What is an SPDX identifier and where would you use it?
SPDX (Software Package Data Exchange) identifiers are standardised short strings for license identification. Examples:
MIT — the MIT License
Apache-2.0 — Apache License 2.0
GPL-3.0-only — GNU GPL v3 only (not later versions)
GPL-3.0-or-later — GPL v3 or any later version
They appear in: SPDX file headers (SPDX-License-Identifier: MIT), package.json "license" fields, SBOM (Software Bill of Materials) documents, and REUSE-compliant projects.
2 / 5
A source file contains the header: SPDX-License-Identifier: Apache-2.0. What does this mean?
The SPDX-License-Identifier tag in a file header identifies the license for that specific file. In multi-license projects (e.g., core code under GPL-3.0, documentation under CC-BY-4.0, configuration files under MIT), each file carries its own SPDX tag. This is the basis of the REUSE specification — machine-readable, per-file license declarations. The tag does not imply anything about the rest of the repository.
3 / 5
Which SPDX expression correctly represents code that can be used under either the MIT License or the Apache-2.0 License (user's choice)?
"MIT OR Apache-2.0" is correct. SPDX compound license expressions use:
OR — licensee can choose either license (common for dual-licensing: "take it under MIT or Apache, your choice")
AND — both licenses apply simultaneously (rare; used when a file combines components under different licenses that must all be respected)
WITH — a license with a specific exception added
The Rust ecosystem uses "MIT OR Apache-2.0" widely. "MIT + Apache-2.0" and "MIT / Apache-2.0" are not valid SPDX syntax.
4 / 5
What is the purpose of the REUSE specification in relation to SPDX identifiers?
REUSE (reuse.software) defines a practical process for making copyright and licensing information machine-readable. The spec requires:
SPDX-License-Identifier tag in every source file (or in a .license sidecar file)
SPDX-FileCopyrightText tag with the copyright statement
License text files stored in a LICENSES/ directory at the project root, named by SPDX identifier (e.g., LICENSES/MIT.txt)
Projects can be checked for compliance with the reuse tool's lint command (reuse lint). This matters for SBOM generation, open-source compliance audits, and contributing to projects that require REUSE compliance.
5 / 5
A package.json contains "license": "GPL-3.0-only". How does this differ from "GPL-3.0-or-later"?
The difference matters for future GPL versions.
GPL-3.0-only — the code is available under GPL version 3 only. If a GPL v4 is released, this code cannot be used under v4 unless the copyright holder explicitly grants that permission.
GPL-3.0-or-later — the code is available under GPL v3 or any later version the FSF publishes. Recipients can choose to accept the terms of a later GPL version.
The old notation "GPL-3.0+" is equivalent to "GPL-3.0-or-later" (SPDX deprecated the "+" form). When in doubt about which to use: "GPL-3.0-or-later" gives more flexibility to downstream users; "GPL-3.0-only" gives copyright holders more control.