| SPDX spec standardizes open source compliance reporting |
Aug. 18, 2011
 The Linux Foundation's SPDX workgroup announced the first release of a standard for sharing open source license information. The Software Package Data Exchange (SPDX) 1.0 standard, part of the foundation's Open Compliance Program, provides a common format for sharing data about software components, licenses, and copyrights.
At last August's LinuxCon conference, which returned again yesterday in Vancouver, BC, the Linux Foundation (LF) announced an Open Compliance Program to help companies comply with open source licenses. Specific projects included training, consulting, a self-assessment checklist, and tools for dependency checking, BoM analysis, and code clean-up.
A promised centerpiece of the program was a standard format for reporting software licensing information called Software Package Data Exchange (SPDX). Based on work previously underway at the FOSSBazaar community, the SPDX workgroup has now released version 1.0 of the spec under the Creative Commons Attribution License 3.0.
Participants in the SPDX working group include Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River. A smaller group was said to be involved in the SPDX beta program: Antelink, HP, Motorola Mobility, Texas Instruments, and Wind River.
Most of the organizations supplied testimonial quotes, a few of which are reproduced in part below, with several suggesting specific implementations in products ranging from commercial search engines to in-house compliance systems.
Meanwhile, the SPDX naming conventions have already been adopted by the Open Source Initiative (OSI) for its repository of records for open source licenses..
Taming the compliance beast
Due to the complexity of today's multi-component software, exacerbated by a distributed, global software supply chain, organizations are finding it time consuming to prepare license information for software components in software bill of materials and other documents, says the LF. The task is said to be further complicated by all the distinct formats and terms used to describe components throughout the supply chain.
SPDX provides component, license, and copyright information in a common format, making it easier for companies to comply with open source licenses by sharing information, says the LF. The standard is said to define a standard file format for a software package and each file it comprises. The SPDX community, meanwhile, offers open source tools for converting SPDX files to and from spreadsheet formats, says the LF.
Compatibility with Debian DEP-5
Although the LF doesn't state it explicitly, SPDX appears to be compatible with the somewhat similar, but Debian-specific DEP-5 standard, also referred to as DEP5. The DEP-5 site alludes to this, as do several of the testimonial quotes from supporters, including one from Steve Langasek, Debian DEP-5 co-editor.
"Having a consistent way to describe licenses that's shared by Debian's DEP5 and the SPDX working group will help the entire ecosystem provide accurate licensing information for open source projects," stated Langasek.
Stated Esteban Rockett, co-founder of SPDX and lead software counsel at Motorola Mobility, "Today we're seeing collaboration among industry experts come to fruition in SPDX 1.0. This reduces compliance anxiety and costs, and further accelerates the adoption of Linux and other free and open source software."
Stated Eben Moglen, executive director of the Software Freedom Law Center, "The efforts of the SPDX workgroup will ultimately help to realize large cost savings for all parties making commercial use of embedded FOSS, as well as substantially increased assurance of license compliance for FOSS licensors."
Stated Jim Zemlin, executive director of The Linux Foundation, "We applaud the SPDX workgroup for its important work on providing a consistent way to report and view license information for software technology components."
Availability
SPDX 1.0 is available now. More information may be found at the LF's SPDX site. A Linux Foundation webinar video on SPDX from Phil Odence, the Vice President of Business Development at Black Duck Software, may be found here.
Related Stories:
(Click here for further information)
|
|
|
|
|
|
|
|
