SPDX Licensing

Packages published through df-cli must declare their license using an SPDX license expression. SPDX (Software Package Data Exchange) is an industry standard for communicating software licenses in a machine-readable format. Using standardized identifiers removes ambiguity and makes it straightforward for consumers to understand what they are allowed to do with a package.

Declaring a License

Licenses are declared in the package section of the workspace .sws file:

{
  "package": {
    "license": "MIT",
    "licenseFile": "LICENSE.txt"
  }
}

The license field contains an SPDX license expression. The optional licenseFile field points to a full license text file relative to the workspace root.

SPDX License Identifiers

An SPDX license identifier is a short, standardized string that uniquely identifies a license. Some common examples:

Identifier	License
`MIT`	MIT License
`Apache-2.0`	Apache License 2.0
`GPL-3.0-only`	GNU General Public License v3.0 only
`GPL-3.0-or-later`	GNU General Public License v3.0 or later
`BSD-2-Clause`	BSD 2-Clause "Simplified" License
`BSD-3-Clause`	BSD 3-Clause "New" or "Revised" License
`ISC`	ISC License
`MPL-2.0`	Mozilla Public License 2.0
`LGPL-3.0-only`	GNU Lesser General Public License v3.0 only
`0BSD`	BSD Zero Clause License
`Unlicense`	The Unlicense

The full list of recognized identifiers is maintained by the SPDX project at spdx.org/licenses. df-cli ships with a built-in copy of this list and validates expressions against it at build time.

SPDX Expressions

License expressions go beyond single identifiers to describe more complex licensing situations using operators.

`OR` — Dual Licensing

When a package is available under a choice of licenses, use OR. The consumer may choose whichever license suits them.

MIT OR Apache-2.0

This means: "You may use this package under the terms of MIT or Apache-2.0, at your option."

`AND` — Combined Licensing

When different parts of a package are covered by different licenses and both apply simultaneously, use AND.

MIT AND BSD-2-Clause

This means: "You must comply with both MIT and BSD-2-Clause."

`WITH` — License Exceptions

Some licenses have standard exceptions that modify their terms. Attach an exception with WITH.

GPL-2.0-only WITH Classpath-exception-2.0

This means: "GPL 2.0 applies, but with the Classpath exception that allows linking without requiring the linked code to be GPL."

The list of recognized exceptions is also maintained by SPDX and is built into df-cli.

Parentheses — Grouping

Use parentheses to control precedence in complex expressions.

(MIT OR Apache-2.0) AND BSD-3-Clause

Operator precedence (low to high): OR, AND, WITH.

Custom Licenses

If your package uses a license that is not in the SPDX list, you can declare a custom license reference:

{
  "package": {
    "license": "LicenseRef-MyCompanyLicense",
    "licenseFile": "LICENSE.txt"
  }
}

Custom license identifiers must start with LicenseRef-. When using a custom license, the licenseFile field is required — since the license is not standardized, consumers need access to the full text.

df-cli will warn if you combine custom licenses with standard licenses using AND, as this can create confusing compliance requirements. Prefer using OR when offering a choice between a standard and a custom license, or use a single custom license reference.

Validation

df-cli validates the license expression at several points:

When reading the workspace — The expression is parsed and checked against the built-in SPDX license and exception lists. Invalid identifiers or malformed expressions produce a warning.
When packing (df-cli package pack) — A valid SPDX-compliant license is required. Packing will fail if the license is missing or invalid.
When pushing (df-cli package push) — The license is displayed for confirmation before publishing. The package repository stores the license expression as part of the package metadata.

What Happens with Invalid Licenses

Situation	Behavior
Empty license	Treated as `NOASSERTION` in metadata. Blocks packing.
Unknown identifier (e.g. `INVALID-LICENSE`)	Parse error. `spdxCompliantLicense` set to `false`. Blocks packing.
Custom license without `licenseFile`	Warning during config load. Blocks packing.
Complex custom + standard AND expression	Warning recommending simplification.

Browsing Package Licenses

All packages published to the DataFlex package repository are browsable at packages.dataflex.dev. Each package listing shows its declared license, making it easy to review licensing before adding a dependency. The df-cli package details command also displays the license for any package.

Choosing a License

If you are unsure which license to choose:

MIT or Apache-2.0 — Permissive licenses that allow almost any use. MIT is simpler; Apache-2.0 includes an explicit patent grant.
GPL-3.0-or-later — Copyleft license that requires derivative works to also be open source under GPL.
BSD-2-Clause — Very permissive, similar to MIT but with slightly different wording.
LicenseRef-Proprietary — For closed-source packages. Requires a licenseFile with your terms.

For a detailed comparison, see choosealicense.com.