OPEN SOURCE HACKS: ONE QUESTION INTERVIEWS WITH OPEN SOURCE EXPERTS - How to Use SPDX Headers
This blog series aims to share simple philosophies, insights, tips, and tricks that can have a positive impact on you and your projects. Each blog features a guest expert providing their thoughts on one open source question. Here we once again turn to Intel’s Jessica Marz to answer the question:
How do you (Successfully) use SPDX headers in your project?
Software Package Data Exchange (SPDX) is a set of standards for communicating the components, licenses, and copyrights associated with open source software. SPDX provides a common format for companies and communities alike to provide important data about software licenses and copyrights, thereby streamlining and improving compliance.
Enabling data to be shared in a common format, SPDX reduces redundant compliance tasks all along the software supply chain. The specification is developed and managed by the SPDX workgroup, which is hosted by the Linux Foundation. Representatives from more than 20 organizations participate in the workgroup.
SPDX license identifiers are standardized, abbreviated names of commonly found licenses and exceptions used in free and open source as well as other collaborative software or documentation. Should you use them? Absolutely, if you like to make your life easier!
SPDX license identifiers are standardized, so they enable easy and efficient identification of licenses and exceptions in source files, in an SPDX document, or elsewhere. By referencing the short SPDX license identifier, developers can quickly refer to a license without having to redundantly reproduce the full license text in their individual source code files.
So, a header that in the past would have had to look like this:
Can now look like this:
Beyond brevity, the SPDX license identifier has other advantages:
- Precision: there is no ambiguity due to variations in hand-typed license header text
- Automation: easy to machine process (yay! for assisting with compliance automation)
Using SPDX license identifiers is easy. Just place them in your source code files! Convention is to place your copyright statement on the first line, then the SPDX license identifier below it. That’s it! Then at the top level of your repo, include a copy of the full license text.
Caution: one thing you never, ever want to do is edit the license header of a file if you aren’t the copyright holder. As much as you might want to help ‘clean up’ a file by replacing the license text with an SPDX license identifier, don’t touch it if the file isn’t ‘yours’.
When not to use SPDX license identifiers. Follow the norms of the particular project community where the contribution is being made. If you are contributing to an open source project that does not use SPDX license identifiers, consult with the upstream project maintainer before introducing patches containing SPDX license identifiers.
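As an added example (not from the article, Intel, or the SPDX project), here is a small Python checker for the compliance-automation angle above: it applies the convention of copyright on the first line and the SPDX identifier beneath it across several comment styles, validates the license expression against a constructed approved list, and only reports, never rewriting a header that may not be yours.

```python
import re

# Constructed approved list for a hypothetical project (not from the article);
# a real checker would validate against the full SPDX license list.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-2.0-or-later"}
ALLOWED_EXCEPTIONS = {"LLVM-exception", "GCC-exception-3.1"}
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->)?\s*$")
COPYRIGHT = re.compile(r"copyright|\(c\)", re.IGNORECASE)
COMMENT_PREFIX = re.compile(r"^\s*(?:#|//|/\*|\*|--|;|<!--)+\s*")

def _strip_comment(line):
    """Drop leading comment syntax so one check covers C, Python, SQL, HTML, etc."""
    return COMMENT_PREFIX.sub("", line).strip()

def check_header(text, max_lines=5):
    """Report on the copyright-then-SPDX convention in the first max_lines lines.
    Read-only by design: it flags files, it never rewrites someone else's header."""
    lines = [_strip_comment(l) for l in text.splitlines()[:max_lines]]
    result = {"copyright_first": False, "spdx": None, "problems": []}
    if not lines:
        result["problems"].append("empty file")
        return result
    result["copyright_first"] = bool(COPYRIGHT.search(lines[0]))
    if not result["copyright_first"]:
        result["problems"].append("first line is not a copyright statement")
    expr = next((m.group(1) for m in map(SPDX_TAG.search, lines) if m), None)
    if expr is None:
        result["problems"].append("no SPDX-License-Identifier tag in header")
        return result
    result["spdx"] = expr
    # Walk a license expression such as "GPL-2.0-only WITH LLVM-exception" or
    # "MIT OR Apache-2.0"; the token after WITH must be an exception identifier.
    expect_exception = False
    for tok in (t.strip("()") for t in expr.split()):
        if tok in ("AND", "OR", "WITH"):
            expect_exception = tok == "WITH"
            continue
        pool = ALLOWED_EXCEPTIONS if expect_exception else ALLOWED_LICENSES
        if tok not in pool:
            result["problems"].append(f"'{tok}' is not an approved SPDX identifier")
        expect_exception = False
    return result

# Constructed sample headers (not real project files).
SAMPLES = {
    "good_c": "/* Copyright (c) 2020 Example Corp.\n * SPDX-License-Identifier: GPL-2.0-only WITH LLVM-exception\n */\n",
    "good_py": "# Copyright 2021 Jane Doe\n# SPDX-License-Identifier: MIT OR Apache-2.0\n\nimport os\n",
    "ambiguous": "// SPDX-License-Identifier: GPL\n// Copyright 2019 Someone\n",
    "missing": "#include <stdio.h>\nint main(void) { return 0; }\n",
}
```

Run `check_header(SAMPLES["ambiguous"])` to see both the ordering problem and the bare `GPL` tag flagged; a bare `GPL` is exactly the hand-typed ambiguity the identifiers are meant to remove.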
Links to helpful resources. Want more information? Check out these links.
About the Author
Jessica Marz works in the Open Source Technology Center at Intel Corporation and has been involved in software legal compliance since becoming licensed to practice law. In her current role, she is responsible for defining and managing Intel’s corporate Open Source Software policies and practices. She explains legal stuff to software developers, and software development stuff to lawyers.