Learn


Overview

This page is designed to give you an overview of SPDX. You should learn a bit about who we are, why we do this, and why SPDX is part of the solution.

For the basic overview read on.



What is SPDX?

First and foremost, we are a community dedicated to solving the issues and problems around Open Source licensing compliance. The SPDX work group consists of individuals and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds, including open source developers, lawyers, consultants and business professionals, many of whom have been involved with license compliance and identification for years.

As part of this effort, the SPDX community has developed a set of collateral that can be used to convey complete license information more clearly, in a standard and reusable fashion, and to facilitate compliance. The advantages of this are:

  • Establishing a common data format (SPDX Documents) as a standard allows more effort to be spent on license compliance itself. After all, license compliance can only begin once all software and associated licenses have been identified in a particular code base.
  • The content of an SPDX document comprises, among other things, information definitively identifying the software package, and package level and file level licensing and copyright information. It also provides metadata about the analysis itself: who created the file, when, and how.
  • Standard formats allow for tooling to be created to make the process more efficient and to allow more complex compliance operations to take place.
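As an added illustration of the facts an SPDX document carries (not code from the SPDX project or this page), the following Python reads a small document written in SPDX 2.x tag-value syntax and pulls out the package identity, the package- and file-level license and copyright facts, and the creation metadata (who, when and how), then uses that data for one simple check: files whose concluded license differs from the package-level conclusion. The sample document, the tool name, the person and the dates are constructed for the example.

```python
# Added example (not the SPDX project's own code): parse a small SPDX 2.x tag-value
# document into the facts the page lists, then compare file and package licensing.
import re
# Constructed sample in SPDX 2.x tag-value syntax; names and dates are made up.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
Creator: Tool: hypothetical-scanner-0.1
Creator: Person: Jane Doe
Created: 2024-01-15T10:00:00Z

PackageName: example-lib
SPDXID: SPDXRef-Package
PackageLicenseConcluded: MIT
PackageCopyrightText: <text>Copyright 2024 Example Authors</text>

FileName: ./src/util.c
SPDXID: SPDXRef-File-util
LicenseConcluded: MIT
FileCopyrightText: <text>Copyright 2024 Example Authors</text>

FileName: ./src/vendor/blob.c
SPDXID: SPDXRef-File-blob
LicenseConcluded: GPL-2.0-only
FileCopyrightText: NOASSERTION
"""
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
def parse_tag_value(text):
    """Return (document info, packages, files); Creator is multi-valued."""
    doc, packages, files = {"Creator": []}, [], []
    current = doc  # the section currently being filled in
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # blank line or comment
        tag, value = m.group(1), re.sub(r"^<text>(.*)</text>$", r"\1", m.group(2))
        if tag in ("PackageName", "FileName"):  # a new section starts here
            current = {}
            (packages if tag == "PackageName" else files).append(current)
        if tag == "Creator":
            doc["Creator"].append(value)
        else:
            current[tag] = value
    return doc, packages, files

def license_mismatches(packages, files):
    # Files whose concluded license differs from every package-level conclusion.
    concluded = {p["PackageLicenseConcluded"] for p in packages}
    return [f["FileName"] for f in files if f["LicenseConcluded"] not in concluded]
```

The check is deliberately minimal: it only surfaces which file-level findings disagree with the package-level conclusion, which is the kind of fact an SPDX document lets a recipient verify rather than take on trust.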

Here are some key facts:

  • It’s a Standard
    • A standard format for communicating the components, licenses and copyrights associated with a software package.
    • Key pillar in Linux Foundation’s Open Compliance Program
    • We have developed several pieces of collateral over the years to help solve the problem: The SPDX License List, the SPDX Specification and Source Identifiers for code.
  • Our Guiding principles
    • Human and machine readable formats
    • Focus on capturing facts; avoid interpretations
  • Our Vision
    • To help reduce redundant work in determining software license information and to facilitate compliance



Why is it needed?

Look at the figure below. Does this seem familiar?


As a company you are often faced with:

  • Surprises with the licensing of the software and binaries given to you by suppliers.
  • The need to develop your own Bill of Materials for suppliers to fill out (as there has been no standard until now).

As a supplier you are often faced with:

  • Every customer wants a bill of materials in a different form.
  • Surely this open source package has been analyzed before.

These are unsustainable models on both ends.

That Bill of Materials is SPDX, which is part of the solution.

Is this Really Important?


We think so, and we work in this field. In 2013 the SPDX community conducted a survey of organizations and people to see what they thought as well. The results of that survey (see the figure below) were that most people and organizations polled believe this to be important or very important.



Who is Using It?

As with other standards, adoption is often slower than expected, but interest is certainly on the rise from both open source projects and companies. Check out our SPDX in Action column to see what others are doing, and/or the examples in the Use section.



I'd like to Learn More

We're happy you would like to learn more about SPDX. You can do so by going to our Use section to get more details and examples of how SPDX is being used. There is also a General Meeting, which is for all SPDX participants and is held once a month. You are invited to join the call; frequently we have a guest speaker from business or the community who presents on their use of SPDX. It's a great way to see what others are doing, to share, and to ask questions.