SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support
Standard format for communicating open source license and copyright information throughout supply chain ensures better, easier compliance
LINUXCON, Vancouver, B.C., August 17, 2011 – The SPDX workgroup, hosted by The Linux Foundation, today announced the release of version 1.0 of its Software Package Data Exchange (SPDX™) standard.
The SPDX standard helps facilitate compliance with free and open source software licenses by standardizing the way license information is shared across the software supply chain. SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses and copyrights, thereby streamlining and improving compliance.
SPDX was developed with participation by a wide range of industry and open source community heavyweights, including: Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Micro Focus, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River. Participants in the SPDX beta program included Antelink, HP, Motorola Mobility, Texas Instruments and Wind River.
Click here to see comments in support of the SDPX 1.0 release.
“The SPDX 1.0 standard is an example of how open compliance and collaboration can enable the advancement of Linux and open source software,” said Jim Zemlin, executive director of The Linux Foundation. “We applaud the SPDX workgroup for its important work on providing a consistent way to report and view license information for software technology components, making it even easier for companies to maximize their investments in free and open source software.”
Most technology products today are assembled from multiple components that contain free and open source software, as well as commercial software; these components are created, delivered, and received by companies throughout the supply chain. Because of the distributed nature and complexity of the global software supply chain, it has become cumbersome and time consuming for each organization to prepare the license information for these components in the multiple distinct formats prescribed by others in their supply chain.
By enabling communities and companies to provide license information in a common format that can be easily analyzed and shared, the SPDX standard helps to accelerate the adoption of Linux and other free and open source software across industries, including the consumer electronics marketplace, by easing the burden of compliance through transparent sharing of license information.
“Today we’re seeing collaboration among industry experts come to fruition in SPDX 1.0,” said Esteban Rockett, co-founder of SPDX and lead software counsel at Motorola Mobility (an SPDX beta participant). “Representatives from the community, vendors and companies that use open source have come together to deliver a standard, accompanied with tools, that will make it easier to determine and comply with license obligations in a software bill of materials. This reduces compliance anxiety and costs, and further accelerates the adoption of Linux and other free and open source software.”
“The announcement of the initial release of the SPDX standard is a welcome event, because SPDX is a crucial building block in an industry-wide system of automated license compliance administration,” said Eben Moglen, executive director of the Software Freedom Law Center. “The efforts of the SPDX workgroup will ultimately help to realize large cost savings for all parties making commercial use of embedded FOSS, as well as substantially increased assurance of license compliance for FOSS licensors.”
The SPDX standard defines a standard file format that lists detailed license and copyright information for a software package and each file it comprises. The SPDX community has also provided open source tools to convert SPDX files to and from spreadsheet formats.
Visit the SPDX website for more details on what is in the SPDX standard or to participate in the SPDX community: www.spdx.org.
A video overview of SPDX is available at http://www.linuxfoundation.org/programs/legal/compliance/webinars/introduction-to-spdx.
The Software Package Data Exchange® (SPDX™) specification is a standard format for communicating the components, licenses and copyrights associated with a software package. This SPDX Community is a workgroup sponsored by The Linux Foundation and associated with FOSSBazaar. The specification has been adopted as one of the key elements of the Linux Foundation’s Open Compliance Program. Further, the SPDX naming conventions are now in use at the industry’s repository of record for open source licenses, maintained by the Open Source Initiative at http://opensource.org/licenses. The SPDX specification itself is under the Creative Commons Attribution License 3.0. For more information about SPDX, please visit: http://spdx.org/about/spdx.
About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system by marshaling the resources of its members and the open source development community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Linux conferences, including LinuxCon, and generating original Linux research and content that advances the understanding of the Linux platform. Its web properties, including Linux.com, reach approximately two million people per month. The organization also provides extensive Linux training opportunities that feature the Linux kernel community’s leading experts as instructors. Follow The Linux Foundation on Twitter.
Trademarks: The Linux Foundation and SPDX are trademarks of The Linux Foundation. Linux is a trademark of Linus Torvalds.