Tags: SPDX, Open Source, Licenses, Compliance, SBOM

SPDX Explained: License IDs and Compliance

SPDX (Software Package Data Exchange) guide: license IDs, SPDX-License-Identifier in code, compliance benefits, and exam questions.


schutzgeist

2 min read

This article defines the key terms around SPDX and includes short review questions, a practical example and tags for quick revision.

What is SPDX?

SPDX (Software Package Data Exchange) is an open standard to document license information, copyright notices and dependency data in software projects in a uniform and machine-readable manner.

Instead of free text, standardized license IDs from the SPDX License List are used (e.g. MIT, Apache-2.0, GPL-3.0-or-later).

Why is SPDX important in practice?

  • Compliance: less risk of license violations
  • Automation: scanner tools reliably detect licenses
  • SBOM/Supply Chain: SPDX is often used together with SBOMs
  • Legal certainty: clear license situation for handover/publication

Practical example: SPDX-License-Identifier in code

// SPDX-License-Identifier: MIT

Effect: Tools can automatically detect the license of this file without having to parse long license texts.

Advantages and disadvantages

Advantages

  • Standardized and internationally recognized
  • Machine-readable (for audits and CI/CD)
  • Better traceability when using open source

Disadvantages

  • Initial overhead (headers must be added and maintained consistently)
  • Multi-licensing can become complex

Typical exam questions (with short answer)

  1. What does SPDX stand for? Software Package Data Exchange.
  2. What is SPDX-License-Identifier? A machine-readable specification of a file’s license.
  3. Why is SPDX relevant for IHK exams? Software licensing and handover must be documented in a legally sound manner.
  4. How do you integrate SPDX into CI/CD? License scanners run in the build and fail on conflicts.
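The header from the practical example and the CI/CD check from question 4, as an added example that is not part of the original article: a small license gate that reads the SPDX-License-Identifier line from each file, evaluates simple OR/AND/WITH expressions against an allowlist, and exits non-zero so the build fails on a missing or disallowed license. The allowlist and the sample files are constructed for this example and are not a real policy.

```python
import re
# Constructed allowlist; a real policy comes from the SPDX License List plus legal requirements.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-or-later"}
# Header inside //, # or /* */ comments; the optional "*/" keeps a C comment closer out of the capture.
HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*([^*]+?)\s*(?:\*/)?\s*$")

def find_identifier(text: str, max_lines: int = 5):
    """Return the SPDX expression found in the first max_lines lines, or None."""
    for line in text.splitlines()[:max_lines]:
        m = HEADER_RE.search(line)
        if m:
            return m.group(1)
    return None

def expression_allowed(expression: str, allowed: set) -> bool:
    """Accept if at least one OR-alternative consists only of allowed IDs;
    AND/WITH parts must all be allowed (exceptions are treated like IDs).
    Parenthesised expressions are rejected so that they get manual review."""
    if "(" in expression or ")" in expression:
        return False
    for alternative in re.split(r"\s+OR\s+", expression):
        if all(i in allowed for i in re.split(r"\s+(?:AND|WITH)\s+", alternative)):
            return True
    return False

def check_file(path: str, text: str, allowed: set = ALLOWED):
    """Return a finding for this file, or None if it passes the policy."""
    expr = find_identifier(text)
    if expr is None:
        return f"{path}: missing SPDX-License-Identifier header"
    if not expression_allowed(expr, allowed):
        return f"{path}: '{expr}' is not permitted by the license policy"
    return None

def check_tree(files: dict) -> list:
    """Check a mapping of path -> content; an empty list means the build passes."""
    return [f for f in (check_file(p, t) for p, t in files.items()) if f]

# Constructed sample files (not from any real project).
SAMPLE_FILES = {
    "src/main.c": "// SPDX-License-Identifier: MIT\n#include <stdio.h>\n",
    "src/util.py": "#!/usr/bin/env python3\n# SPDX-License-Identifier: Apache-2.0 OR GPL-3.0-or-later\n",
    "src/legacy.c": "/* SPDX-License-Identifier: GPL-2.0-only */\n",
    "src/vendor.h": "/* no SPDX header at all */\n",
}

if __name__ == "__main__":
    findings = check_tree(SAMPLE_FILES)
    print("\n".join(findings) or "all files pass")
    raise SystemExit(1 if findings else 0)  # non-zero exit fails the CI job
```

In a real pipeline the file mapping would be built by walking the source tree, and the allowlist would be reviewed together with legal before it is enforced.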

Conclusion

SPDX is a practical standard to cleanly document licensing issues in projects – and is becoming increasingly important through automation in CI/CD.
