The Linux Foundation announced the SPDX 2.1 and OpenChain 1.0 specs, which aim to clarify and standardize open source compliance and management.
At LinuxCon Europe in Berlin, the Linux Foundation announced two new releases from different groups attempting to standardize open source license tracking, compliance, and supply chain management. The Software Package Data Exchange (SPDX) Project announced SPDX 2.1 for tracking complex open source license dependencies, adding new “Snippets” and appendix features, and the OpenChain Workgroup released OpenChain 1.0 for managing the open source supply chain.
Two scenes from LinuxCon Europe 2016 (source: Linux Foundation)
LinuxCon Europe, which will be followed next week by the Embedded Linux Conference Europe (ELCE) and the OpenIoT Summit in the same location, opened a few days after the Linux 4.7.6 maintenance release and the general availability of the Linux 4.4.23 LTS kernel. The minor Linux 4.7.6 changes include improvements to the XFS, Btrfs, Ceph, autofs4, HostFS, OCFS2, and ReiserFS filesystems.
The Software Package Data Exchange (SPDX) standard and new SPDX Project were announced with the release of SPDX 1.0 in 2011, based on earlier work done by the FOSSology Project. SPDX version 2.0 arrived in 2015. This common format for sharing data about software licenses and copyrights has now been released in a 2.1 version as part of the LF’s Open Compliance Initiative.
SPDX 2.1 document contents and compliance flow chart
SPDX 2.1 standardizes the inclusion of additional data in generated files. It also adds a syntax for accurate tagging of source files with SPDX license list identifiers.
Specific new features include an optional Snippets feature that lets you identify a portion of a file that has different properties from the file at large. There are also improvements to how external packages and repositories are referenced, as well as a new appendix that explains how to use SPDX License List identifiers in source files. These short identifiers are increasingly being used by open source projects, as they allow quick identification of included licenses, says the SPDX Project.
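As an added illustration of the short-identifier tagging the appendix covers (example code written for this article, not from the SPDX Project), the script below scans a constructed set of source files for `SPDX-License-Identifier:` tags, splits the license expression into its identifiers, and reports files that are untagged or reference an identifier outside a known set. The `KNOWN_IDS` set is a constructed subset; a real audit would load the full SPDX License List.

```python
import re

# Constructed subset of SPDX License List short identifiers (assumption:
# a production scanner loads the complete list from spdx.org instead).
KNOWN_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0", "GPL-2.0+", "LGPL-2.1"}

TAG_RE = re.compile(r"SPDX-License-Identifier:\s*([^\n]+)")
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")

def extract_tag(text):
    """Return the license expression from a file's SPDX tag, or None if untagged."""
    m = TAG_RE.search(text)
    if not m:
        return None
    # The tag normally sits inside a comment; drop a trailing comment closer.
    return re.sub(r"\s*(\*/|-->|#>)\s*$", "", m.group(1).strip())

def expression_ids(expr):
    """Split an SPDX license expression into its bare license identifiers."""
    ids, skip = [], False
    for tok in TOKEN_RE.findall(expr):
        if skip:            # the token after WITH is an exception id, not a license
            skip = False
            continue
        if tok == "WITH":
            skip = True
        elif tok not in ("(", ")", "AND", "OR"):
            ids.append(tok)
    return ids

def audit(files):
    """Map filename -> ('untagged' | 'ok' | 'unknown', detail) for a {name: text} tree."""
    report = {}
    for name, text in files.items():
        expr = extract_tag(text)
        if expr is None:
            report[name] = ("untagged", None)
            continue
        unknown = [i for i in expression_ids(expr) if i not in KNOWN_IDS]
        report[name] = ("unknown", unknown) if unknown else ("ok", expr)
    return report

# Constructed sample source tree used as input.
SAMPLE_FILES = {
    "lib/util.c": "/* SPDX-License-Identifier: GPL-2.0 */\n#include <stdio.h>\n",
    "tools/build.py": "# SPDX-License-Identifier: (MIT OR Apache-2.0)\nimport os\n",
    "vendor/blob.c": "/* SPDX-License-Identifier: Proprietary-Foo */\n",
    "docs/notes.txt": "no tag here\n",
}

if __name__ == "__main__":
    for name, (status, detail) in sorted(audit(SAMPLE_FILES).items()):
        print(f"{status:9} {name} {detail or ''}")
```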
The Linux Foundation announced the OpenChain Workgroup a year ago at LinuxCon Europe in Dublin. The workgroup has now followed up with a release of the OpenChain 1.0 spec.
Like the SPDX Project, the OpenChain Project aims to streamline open source compliance, but it focuses more specifically on supply chain issues. The project further intends to “facilitate greater quality and consistency of open source compliance to help reduce duplication of effort caused by lack of standardization and transparency throughout professional open source organizations.”
These goals are now formalized in an OpenChain 1.0 spec that establishes requirements and best practices for documenting Free and Open Source Software (FOSS) policy, training staff on compliance, and assigning responsibility for achieving compliance. The spec defines how to review and approve FOSS content, and how to deliver FOSS documentation and artifacts such as copyright notices, licenses, and source code.
OpenChain 1.0 also explains processes like FOSS legal approval, business rationale, technical review of code, community interaction, and contribution requirements. In addition, the spec shows how to meet OpenChain certification requirements.
The OpenChain Project cites the Linux Foundation’s recently released 2016 Open Source Jobs Report, reporting that nearly 70 percent of hiring managers are looking to recruit and retain open source professionals within the next six months. Platinum members of the OpenChain Project include Adobe, ARM, Cisco, Harman, HPE, Qualcomm, Siemens, and Wind River.
“Hundreds of thousands of people around the globe, including the world’s largest companies, leverage open source software, so we need to work together to support best practices for software license compliance throughout a supply chain,” stated Jim Zemlin, executive director, The Linux Foundation.