expression operator, "WITH" to identify a license with an exception operator.
- Master Files: The HTML pages you see at http://spdx.org/licenses/ are generated from the master files for the SPDX License List. The master files include a spreadsheet listing all the licenses, deprecated licenses, and license exceptions; and the text for each license in a .txt file.
- Matching Guidelines: Guidelines for what constitutes a license match to the SPDX License List. For licenses that include markup, the license text on the HTML pages at http://spdx.org/licenses/ will display omitable text in blue and replaceable text in red (see Guideline #2 for more information).
- Request New License: For instructions on how to propose additional licenses or license exceptions be added to the SPDX License List.
License Inclusion Principles
The Software Package Data Exchange® (SPDX®) specification is a standard format for communicating, among other things, the components, licenses, and copyrights associated with open source software packages. Use of this standard streamlines license identification across the supply chain while reducing redundant work.
The goal of SPDX is not to evaluate licensing information or to provide legal interpretations. The only goal is to reliably and consistently communicate and share objective factual information so that organizations using software components will have the information necessary to conduct their independent analysis and evaluation. Establishing a consistent, reliable, and reusable way to communicate license information for software components will facilitate open source license compliance along the supply chain.
Although SPDX has traditionally focused on open source licensing, software may contain a mix of open-source licensed, commercially-licensed, freeware licensed, and other varieties of licensed software. Thus, it is feasible that a future version of the standard may develop a standardized method of identifying non-open source licenses contained within software packages.
Because the present focus of SPDX is the collection and presentation of the open-source software licenses contained in a software package, any license that is a candidate for inclusion on the SPDX License List must have the general attributes of an "open source" license.
Open Source Definition
The terms "free software," "open source software," or their variants (FOSS, FLOSS, libre software, etc.) are defined differently by different organizations. At a minimum, all definitions of open source or free software include the characteristic that the source code be made available for inspection and modification and that the source code may be freely distributed. However, there are a number of other characteristics that vary depending on the policy focus of the defining organization. Even though the various definitions of open source software differ in some respects, there are certain fundamental characteristics commonly incorporated in all these definitions.
The SPDX Legal Team uses the definition promulgated by the Open Source Initiative (OSI) as the basis for analyzing candidate licenses for inclusion on the SPDX License List. That definition provides as follows:
Available at http://opensource.org/osd (March 14, 2013).
Candidate License Analysis
Determining whether a candidate license is deemed to be open source for purpose of inclusion on the SPDX License List requires the SPDX Legal Team to engage in a case-by-case evaluation of each candidate license. Candidate licenses that substantially comply with the open source definition will be added to the SPDX License List. Nevertheless, the SPDX Legal Team does not require (1) strict compliance with all elements of the OSI Definition; or (2) strict compliance with any particular element of the OSI Definition. Rather, it treats each element of the definition as a factor to be balanced in light of the totality of the candidate license and SPDX's goals and objectives. The SPDX Legal Team may also analyze “environmental” factors outside the open source definition, such as whether a candidate license is already included on the OSI license list or other such lists, whether the candidate license is in common use, or whether a commonly used open source project uses it (particularly where such open source project is a dependency on which other projects rely).
The SPDX Legal Team endeavors to explain its reasoning, analysis, and conclusions with respect to a candidate license as a means of developing precedent.
The following information describes how each field on the license and exception list (whether on the webpage or within the spreadsheet) is treated.
A) Full Name of License or Exception
- The full name may omit certain word, such as "the," for alphabetical sorting purposes
- No commas in full name of license or exception
- The word "version" is not spelled out; "v" or nothing is used to indicate license version (for space reasons)
- For version, use lower case v and no period or space between v and the number
- No abbreviations are included (in parenthesis) after the full name
B) License or Exception Identifier (aka "SPDX Short Identifier")
- Short identifier to be used to identify a license or exception match to licenses or exceptions contained on the SPDX License List in the context of an SPDX file
- Short identifiers have no spaces in them
- Short identifiers consist of an abbreviation based on a common short name or acronym for the license or exception
- Where applicable, the abbreviation will be followed by a dash and then the version number, in X.Y format
- Where applicable, and if possible, the short identifier should be harmonized with other well-known open source naming sources (i.e., OSI, Fedora, etc.)
- Short identifiers should be as short in length as possible while staying consistent with all other naming criteria
- Include url for the official text of the license or exception
- If the license is OSI approved, also include url for OSI license page
- Include another website that has text version of license, if neither of the first two options are available
- Link to the license or exception in its native language is used where specified (e.g. French for CeCILL). Link to English version where multiple, equivalent official translations (e.g. EUPL)
- Include date of release, if found, for licenses with multiple versions, using European date format: day - month - year
- Only factual information should be included here (e.g. the license has been deprecated).
- Does not contain information (or links to information) that includes any kind of interpretation or comment about the license (even if written by the license author)
- Links to other official language translations of the license
- For exceptions, includes a reference to the license(s) to which this exception typically applies
E) OSI Approved
- If the license is OSI approved, this field will indicate "yes," otherwise left blank
F) Standard License Header
- Should only include text intended to be put in the header of source files or other files as specified in the license or license appendix when specifically delineated
- Indicate if there is any variation in the header (i.e. for files developed by a contributor versus when applying license to original work)
- Do not include NOTICE info intended for a separate notice file
- Leave this field blank if there is no standard header as specifically defined in the license
- Full license text or, in the spreadsheet, reference to separate .txt file named by SPDX Short Identifier that contains full license or exception text
H) Example of Use
- For exceptions only, includes a URL to a specific open source licensed package where this exception is used
Any additional information or columns contained in the spreadsheet version of the SPDX License List are not part of the official SPDX License List and are included for tracking or informational purposes only.