Last month, the Joint Development Foundation (JDF), which became part of the Linux Foundation family in 2019, was recognized as an ISO/IEC JTC 1 PAS (“Publicly Available Specification”) submitter. With that recognition, Linux Foundation can put forward specifications to JTC 1 for national body approval and international recognition. Once JTC 1 approves a PAS submission, it becomes an international standard. Also in May, the JDF announced that The OpenChain Specification was the first specification submitted for JTC 1 review for recognition as an international standard.
The Linux Foundation today announced that the latest SPDX release (version 2.2) is the second specification to be submitted through the JDF to ISO/IEC JTC 1 for approval. In brief, the Software Package Data Exchange (SPDX) is an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance. The first version of the SPDX specification was 10 years ago, and it has continued to improve and evolve to support the automation of more software bill of materials information over the years.
SPDX serves to verify the accuracy software bill of materials information metadata which is important both from a security and compliance standpoint. Consider that there are millions of open source software projects (34m open repositories are on GitHub alone) making it hard to know which are most critical, who created them and what are their security vulnerabilities? SPDX plays an important role in building more trust and transparency in how software is created, distributed and consumed. While many consider SPDX a defacto standard already, JTC1 certification will encourage accelerated adoption and acceptance on a global scale.
“The SPDX specification has played a vital role over the last 10 years in enabling open source adoption and establishing a foundation for automating compliance,” said Jim Zemlin. “Through the submission to the ISO/IEC JTC 1 by JDF, we are hopeful that it can become a accepted international standard that addresses how open source metadata information is shared, while reducing the risks and costs of compliance for organizations.”