Skip to main content

Linux Foundation’s SPDX Workgroup Announces New Open Compliance Standard

By 2015-05-128月 22nd, 2017Press Release

SPDX 2.0 provides companies with three-dimensional view of critical license dependencies, ensuring ease with open source license compliance

SAN FRANCISCO, Calif. May 12, 2015 – The SPDX® workgroup, hosted by The Linux Foundation, today announced the release of version 2.0 of its Software Package Data Exchange (SPDX) specification, which includes a three-dimensional view of license dependencies that will make exchange of open source and license data more simple and compliance with open source licenses much easier.

SPDX 2.0 represents a major milestone for open source license compliance. New features include the ability to relate SPDX documents to each other, making it more useful for a broader range of uses, including exchanging clear data about software and modules in companies’ supply chains. For example, with SPDX 2.0 a device manufacturer can easily understand what open source software has been used to build the device components, what versions of that software are being used and what modules have been integrated. This allows companies to more efficiently understand the open source compliance obligations or vulnerabilities and address them before shipment.

The relationship view of license dependencies is made possible through new features that include a deeper level of description and context in files and packages, including those external to the SPDX specification. This allows managers to better understand the open source code in their products, as well as third-party open source code bases that have been integrated with the existing software. This helps to create taxonomy for modules that can be used not only for compliance but identifying potential security vulnerabilities.

“With SPDX 2.0, companies can be more confident than ever before in their open source license compliance,” said Black Duck’s Phil Odence, chair, SPDX workgroup. “With new features that provide contextual reference across packages and files, including those external to SPDX documents, the SPDX specification becomes an even more valuable resource to the increasing number of companies around the world using open source software in their products.”

The Software Package Data Exchange® (SPDX®) specification is a standard format for communicating the components, licenses and copyrights associated with a software package.

The SPDX specification helps facilitate compliance with free and open source software licenses by providing a uniform way license information is shared across the software supply chain. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The effort includes representatives from more than 20 organizations—software, systems and tool vendors, foundations and systems integrators—all committed to creating a specification for software package data exchange formats.

Other new features in SPDX 2.0 include:

  • Descriptions of multiple packages in a single SPDX document, allowing aggregation of information that should be kept together.
  • Annotations have been expanded and include replacing ‘review’ comments and can be provided on any specific element in an SPDX document. This increases flexibility.
  • A new license expression syntax has been introduced with improved license matching guidelines. The improved syntax makes it much easier and more reliable to capture complex licensing in a file.
  • Additional file types and checksum algorithms are now supported. The file types have been expanded, allowing for more precise identification of a file.
  • SPDX can now reference software pulled from version control systems, in addition to software served as downloads. This recognizes alternative ways of distributing software.

“License compliance is a priority for the Linux and open source community and benefits the technology industry overall, especially as the adoption of open technologies continues to increase,” said Jim Zemlin, executive director at The Linux Foundation. “With the release of SPDX 2.0, compliance is easier than ever before.”

SPDX is developed with individuals associated with a wide range of industry and open source community heavyweights, including: Alcatel-Lucent, ARM, Black Duck Software, Cisco, HP, Linaro, Micro Focus, nexB, Palamida, Pelagicore, Protecode, Source Auditor, Qualcomm, Samsung, Texas Instruments, University of Nebraska Omaha, University of Victoria, and Wind River.

To learn more about SPDX and participate, please visit:

About The Linux Foundation

The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at


Trademarks: The Linux Foundation, Linux Standard Base, MeeGo, OpenDaylight, SPDX, Software Package Data Exchange, Tizen and Yocto Project are trademarks of The Linux Foundation. Linux is a trademark of Linus Torvalds.


The Linux Foundation
Follow Us