Software we package is always licensed and there are two places where the licenses are recorded in a package:
licensearray field in the package metadata, as specified in the PKGBUILD file
- Copies of the license text contained in the package, usually under
<prefix>/share/licenses/<real-package-name>/*. In some cases packages install their license files in different places though.
Guidelines for Specifying License Metadata
The license array field
- Values starting with
spdx:are SPDX license expressions. Example:
- Multiple values starting with
spdx:are treated as if they are combined with
('spdx:LGPL-2.1-only', 'spdx:MPL-1.1')is the same as
('LGPL-2.1-only OR MPL-1.1')
- Mixing of spdx values and other values is undefined
- Values not starting with
spdx:or starting with
custom:follow the Arch Linux rules.
- In case of a split package each package can have a different license field depending on the package content. The global license field is inherited by each split package but can be overridden there.
The license text files
In case the package provides one or more license text files, they can be
real-package-name is the package name without the environment specific prefix,
so in case of
mingw-w64-ucrt-x86_64-meson it is just
These guidelines are inspired by
Differences compared to Arch Linux
- Arch Linux doesn't use SPDX identifiers, but manages its own license list in a
This list is not very exhaustive and is missing various variants of common licenses
- Everything else is prefixed with
custom:name of license.
- It's unclear (does anyone know?) if multiple licenses mean that the package is available under either license or you must comply with both licenses.
Given the above shortcomings we use our own rules inspired by other packaging systems.
The package includes different components with different licenses, what should I do?
Let's say the package source is licensed under
Apache-2.0, there is a vendored
library that is licenses under
MIT, and there is documentation that is
You can set the license field to
spdx:Apache-2.0 AND MIT AND CC-BY-4.0.
In case the documentation is split out into a separate package then you can use
spdx:Apache-2.0 AND MIT for the main package and
spdx:CC-BY-4.0 for the
How can I specify a custom license in an SPDX expression that is not on the SPDX license list?
You can define your own license ID with the following format
idstring is allowed to contain
The projects is licensed under
GPL-2.0-or-later and only advertises that but contains
BSD code as well. Should I include them all?
We can't be expected to hunt down every license in every file of every project. In case the project says it's
GPL-2.0-or-later then it's fine to just use that.