The SPDX License List is a list of commonly found licenses and exceptions used in free and open source and other collaborative software or documentation. The purpose of the SPDX License List is to enable easy and efficient identification of such licenses and exceptions in an SPDX document, in source files or elsewhere. The SPDX License List includes a standardized short identifier, full name, vetted license text including matching guidelines markup as appropriate, and a canonical permanent URL for each license and exception.
By including a license or exception on this list, the SPDX workgroup makes no judgment about its suitability or desirability. The list is meant only to standardize references to commonly used, free and open source licenses and exceptions, not to promote or discourage the use of any license or exception. A license not on the SPDX License List can be included in an SPDX document by using a License Ref and including the full license text as per the specification.
This page describes the current principles for the inclusion of a license on the SPDX License List, as well as an explanation of the fields contained on the list.
SPDX License List links:
- SPDX License List: The list of commonly found open source licenses for the purposes of being able to easily and efficiently identify such licenses.
- License Exceptions: The list of commonly found exceptions to free and open source licenses, which can be used with the License Expression operator, “WITH” to create a license with an exception operator.
- Master Files: The HTML pages you see at http://spdx.org/licenses/ are generated from the master files for the SPDX License List.
- Matching Guidelines: Guidelines for what constitutes a license match to the SPDX License List. The license text on the HTML pages at http://spdx.org/licenses/ will display omitable text in blue and replaceable text in red (see Guideline #2 for more information).
- Request New License: Instructions for proposing a license or exception be added to the SPDX License List.
License Inclusion Principles
The Software Package Data Exchange® (SPDX®) specification is a standard format for communicating, among other things, the components, licenses, and copyrights associated with open source software packages. Use of this standard streamlines license identification across the supply chain while reducing redundant work.
The goal of SPDX is not to evaluate licensing information or to provide legal interpretations. The only goal is to reliably and consistently communicate and share objective factual information so that organizations using software components will have the information necessary to conduct their independent analysis and evaluation. Establishing a consistent, reliable, and reusable way to communicate license information for software components will facilitate open source license compliance along the supply chain.
Although SPDX has traditionally focused on open source licensing, software may contain a mix of open-source licensed, commercially-licensed, freeware licensed, and other varieties of licensed software. Thus, it is feasible that a future version of the standard may develop a standardized method of identifying non-open source licenses contained within software packages.
Because the present focus of SPDX is the collection and presentation of the open-source software licenses contained in a software package, any license that is a candidate for inclusion on the SPDX License List must have the general attributes of an “open source” license.
Open Source Definition
The terms “free software,” “open source software,” or their variants (FOSS, FLOSS, libre software, etc.) are defined differently by different organizations. At a minimum, all definitions of open source or free software include the characteristic that the source code be made available for inspection and modification and that the source code may be freely distributed. However, there are a number of other characteristics that vary depending on the policy focus of the defining organization. Even though the various definitions of open source software differ in some respects, there are certain fundamental characteristics commonly incorporated in all these definitions.
The SPDX Legal Team uses the definition promulgated by the Open Source Initiative (OSI) as the basis for analyzing candidate licenses for inclusion on the SPDX License List. That definition provides as follows:
Open source doesn’t just mean access to the source code. The distribution terms of open-source software must comply with the following criteria:
- Free Redistribution. The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale.
- Source Code. The program must include source code, and must allow distribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost preferably, downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed.
- Derived Works. The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software.
- Integrity of The Author’s Source Code. The license may restrict source-code from being distributed in modified form only if the license allows the distribution of “patch files” with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software.
- No Discrimination Against Persons or Groups. The license must not discriminate against any person or group of persons.
- No Discrimination Against Fields of Endeavor. The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.
- Distribution of License. The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties.
- License Must Not Be Specific to a Product. The rights attached to the program must not depend on the program’s being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program’s license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution.
- License Must Not Restrict Other Software. The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software.
- License Must Be Technology-Neutral. No provision of the license may be predicated on any individual technology or style of interface.
Available at http://opensource.org/osd (March 14, 2013).
Candidate License Analysis
Determining whether a candidate license is deemed to be open source for purpose of inclusion on the SPDX License List requires the SPDX Legal Team to engage in a case-by-case evaluation of each candidate license. Candidate licenses that substantially comply with the open source definition will be added to the SPDX License List. Nevertheless, the SPDX Legal Team does not require (1) strict compliance with all elements of the OSI Definition; or (2) strict compliance with any particular element of the OSI Definition. Rather, it treats each element of the definition as a factor to be balanced in light of the totality of the candidate license and SPDX’s goals and objectives. The SPDX Legal Team may also analyze “environmental” factors outside the open source definition, such as whether a candidate license is already included on the OSI license list or other such lists, whether the candidate license is in common use, or whether a commonly used open source project uses it (particularly where such open source project is a dependency on which other projects rely).
The SPDX Legal Team endeavors to explain its reasoning, analysis, and conclusions with respect to a candidate license as a means of developing precedent.
The following information describes how each field on the license and exception list is treated.
A) Full Name
- The full name may omit certain word, such as “the,” for alphabetical sorting purposes
- No commas in full name of license or exception
- The word “version” is not spelled out; “v” or nothing is used to indicate license version (for space reasons)
- For version, use lower case v and no period or space between v and the number
- No abbreviations are included (in parenthesis) after the full name
B) Short Identifier
- Short identifier to be used to identify a license or exception match to licenses or exceptions in the context of an SPDX file, a source file, or elsewhere
- Short identifiers consist of ASCII letters (A-Za-z), digits (0-9), full stops (.) and hyphen or minus signs (-)
- Short identifiers consist of an abbreviation based on a common short name or acronym for the license or exception
- Where applicable, the abbreviation will be followed by a dash and then the version number, in X.Y format
- Where applicable, and if possible, the short identifier should be harmonized with other well-known open source naming sources (i.e., OSI, Fedora, etc.)
- Short identifiers should be as short in length as possible while staying consistent with all other naming criteria
C) Other web pages for license/exception
- Include URL for the official text of the license or exception
- If the license is OSI approved, also include URL for OSI license page
- Include another URL that has text version of license, if neither of the first two options are available
- Note that the source URL may refer to an original URL for the license which is no longer active. We don’t remove inactive URLs. New or best available URLs may be added.
- Link to the license or exception in its native language is used where specified (e.g. French for CeCILL). Link to English version where multiple, equivalent official translations (e.g. EUPL)
- Include date of release, if found, for licenses with multiple versions, using European date format: day – month – year
- Only factual information is included here
- Does not contain information (or links to information) that includes any kind of interpretation or comment about the license (even if written by the license author)
- Links to other official language translations of the license
- For exceptions, includes a reference to the license(s) to which this exception typically applies
E) OSI Approved?
- If the license is OSI-approved, this field will indicate “Y” and otherwise left blank
F) FSF Free/Libre?
- If the license is considered free by the FSF, this field will indicate “Y” and otherwise left blank
- Full license text of the license or exception
H) Standard License Header
- Should only include text intended to be put in the header of source files or other files as specified in the license or license appendix when specifically delineated
- Indicate if there is any variation in the header (i.e. for files developed by a contributor versus when applying license to original work)
- Do not include NOTICE info intended for a separate notice file
- Leave this field blank if there is no standard header as specifically defined in the license