The Linux Foundation’s Open Compliance Initiative Releases New SPDX Specification

2016-10-04 | August 22nd, 2017 | Press Release

Software Package Data Exchange 2.1 helps open source developers and projects streamline software supply chain; eases license sharing 

Berlin, Germany (LinuxCon and ContainerCon Europe) – October 4, 2016 – The SPDX® Project, hosted by The Linux Foundation®, today is announcing the release of version 2.1 of its Software Package Data Exchange (SPDX) specification. SPDX 2.1 standardizes the inclusion of additional data in generated files, as well as providing a syntax for accurate tagging of source files with SPDX license list identifiers.

According to The 2016 North Bridge & Black Duck Future of Open Source Study, 90 percent of companies rely on open source for improved efficiency, innovation and interoperability, yet only half of those companies have a formal management process for the code they rely upon. The SPDX specification helps facilitate compliance with free and open source software licenses by providing a uniform way to share license information across the software supply chain. The effort unites more than 20 organizations – software, systems and tool vendors, foundations and systems integrators – to create a specification for software package data exchange formats.

“The new SPDX specification release benefits the entire open source community – from developers to end users. It not only helps standardize the way license information is shared, but it gives every stakeholder in FOSS assurance around quality and consistency of code use,” said Mike Dolan, VP of Strategic Programs, The Linux Foundation. “SPDX is a community-driven effort, with technical guidance from open source developers. Together, we’re helping advance open source by establishing a specification that enables code to be used or altered in a consistent, understandable and compliant manner.”

Key features in the SPDX 2.1 specification include:

      Snippets allow a portion of a file to be identified as having different properties from the file it resides within. The use of snippets is completely optional, and it is not mandatory for snippets to be identified;

      Improvements in referencing external packages and repositories; users can now associate packages with security vulnerability databases as well as component repositories such as npm, Maven and Bower, among others; and

      A new appendix has been added to explain how to use SPDX License List identifiers in source files. An increasing number of open source projects are adding these short identifiers to code, as they allow anyone to quickly scan a directory of files to identify the licenses included. SPDX license identifier tags also eliminate common mistakes based on scanning headers to conclude the license of a source file.

SPDX 2.1 is now available at To learn more about SPDX and participate, please visit:

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our trademark usage page:

Linux® is a registered trademark of Linus Torvalds.

# # #