SPDX Version 2.0
Version 2.0 is a fairly major change, taking the specification from the paradigm of self-standing SPDX docs to systems of related SPDX docs, enabling definitions of hierarchy and other relationships between pieces of software. This extends the scope beyond the package level and enhances it to better address the needs of multi-party software supply chains and other key identified use cases. With the modularity of 2.0 also comes the ability to track the revision history and verify creator and reviewer data for component SPDX docs. And, although it is unlikely to make the 2.0 release, the team is anticipating the inclusion of license and copyright information below the file level at the patch or snippet level.
The SPDX group encourages anyone interested in working with SPDX to start with the current 1.2 version. Every data element in the SPDX 1.2 specification will have a home in the SPDX 2.0 specification. It is possible that some data elements will be moved, if it is determined that a different home is appropriate. Version 1.2 users may find that new homes are available for content that previously fit only in Comment fields.
This 2.0 version is being actively worked on, and the goal is to have a draft in March and a final version in August. A series of use cases has been created, and work is under way to verify concepts against those use cases. The SPDX Tech Team welcomes participation from anyone interested and invites interested parties to join. To track progress and see the use cases, models, discussion and revisions of the 2.0 spec, visit the SPDX wiki and join the mailing list.