SPDX Updates Open Source License Compliance Standards
Software licenses aren't very useful if no one adheres to them—and adhering to licenses gets tough quickly when you're dealing with complex supply chains of software whose numerous, ever-moving parts are licensed differently. That's why the Linux Foundation's Software Package Data Exchange (SPDX) working group has rolled out an updated specification designed to make open source licensing simpler.
SPDX provides a standard format for “communicating the components, licenses and copyrights associated with a software package,” and helps “facilitate compliance with free and open source software licenses by providing a uniform way license information is shared across the software supply chain,” according to the Linux Foundation.
Toward that end, version 2.0 of the specification, released May 12 by the SPDX working group (which is hosted by the Linux Foundation and includes a number of major open source companies and organizations), introduces several new features. The Linux Foundation says the release “represents a major milestone for open source license compliance.” The additions include:
Support for relating SPDX documents to one another, which makes the specification “more useful for a broader range of uses, including exchanging clear data about software and modules in companies’ supply chains,” according to the Linux Foundation.
The ability to describe multiple packages within a single SPDX document.
Enhanced annotation support.
A new licensing expression syntax.
Support for additional file types and checksum algorithms.
Support for software from version-control systems (previously, SPDX worked only with software that was downloaded).
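A worked example of what the new license expression syntax makes possible in a compliance pipeline, added here and not taken from the SPDX specification or from any SPDX tooling: a small Python parser for expressions built from license identifiers, the `+` ("or later") suffix, parentheses and the `AND`, `OR` and `WITH` operators, followed by a policy check that decides whether a package's expression can be satisfied by an organization's list of approved licenses. The precedence rules used (`WITH` binds tightest, then `AND`, then `OR`; operators in upper case), the treatment of `+` (an approved later version of the same license counts) and the policy sets are assumptions of this example, and the sample expressions are constructed.

```python
import re
from typing import List, Optional, Set, Tuple

# AST nodes (added example, not SPDX reference code):
#   ("lic", "<id>", or_later)        license id; or_later is True for "GPL-2.0+"
#   ("with", <node>, "<exception>")  license combined with an exception id
#   ("and", <node>, <node>) / ("or", <node>, <node>)
Node = Tuple

_OPERATORS = ("AND", "OR", "WITH")
# Parentheses, or an identifier made of the characters SPDX ids use.
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.\-+:]+")
# Splits "GPL-2.0" into ("GPL", "2.0"); ids with no trailing version (MIT) do not match.
_VERSION_RE = re.compile(r"^(.*?)-(\d+(?:\.\d+)*)$")


def tokenize(expr: str) -> List[str]:
    tokens = _TOKEN_RE.findall(expr)
    # Anything the token pattern skipped other than whitespace is an illegal character.
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"illegal character in expression: {expr!r}")
    return tokens


class _Parser:
    """Recursive descent: OR is lowest precedence, then AND, then WITH (assumed rules)."""

    def __init__(self, tokens: List[str]):
        self.toks, self.pos = tokens, 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse(self) -> Node:
        node = self._parse_or()
        if self._peek() is not None:
            raise ValueError(f"unexpected trailing token {self._peek()!r}")
        return node

    def _parse_or(self) -> Node:
        node = self._parse_and()
        while self._peek() == "OR":
            self._take()
            node = ("or", node, self._parse_and())
        return node

    def _parse_and(self) -> Node:
        node = self._parse_with()
        while self._peek() == "AND":
            self._take()
            node = ("and", node, self._parse_with())
        return node

    def _parse_with(self) -> Node:
        node = self._parse_primary()
        if self._peek() == "WITH":
            self._take()
            exception = self._take()
            if exception in _OPERATORS or exception in ("(", ")"):
                raise ValueError(f"expected exception id after WITH, got {exception!r}")
            node = ("with", node, exception)
        return node

    def _parse_primary(self) -> Node:
        tok = self._take()
        if tok == "(":
            node = self._parse_or()
            if self._take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok in _OPERATORS or tok == ")" or tok.rstrip("+") == "":
            raise ValueError(f"unexpected token {tok!r}")
        return ("lic", tok.rstrip("+"), tok.endswith("+"))


def parse_expression(expr: str) -> Node:
    return _Parser(tokenize(expr)).parse()


def _version_key(lic_id: str) -> Tuple[str, Tuple[int, ...]]:
    m = _VERSION_RE.match(lic_id)
    if not m:
        return lic_id, ()
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def _license_ok(lic_id: str, or_later: bool, allowed: Set[str]) -> bool:
    if lic_id in allowed:
        return True
    if not or_later:
        return False
    # "X-2.0+" may be used under any later version, so an approved X-3.0 also satisfies it.
    base, version = _version_key(lic_id)
    return bool(version) and any(b == base and v >= version for b, v in map(_version_key, allowed))


def satisfiable(node: Node, allowed: Set[str], allowed_exceptions: Set[str]) -> bool:
    kind = node[0]
    if kind == "lic":
        return _license_ok(node[1], node[2], allowed)
    if kind == "with":  # the exception must be approved as well as the license it modifies
        return node[2] in allowed_exceptions and satisfiable(node[1], allowed, allowed_exceptions)
    left = satisfiable(node[1], allowed, allowed_exceptions)
    right = satisfiable(node[2], allowed, allowed_exceptions)
    return (left and right) if kind == "and" else (left or right)


def check_expression(expr: str, allowed: Set[str], allowed_exceptions: Set[str] = frozenset()) -> bool:
    """True if the package can be consumed under licenses and exceptions the policy allows."""
    return satisfiable(parse_expression(expr), allowed, allowed_exceptions)


if __name__ == "__main__":
    # Constructed policy for a hypothetical organization; not from any real project.
    POLICY = {"MIT", "Apache-2.0", "BSD-2-Clause", "GPL-3.0"}
    EXCEPTIONS = {"Classpath-exception-2.0"}
    for e in ["MIT OR Apache-2.0", "(MIT OR Apache-2.0) AND GPL-2.0+", "GPL-2.0",
              "GPL-2.0+ WITH Classpath-exception-2.0", "GPL-2.0 AND MIT OR Apache-2.0"]:
        print(f"{e:42} -> {'OK' if check_expression(e, POLICY, EXCEPTIONS) else 'REJECT'}")
```

The check is deliberately conservative: a `WITH` clause passes only when both the license and the exception are on the approved lists, a bare `GPL-2.0` is rejected even though `GPL-3.0` is approved, and a malformed expression raises rather than silently passing, which is the behavior a supply-chain gate should have.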
Most of the above is stuff that only programmers can fully appreciate. But for the broader open source world, SPDX is an important resource—even if it’s also one that’s hard to become excited about—since it makes it easier for developers to ensure that they are using open source licenses properly, and that their users do the same.
And because licenses—from the GNU General Public License to the Apache License to the FreeBSD licenses—serve as the bedrock of the free and open source software communities by defining what free and open source means, better licensing standards and tools are important for holding these communities together.