SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support
Standard format for communicating open source license and copyright information throughout supply chain ensures better, easier compliance
LINUXCON, Vancouver, B.C., August 17, 2011 – The SPDX workgroup, hosted by The Linux Foundation, today announced the release of version 1.0 of its Software Package Data Exchange (SPDX™) standard.
The SPDX standard helps facilitate compliance with free and open source software licenses by standardizing the way license information is shared across the software supply chain. SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses and copyrights, thereby streamlining and improving compliance.
SPDX was developed with participation by a wide range of industry and open source community heavyweights, including: Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Micro Focus, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River. Participants in the SPDX beta program included Antelink, HP, Motorola Mobility, Texas Instruments and Wind River.
“The SPDX 1.0 standard is an example of how open compliance and collaboration can enable the advancement of Linux and open source software,” said Jim Zemlin, executive director of The Linux Foundation. “We applaud the SPDX workgroup for its important work on providing a consistent way to report and view license information for software technology components, making it even easier for companies to maximize their investments in free and open source software.”
Most technology products today are assembled from multiple components that contain free and open source software, as well as commercial software; these components are created, delivered, and received by companies throughout the supply chain. Because of the distributed nature and complexity of the global software supply chain, it has become cumbersome and time-consuming for each organization to prepare the license information for these components in the multiple distinct formats prescribed by others in its supply chain.
By enabling communities and companies to provide license information in a common format that can be easily analyzed and shared, the SPDX standard helps to accelerate the adoption of Linux and other free and open source software across industries, including the consumer electronics marketplace, by easing the burden of compliance through transparent sharing of license information.
“Today we’re seeing collaboration among industry experts come to fruition in SPDX 1.0,” said Esteban Rockett, co-founder of SPDX and lead software counsel at Motorola Mobility (an SPDX beta participant). “Representatives from the community, vendors and companies that use open source have come together to deliver a standard, accompanied with tools, that will make it easier to determine and comply with license obligations in a software bill of materials. This reduces compliance anxiety and costs, and further accelerates the adoption of Linux and other free and open source software.”
“The announcement of the initial release of the SPDX standard is a welcome event, because SPDX is a crucial building block in an industry-wide system of automated license compliance administration,” said Eben Moglen, executive director of the Software Freedom Law Center. “The efforts of the SPDX workgroup will ultimately help to realize large cost savings for all parties making commercial use of embedded FOSS, as well as substantially increased assurance of license compliance for FOSS licensors.”
The SPDX standard defines a standard file format that lists detailed license and copyright information for a software package and each file it comprises. The SPDX community has also provided open source tools to convert SPDX files to and from spreadsheet formats.
Visit the SPDX website for more details on what is in the SPDX standard or to participate in the SPDX community: www.spdx.org.
A video overview of SPDX is available at http://www.linuxfoundation.org/programs/legal/compliance/webinars/introduction-to-spdx.
Widespread Industry Support for SPDX 1.0
By Linux_Foundation - August 16, 2011 - 9:50pm
Antelink
“SPDX gives us an easy way to get data about licenses in open source
projects,” said Guillaume Rousseau, CEO, Antelink. “As a participant in
the SPDX beta program, we have found the SPDX specification to be
simple, straightforward and easy to work with. We’re very happy to
support the SPDX efforts, and look forward to implementing SPDX 1.0 in
our search engine of open source files!”
Black Duck Software
“Black Duck’s mission is to enable open source adoption while automating
governance and compliance. SPDX is completely aligned with this
mission, and so from the outset, we have been eager to invest our
resources and expertise in the initiative,” said Phil Odence, vice
president of Business Development, Black Duck Software.
Canonical
“We look forward to the opportunity of working with upstream projects
using SPDX and/or DEP5 to make it easier to understand the licensing
associated with those projects,” said Kate Stewart, Ubuntu Release
Manager.
Debian
“Having a consistent way to describe licenses that’s shared by Debian’s
DEP5 and the SPDX working group will help the entire ecosystem provide
accurate licensing information for open source projects,” said Steve
Langasek, Debian DEP5 co-editor.
Fedora
“Fedora is pleased to have participated in the development of the SPDX
specification. SPDX will help shine a light on Free and Open Source
Software licensing,” said Tom “spot” Callaway, Fedora Engineering Manager.
HP
“Open source is an extremely valuable asset to HP and the technology
industry. With so many open source components throughout the software
supply chain, organizations need a common format to simplify their
license compliance efforts,” said Phil Robb, director, HP Open Source
Program Office. “By streamlining the process, the SPDX standard
addresses how license information is shared, while reducing the risks
and costs of compliance for organizations. This represents the next step
of industry-wide due diligence to ensure the ongoing success of open
source into the future by respecting the rights and wishes of its
authors.”
Micro Focus
“The broad adoption of SPDX by independent software vendors will
substantially reduce the overhead involved in open source adoption and
compliance,” said Thomas Incorvia, vice president of Product Licensing
at Micro Focus.
nexB Inc.
“SPDX 1.0 is a crucial first step toward establishing the processes and
tools that will support the application of supply chain best practices
to component-based software development,” said Michael Herzog, CEO of
nexB Inc. “It will assist organizations of all sizes and types in their
efforts to comply with open source license obligations, and it also
provides a solid building block for managing other types of software
license data in the future.”
OpenLogic
“As we work with enterprises to help them comply with open source
licenses, one of the challenges they face is getting a complete
understanding of what open source licenses are included in their
products. SPDX will provide an important step forward by standardizing
the way that license information is communicated and sharing that
information across the software supply chain,” said Kim Weins, senior
vice president of Marketing at OpenLogic. “Our audit and scanning tools
will support the SPDX spec to help automate these compliance processes.”
OSI
“We applaud the work of the SPDX working group on helping to simplify
and standardize references to software licenses and build on the naming
work that OSI’s volunteers were already doing. OSI has already adopted
SPDX in the definitive list of licenses at
http://opensource.org/licenses,” said
Michael Tiemann, president, the Open Source Initiative (OSI). “The SPDX
workgroup has leveraged more than a decade of the work at OSI in
reviewing licenses for their impact on software freedom. By using the
SPDX set of standard short-form license names, the entire open source
ecosystem will be able to communicate in a consistent manner, especially
to identify and avoid code under SPDX-identified licenses that are not
OSI-approved.”
Protecode
“SPDX will enable more organizations to freely use open source software
in their products and streamline the license compliance process. Having a
standard in place will benefit both the Linux and open source
communities as a whole. All of our System 4 products will fully support
SPDX 1.0,” said Kamal Hassin, VP of Product Management, Protecode.
Source Auditor
“Source Auditor is pleased to be a contributor to SPDX specification and
tools,” said Gary O’Neall, CEO of Source Auditor. “By incorporating
SPDX into our processes and tools, we will enable our customers and
their suppliers to reduce the cost and complexity of complying with open
source license obligations.”
Texas Instruments
“SPDX is a great resource that allows TI to understand all licensing
information for the open source components of our software packages,”
said Jack Manbeck, manager, Open Source Review Board, TI. “TI is
committed to providing customers with full knowledge of all components
included in TI software packages and assuring compliance with all
applicable open source licenses. SPDX enables us to do this quickly,
efficiently and cost-effectively.”
Wind River
“SPDX is another step towards advancing Linux and open source software
in embedded markets,” said Paul Anderson, vice president of marketing
and strategy for Linux products at Wind River. “As an active participant
in both the SPDX workgroup and Beta program, Wind River has developed a
strong understanding and appreciation of how SPDX can benefit embedded
device vendors. SPDX can ease compliance by standardizing the way
license and copyright information is shared across the entire supply
chain.”
About SPDX
The Software Package Data Exchange® (SPDX™) specification is a standard
format for communicating the components, licenses and copyrights
associated with a software package. The SPDX community is a workgroup
sponsored by The Linux Foundation and associated with FOSSBazaar. The
specification has been adopted as one of the key elements of the Linux
Foundation’s Open Compliance Program. Further, the SPDX naming
conventions are now in use at the industry’s repository of record for
open source licenses, maintained by the Open Source Initiative at http://opensource.org/licenses.
The SPDX specification itself is under the Creative Commons Attribution
License 3.0. For more information about SPDX, please visit: http://spdx.org/about/spdx.
About The Linux Foundation
The Linux Foundation is a
nonprofit consortium dedicated to fostering the growth of Linux. Founded
in 2007, the organization sponsors the work of Linux creator Linus
Torvalds and promotes, protects and advances the Linux operating system
by marshaling the resources of its members and the open source
development community. The Linux Foundation provides a neutral forum for
collaboration and education by hosting Linux conferences, including LinuxCon, and generating original Linux research and content that advances the understanding of the Linux platform. Its web properties, including Linux.com, reach approximately two million people per month. The organization also provides extensive Linux training opportunities that feature the Linux kernel community’s leading experts as instructors. Follow The Linux Foundation on Twitter.
Trademarks: The Linux Foundation and SPDX are trademarks of The Linux Foundation. Linux is a trademark of Linus Torvalds.