Software Project Data Exchange SPDX(R)
SPDX is a set of standards for communicating the components, licenses, and copyrights associated with software. The open adoption permitted by the BSD license is one of FreeBSD's strongest points so it is convenient for the project to facilitate the use of tooling and standards that make our licensing information clearer.
Introductory Information
A guide to using the license identifiers can be found in the SPDX specification, in particular appendix V.
There is an FAQ that provides a few additional details.
David Wheeler put together an SPDX tutorial.
If you want to programmatically access the license metadata – see the related article.
In terms of tools, there is a license grader that will scan source code and report how well the licenses are documented. It is relatively new, so it may have a few “rough edges”.
There is a variety of tools sponsored by SPDX. Gary O'Neall maintains the Java tools, but there are also Python tools being maintained as well.
Another good resource is the mailing lists for SPDX. The Legal team is responsible for maintaining the license list and the license matching guidelines. The Technical team works on the spec and tooling. The mailing lists can be found in the pages for each of the teams.
Progress
Other projects are in early adoption stages and some seem happy replacing the license text with License tags. For FreeBSD that approach is not reasonable. Here are some guiding principles:
- The tags are only advisory and not a replacement for official licensing information.
- ID tags shall not be mandatory: we will not impose them on "contrib" software.
Since the tags can be compound (OR or AND), the tags should go before any copyright or license text. Ideally at the start of the first licensing comment. This differs a little from other projects where the tags are placed after the copyrights.
Advances
The Preferred License committers guide now includes an SPDX License tag for new files.
Some years ago we did a license audit by using access to a tool kindly provided by Wind River.
- License tags are being adopted by stages: the first stage included files under a BSD-4-Clause License, followed by the BSD-3-Clause and finally a mixed bag with the majority of the BSD-2-Clause and its variants was committed. This doesn't mean we have finished but a lot is covered. About 9000 files are already covered.
- Now we have to start looking branch by branch identifying the files where we don't have license information or where it has been tagged wrongly.
- Many of the older 4-Clause and 3-Clause files, especially those that come from the other BSDs, are likely to have updates available.