Version 1.0

workshop: Using SPDX to discover the licenses in your code

Learning to report open source licenses with SPDX


In this talk we'll explain what SPDX from the Linux Foundation is and how it can be used for discovering and indexing the open source licenses inside your code.

SPDX stands for "Standard Package Data Exchange". This is a format proposed by the Linux Foundation to ease the way different tools communicate licenses with each other.

In practice, it is a text (or XML) document that keeps a list of all files inside a directory and lets you specify properties such as:
- Licenses declared inside the file
- Copyright assignments
- SHA1 signature of the file
- Other relevant details
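
As an added illustration (not the workshop tool's code), this Python example walks a directory and emits the per-file properties listed above in SPDX tag-value form. The license and copyright heuristics, the function names and the sample tree are assumptions of this example; a complete SPDX document also carries document and package header fields that are not shown.

```python
import hashlib
import os
import re
import tempfile

# Heuristics (assumptions of this example): a declared license is an
# "SPDX-License-Identifier:" tag, a notice is "Copyright [(c)] <year> ...".
LICENSE_TAG = re.compile(r"SPDX-License-Identifier:\s*([\w.+\-() ]+)")
COPYRIGHT = re.compile(r"Copyright\s+(?:\(c\)\s*)?\d{4}[^*\r\n]*", re.IGNORECASE)

def describe_file(root, rel_path):
    """Return the SPDX tag-value lines for one file below root."""
    with open(os.path.join(root, rel_path), "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="replace")
    # NOASSERTION: the heuristic found nothing, which is not proof of absence.
    licenses = sorted({m.strip() for m in LICENSE_TAG.findall(text)}) or ["NOASSERTION"]
    notices = [m.strip() for m in COPYRIGHT.findall(text)]
    lines = ["FileName: ./" + rel_path.replace(os.sep, "/"),
             "FileChecksum: SHA1: " + hashlib.sha1(data).hexdigest()]
    lines += ["LicenseInfoInFile: " + lic for lic in licenses]
    text_tag = "<text>" + "\n".join(notices) + "</text>" if notices else "NOASSERTION"
    lines.append("FileCopyrightText: " + text_tag)
    return lines

def describe_tree(root):
    """Walk root in sorted order and return the file entries as tag-value text."""
    blocks = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort makes the walk order deterministic
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # describe regular files only, never follow links
            blocks.append("\n".join(describe_file(root, os.path.relpath(full, root))))
    return "\n\n".join(blocks) + "\n"

def build_sample_tree():
    """Create a constructed two-file tree in a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="spdx-demo-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "hello.c"), "w", newline="\n") as fh:
        fh.write("/* SPDX-License-Identifier: MIT */\n"
                 "/* Copyright (c) 2014 Example Author */\n"
                 "int main(void) { return 0; }\n")
    with open(os.path.join(root, "README"), "w", newline="\n") as fh:
        fh.write("demo\n")
    return root

if __name__ == "__main__":
    print(describe_tree(build_sample_tree()), end="")
```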

Despite its usefulness as a licensing information format, it is not as well known as it should be. The result is that we lack a uniform manner of expressing licensing information between different people and tools, causing confusion (or simply a lack of better licensing details).

Some months ago we decided to put SPDX into practice and developed our own desktop tooling (released as Free Software under the EUPL) to create and read these documents with ease.

During our talk we'll present SPDX, give a summary of the key values that are interesting to keep in mind and give a demonstration of the tool in action.

Bring your laptop, suggest practical cases and we'll have a good session for questions and answers.