SPDX License Expressions

This page provides an introduction to SPDX license expressions with a focus on how they are used in Fedora.

Overview

SPDX (Software Package Data Exchange) is a standard format for communicating the component and metadata information associated with software packages. The three aspects of SPDX that are most relevant to Fedora are:

  • The SPDX License List: Focusing on commonly found licenses and exceptions used in free/open or collaborative software, data and documentation, this list features standardized short identifiers for referring to licenses and exceptions.

  • The SPDX license expression grammar.

  • The SPDX matching guidelines: Multiple real-world license texts will "match" a given SPDX License List license or exception identifier in accordance with these guidelines.

Fedora uses SPDX license expressions primarily for two distinct though related purposes:

  • To classify and organize the data pertaining to allowed and not-allowed licenses, as maintained in the Fedora License Data repository and the Fedora license lists that are generated from it.

  • To populate License tags in spec files.

Types of SPDX License Expressions

SPDX License List Identifiers

Commonly called "SPDX identifiers", these are the short form identifiers contained in the SPDX License List. Examples: MIT, GPL-2.0-or-later.

Custom-defined License Identifiers (LicenseRef-)

A custom-defined license identifier (i.e., not contained in the SPDX License List) may be formed using the LicenseRef- prefix. Currently in Fedora License Data all LicenseRef- identifiers are defined specifically by Fedora (i.e., there is no use of LicenseRef- identifiers from other projects or organizations). Note that SPDX currently has no official system of namespacing for LicenseRef- identifiers.

Most Fedora LicenseRef- identifiers represent not-allowed licenses. Examples: LicenseRef-sun-rpc, LicenseRef-OpenMotif. However, some represent allowed licenses. Examples include the umbrella identifiers LicenseRef-Fedora-Public-Domain and LicenseRef-Fedora-UltraPermissive.

WITH Expressions

A compound SPDX expression may be formed by following an SPDX identifier with the WITH operator, followed by an exception identifier contained in the SPDX Exceptions List. This is intended to signify the supplementing of a license grant with a permissive exception or additional permission, which most commonly occurs with licenses in the GPL family. Some examples: GPL-2.0-or-later WITH Autoconf-exception-generic, Apache-2.0 WITH LLVM-exception.

In theory, WITH can also follow a LicenseRef- identifier, but there are no examples of this in Fedora License Data. (There is one unusual LicenseRef- that incorporates WITH in the identifier: LicenseRef-GPL-2.0-or-later-WITH-UPX.) SPDX 3.0 will add an AdditionRef- construct to the SPDX expression grammar, which will permit custom-defined identifiers that can follow WITH. WITH AdditionRef- expressions may be used for additional terms of all types, not just permissive exceptions.

OR Expressions

A compound SPDX expression may be formed by joining two SPDX expressions with the OR operator. This is intended to signify a choice of licenses. In FOSS, a choice of exactly two licenses is often called "dual licensing", although that term is sometimes used to refer to different concepts. Examples: Apache-2.0 OR MIT (a common form of licensing of Rust crates), MPL-1.1 OR GPL-2.0-or-later OR LGPL-2.1-or-later (historically known as the Mozilla tri-license).

AND Expressions

A compound SPDX expression may be formed by joining two SPDX expressions with the AND operator. This generally signifies that both sub-expressions apply to different parts of a file or package. Example: LGPL-2.1-or-later AND GPL-2.0-or-later AND MIT.

+ Operator

The postfix + operator applied to an SPDX identifier signifies permission to use later versions of the license. Example: LPPL-1.3a+. Use of + is uncommon in Fedora License Data.

At the Free Software Foundation’s request, the use of + with GPL family license identifiers has been deprecated by SPDX in favor of the use of -only and -or-later identifier variants (for example, GPL-2.0-only and GPL-2.0-or-later).
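The expression types above compose into one small grammar. The parser below is an added example, not Fedora or SPDX project code; it goes beyond this page by applying the operator precedence from the SPDX specification (+, then WITH, then AND, then OR) and parentheses, and the function name parse and the tuple layout are choices made for this sketch.

```python
import re

# SPDX idstrings use letters, digits, "." and "-"; a trailing "+" means "or later".
ID = r"[A-Za-z0-9.\-]+\+?"
TOKEN = re.compile(rf"[()]|{ID}|\S+")

def parse(expression):
    """Parse an SPDX expression into nested tuples (tightest: +, WITH, AND, OR)."""
    tokens, pos = TOKEN.findall(expression), 0
    peek = lambda: tokens[pos] if pos < len(tokens) else None

    def take_id():
        nonlocal pos
        tok = peek()
        if tok is None or tok in ("AND", "OR", "WITH") or not re.fullmatch(ID, tok):
            raise ValueError(f"expected an identifier, got {tok!r}")
        pos += 1
        return tok

    def binary(operator, operand):
        # Left-associative chain: operand (operator operand)*
        nonlocal pos
        node = operand()
        while peek() == operator:
            pos += 1
            node = (operator, node, operand())
        return node

    def atom():
        nonlocal pos
        if peek() == "(":
            pos += 1
            node = binary("OR", and_expr)
            if peek() != ")":
                raise ValueError("missing closing parenthesis")
            pos += 1
            return node
        tok = take_id()
        # WITH inside a LicenseRef- name is part of the identifier, not an operator.
        kind = "LicenseRef" if tok.startswith("LicenseRef-") else "License"
        node = (kind + "+", tok[:-1]) if tok.endswith("+") else (kind, tok)
        if peek() == "WITH":
            pos += 1
            node = ("WITH", node, take_id())
        return node
    and_expr = lambda: binary("AND", atom)

    tree = binary("OR", and_expr)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree
```
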

SPDX License Expressions in Fedora License Data

Each item in Fedora’s lists of allowed and not-allowed licenses is an SPDX license expression that is associated with a specific TOML file in the data/ directory of the Fedora License Data repository. Each TOML file has an expression key whose value is a string containing an SPDX license expression. That SPDX expression forms the base name of the TOML file, except that internal whitespace is represented with an underscore. For example, the MIT.toml file contains expression = "MIT", and the GPL-2.0-only_WITH_Linux-syscall-note.toml file contains expression = "GPL-2.0-only WITH Linux-syscall-note".

AND expressions and, with one exception, OR expressions, are not appropriate for Fedora License Data. (They may, and commonly do, appear in spec file License tags.)

The exception is certain OR expressions representing a dual license that consists of a GPL-family license and the Perl 5 Artistic 1.0 license (~ Artistic-1.0-Perl). Currently two of these are included in Fedora License Data: GPL-1.0-or-later OR Artistic-1.0-Perl and GPL-2.0-or-later OR Artistic-1.0-Perl.

This exception is designed to facilitate the use of these OR expressions in spec file License tags for Perl packages, a preference of Fedora Perl package maintainers and upstream Perl module maintainers despite the fact that Artistic-1.0-Perl is not-allowed. The normal rule in Fedora is that if a license grant is representable by an OR expression that includes an allowed license and a license that is not allowed, only the allowed license should be included in a spec file License tag.
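The file-naming rule and the AND/OR restriction described in this section can be checked mechanically. The following is an added example, not part of the Fedora License Data tooling; the function names are hypothetical, the sample entries are constructed, and it assumes the expression value has already been read from each TOML file.

```python
import re

# The two OR expressions this page names as present in Fedora License Data.
ALLOWED_OR = {
    "GPL-1.0-or-later OR Artistic-1.0-Perl",
    "GPL-2.0-or-later OR Artistic-1.0-Perl",
}

def operators(expression):
    """Operators used as whole tokens; 'WITH' inside an identifier does not count."""
    tokens = re.split(r"[\s()]+", expression.strip())
    return {t for t in tokens if t in ("AND", "OR", "WITH")}

def expected_filename(expression):
    """Base-name rule: internal whitespace is represented with an underscore."""
    return re.sub(r"\s+", "_", expression.strip()) + ".toml"

def check_entry(filename, expression):
    """Return the list of problems for one (file name, expression value) pair."""
    problems = []
    if filename != expected_filename(expression):
        problems.append(f"file name should be {expected_filename(expression)}")
    ops = operators(expression)
    if "AND" in ops:
        problems.append("AND expressions are not appropriate for Fedora License Data")
    if "OR" in ops and expression not in ALLOWED_OR:
        problems.append("OR expression is not one of the Perl dual-license exceptions")
    return problems

def audit(entries):
    """Map each failing file name to its problems; clean entries are omitted."""
    return {name: p for name, expr in entries if (p := check_entry(name, expr))}

# Constructed sample entries: (file name, value of its expression key).
SAMPLES = [
    ("MIT.toml", "MIT"),
    ("GPL-2.0-only_WITH_Linux-syscall-note.toml", "GPL-2.0-only WITH Linux-syscall-note"),
    ("GPL-1.0-or-later_OR_Artistic-1.0-Perl.toml", "GPL-1.0-or-later OR Artistic-1.0-Perl"),
    ("LicenseRef-GPL-2.0-or-later-WITH-UPX.toml", "LicenseRef-GPL-2.0-or-later-WITH-UPX"),
    ("Apache-2.0_OR_MIT.toml", "Apache-2.0 OR MIT"),
    ("Apache-2.0-WITH-LLVM-exception.toml", "Apache-2.0 WITH LLVM-exception"),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLES).items():
        print(name, "->", "; ".join(problems))
```
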

SPDX Matching Guidelines

SPDX License List identifiers are templates (specified in XML files maintained in the license-list-XML repository). Many of the XML files make use of regular expressions and designate portions of license text as optional. Multiple real-world license texts may match an SPDX identifier in a sense that is defined in detail in the matching guidelines contained in the SPDX specification. Not all of the matching guidelines are implemented in the XML files.

In using SPDX identifiers and LicenseRef- identifiers, Fedora aims to apply the SPDX matching guidelines to the extent they are meaningful or applicable to the Fedora context.

SPDX License Expressions in License Tags

A separate page provides a detailed discussion of the use of SPDX expressions in spec file License tags.