Ring in the new

News

If I’d gotten to this a few days ago, I might be looking back on an eventful year, but here we are in 2014 looking forward. And, actually, it turns out we did some good reflecting in the blog I posted in November. If that wasn’t enough, please check out the International Free and Open Source Software Law Review (IFOSSLR) publication of an article that Jilayne, Scott and I wrote on the status of SPDX.

In the first half of 2014, we should expect to see a continuing ramp of company adoption as last year’s internal experimentation evolves into a real vehicle for communication between supply chain partners. I want to quantify this by following up on the industry survey we did last spring, but my sense is that the spec and supporting materials are at the point that users are able to run with it without a lot of questions. Thus, we are continuing to uncover companies “doing stuff” with SPDX.

The other thing I expect to see in the first half of the year is the first wave of open source projects beginning to incorporate SPDX into their work. We’ve seen U-Boot incorporate SPDX short-name tags in every file. We will see other projects doing the same and facilitating license communication in other ways.

The second half of the year should be about the 2.0 release—actually this work will consume the technical team for the first half of the year, enabling a release in the second half. The dot 1 and 2 releases have both enhanced our initial stab, incorporating feedback from users and tool makers, to make SPDX more usable. Version 2.0 will be a fairly major change, taking us from the paradigm of self-standing SPDX docs to systems of related SPDX docs, enabling definitions of hierarchy and other relationships between pieces of software.

Another sign of progress with SPDX is recognition by the Object Management Group (OMG) standards consortium. The OMG is now looking at other aspects of standards for managing open source licensing across supply chains and, as a starting point, recognizes SPDX as a key element of addressing this issue (and a well-crafted wheel they have no interest in re-inventing). My prediction is that the initial focus for OMG will be on a component naming standard. Think GAV (Group, Artifact, Version) from Maven, but much broader. We will want to stay close to this work as it will greatly aid component identification in SPDX docs.

I’m amazed by what we have accomplished in the last year as a 100% volunteer organization. Congrats and thanks to all who have contributed in any way. And, for anyone who has been considering getting more involved, it’s not too late to make that your New Year’s resolution. Just a few additional hands spending a couple of hours a week could make a big difference in our velocity across all teams. Please drop me a note if you’d like to discuss how to get yourself or colleagues more involved (podence@blackducksoftware.com). Happy New Year.