All notable changes to this project will be documented in this file.
- Snippets allow a portion of a file to be identified as having different properties from the file it resides within. The use of snippets is completely optional, and it is not mandatory for snippets to be identified;
- Improvements in referencing external packages and repositories; users can now associate packages with security vulnerability databases as well as component repositories, such as npm, maven, bower, among others; and
- A new appendix has been added to explain how to use SPDX License List identifiers in source files. An increasing number of open source projects are adding these short identifiers to code, as they allow anyone to quickly scan a directory of files to identify the licenses included. SPDX license identifier tags also eliminate common mistakes based on scanning headers to conclude the license of a source file
See also the SPDX specification 2.1 release announcement
- The new relationship view makes the SPDX standard more useful for a broader range of uses, including exchanging data about software and modules introduced throughout the supply chain. The improvements are said to ease the exchange of open source and license data, streamline compliance with open source licenses, and help vendors more easily identify obligations or security vulnerabilities before shipment.
- Descriptions of multiple packages in a single SPDX document, allowing aggregation of information that should be kept together
- Expanded annotations that include replacing “review” comments, available for any specific element in an SPDX document
- New license expression syntax with improved license matching guidelines, making the capture of complex licensing within a file easier and more reliable
- Additional file types and checksum algorithms with expanded file types, allowing for more precise identification of a file
- Support for referencing software pulled from version control systems, in addition to software served as downloads
See also the SPDX specification 2.0 release announcement
- A field to specify license list version and one to describe file dependencies
- More flexibility in locally naming non-standard licenses
- Clarity with respect to case sensitivity for existing fields
- Fields to document notices, project homepage and author credits
- The ability to identify and map standard license headers
See also the SPDX specification 1.2 release announcement
- Optional fields for including license names and cross references to license sites
- New comment fields added to capture important facts in the document, license, and file sections
- Expanded list of licenses, new short form identifiers for all licenses
See also the SPDX specification 1.1 release announcement
- The initial release
See also the SPDX specification 1.0 release announcement