SPDX License Expressions

This page provides an introduction to SPDX license expressions with a focus on how they are used in Fedora.


SPDX (Software Package Data Exchange) is a standard format for communicating the component and metadata information associated with software packages. The three aspects of SPDX that are most relevant to Fedora are:

  • The SPDX License List: Focusing on commonly found licenses and exceptions used in free/open or collaborative software, data and documentation, this list features standardized short identifiers for referring to licenses and exceptions.

  • The SPDX license expression grammar.

  • The SPDX matching guidelines: Multiple real-world license texts will "match" a given SPDX License List license or exception identifier in accordance with these guidelines.

Fedora uses SPDX license expressions primarily for two distinct though related purposes:

  • To classify and organize the data pertaining to allowed and not-allowed licenses, as maintained in the Fedora License Data repository and the Fedora license lists that are generated from it.

  • To populate License tags in spec files.

Types of SPDX License Expressions

SPDX License List Identifiers

Commonly called "SPDX identifiers", these are the short form identifiers contained in the SPDX License List. Examples: MIT, GPL-2.0-or-later.

Custom-defined License Identifiers (LicenseRef-)

A custom-defined license identifier (i.e., not contained in the SPDX License List) may be formed using the LicenseRef- prefix). Currently in Fedora License Data all LicenseRef- identifiers are defined specifically by Fedora (i.e., there is no use of LicenseRef- identifiers from other projects or organizations). Note that SPDX currently has no official system of namespacing for LicenseRef- identifiers.

Most Fedora LicenseRef- identifiers represent not-allowed licenses. Examples: LicenseRef-sun-rpc, LicenseRef-OpenMotif. However, some represent allowed licenses. Examples include the umbrella identifiers LicenseRef-Fedora-Public-Domain and LicenseRef-Fedora-UltraPermissive.

WITH Expressions

A compound SPDX expression may be formed by following an SPDX identifier with the WITH operator, followed by an exception identifier contained in the SPDX Exceptions List. This is intended to signify the supplementing of a license grant with a permissive exception or additional permission, which most commonly occurs with licenses in the GPL family. Some examples: GPL-2.0-or-later WITH Autoconf-exception-generic, Apache-2.0 WITH LLVM-exception.

In theory, WITH can also follow a LicenseRef- identifier, but there are no examples of this in Fedora License Data. (There is one unusual LicenseRef- that incorporates WITH in the identifier: LicenseRef-GPL-2.0-or-later-WITH-UPX.) SPDX 3.0 will add an AdditionRef- construct to the SPDX expression grammar, which will permit custom-defined identifiers that can follow WITH. WITH AdditionRef- expressions may be used for additional terms of all types, not just permissive exceptions.

OR Expressions

A compound SPDX expression may be formed by joining two SPDX expressions with the OR operator. This is intended to signify a choice of licenses. In FOSS, a choice of exactly two licenses is often called "dual licensing", although that term is sometimes used to refer to different concepts. Examples: Apache-2.0 OR MIT (a common form of licensing of Rust crates), MPL-1.1 OR GPL-2.0-or-later OR LGPL-2.1-or-later (historically known as the Mozilla tri-license).

AND Expressions

A compound SPDX expression may be formed by joining two SPDX expressions with the AND operator. This generally signifies that both sub-expressions apply to different parts of a file or package. Example: LGPL-2.1-or-later AND GPL-2.0-or-later AND MIT

+ Operator

The postfix + operator applied to an SPDX identifier signifies permission to use later versions of the license. Example: LPPL-1.3a+. Use of + is uncommon in Fedora License Data.

At the Free Software Foundation’s request, the use of + with GPL family license identifiers has been deprecated by SPDX in favor of the use of -only and -or-later identifier variants (for example, GPL-2.0-only and GPL-2.0-or-later).

SPDX License Expressions in Fedora License Data

Each item in Fedora’s lists of allowed and not-allowed licenses is an SPDX license expression that is associated with a specific TOML file in the data/ directory of the Fedora License Data repository. Each TOML file has an expression key whose value is a string containing an SPDX license expression. That SPDX expression forms the base name of the TOML file, except that internal whitespace is represented with an underscore. For example, the MIT.toml file contains expression = "MIT", and the GPL-2.0-only_WITH_Linux-syscall-note.toml file contains expression = "GPL-2.0-only WITH Linux-syscall-note".

AND expressions and, with one exception, OR expressions, are not appropriate for Fedora License Data. (They may, and commonly do, appear in spec file License tags.)

The exception is certain OR expressions representing a dual license that consists of a GPL-family license and the Perl 5 Artistic 1.0 license (~ Artistic-1.0-Perl). Currently two of these are included in Fedora License Data: GPL-1.0-or-later OR Artistic-1.0-Perl and GPL-2.0-or-later OR Artistic-1.0-Perl.

This exception is designed to facilitate the use of these OR expressions in spec file License tags for Perl packages, a preference of Fedora Perl package maintainers and upstream Perl module maintainers despite the fact that Artistic-1.0-Perl is not-allowed. The normal rule in Fedora is that if a license grant is representable by an OR expression that includes an allowed license and a license that is not allowed, only the allowed license should be included in a spec file License tag.

SPDX Matching Guidelines

SPDX License List identifiers are templates (specified in XML files maintained in the license-list-XML repository). Many of the XML files make use of regular expressions and designate portions of license text as optional. Multiple real-world license texts may match an SPDX identifier in a sense that is defined in detail in the matching guidelines contained in the SPDX specification. Not all of the matching guidelines are implemented in the XML files.

In using SPDX identifiers and LicenseRef- identifiers, Fedora aims to apply the SPDX matching guidelines to the extent they are meaningful or applicable to the Fedora context.

SPDX License Expressions in License Tags

A separate page provides a detailed discussion of the use of SPDX expressions in spec file License tags.