
SPDX spec standardizes open source compliance reporting

Aug 17, 2011 — by Eric Brown — from the LinuxDevices Archive

On the opening day of LinuxCon, the Linux Foundation's SPDX workgroup announced the first release of a standard for sharing open source license information. The Software Package Data Exchange (SPDX) 1.0 standard, which is part of the foundation's Open Compliance Program, provides a common format for sharing data about software licenses and copyrights, thereby streamlining and improving compliance.

At last August's LinuxCon conference — the 2011 version of which opened today (Aug. 17) in Vancouver, BC — the Linux Foundation (LF) announced an Open Compliance Program to help companies comply with open source licenses. Specific projects include training, consulting, a self-assessment checklist, and tools for dependency checking, BoM analysis, and code clean-up.

A promised centerpiece of the program was a standard format for reporting software licensing information called Software Package Data Exchange (SPDX). Basing its specification on work previously underway at the FOSSBazaar community, the SPDX workgroup has now released version 1.0 under the Creative Commons Attribution License 3.0.

Participants in the SPDX working group include Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River. A smaller group was said to be involved in the SPDX beta program: Antelink, HP, Motorola Mobility, Texas Instruments, and Wind River.

Most of the organizations supplied testimonial quotes, a few of which are reproduced in part farther below. A number of the quotes suggest specific implementations in products ranging from commercial search engines to in-house compliance systems.

In addition, the SPDX naming conventions have been adopted by the Open Source Initiative (OSI) for its repository of record for open source licenses, says the LF.

Taming the compliance beast

Due to the complexity of today's multi-component software, exacerbated by a distributed, global software supply chain, organizations are finding it time-consuming to prepare license information for software components in bills of materials and other documents, says the LF. The task is said to be further complicated by all the distinct formats and terms used to describe components.

SPDX provides component, license, and copyright information in a common format, making it easier for companies to comply with open source licenses by sharing information, says the LF. The standard is said to define a standard file format for a software package and each file it comprises. The SPDX community, meanwhile, offers open source tools for converting SPDX files to and from spreadsheet formats.

Compatibility with Debian DEP-5

Although the LF doesn't state it explicitly, SPDX appears to be compatible with the somewhat similar, but Debian-specific, DEP-5 standard (also referred to as DEP5). The DEP-5 site alludes to this, as do several of the testimonial quotes from supporters, including one from Steve Langasek, Debian DEP-5 co-editor.

"Having a consistent way to describe licenses that's shared by Debian's DEP5 and the SPDX working group will help the entire ecosystem provide accurate licensing information for open source projects," stated Langasek.

Stated Esteban Rockett, co-founder of SPDX and lead software counsel at Motorola Mobility, "Today we're seeing collaboration among industry experts come to fruition in SPDX 1.0. This reduces compliance anxiety and costs, and further accelerates the adoption of Linux and other free and open source software."

Stated Eben Moglen, executive director of the Software Freedom Law Center, "The efforts of the SPDX workgroup will ultimately help to realize large cost savings for all parties making commercial use of embedded FOSS, as well as substantially increased assurance of license compliance for FOSS licensors."

Stated Jim Zemlin, executive director of The Linux Foundation, "We applaud the SPDX workgroup for its important work on providing a consistent way to report and view license information for software technology components."


SPDX 1.0 is available now. More information may be found at the LF's SPDX site. A Linux Foundation webinar video on SPDX from Phil Odence, the Vice President of Business Development at Black Duck Software, may be found here.

This article was originally published on and has been donated to the open source community by QuinStreet Inc. Please visit for up-to-date news and articles about Linux and open source.
