[Updated 10:00AM] — The Linux Foundation has updated its SPDX standard to v2.0, enhancing the ability to track complex open source license dependencies to ensure compliance.
The Linux Foundation (LF) released version 1.0 of the Software Package Data Exchange (SPDX) standard in 2011, promoting it as a common format for sharing data about software licenses and copyrights. Now the LF’s SPDX workgroup has released version 2.0 of the standard, with new features that let you relate SPDX documents to each other to provide a “three-dimensional” relationship view of license dependencies.
What’s new in SPDX 2.0
SPDX was developed in order to streamline the time-consuming process of complying with licensing requirements for software components in bill of materials and other documents. The problem has been exacerbated over the years with the increasing complexity of the global supply chain.
SPDX handles package relationships
The new relationship view makes the SPDX standard more useful for a broader range of uses, including exchanging data about software and modules introduced throughout the supply chain, says the LF. The improvements are said to ease the exchange of open source and license data, streamline compliance with open source licenses, and help vendors more easily identify obligations or security vulnerabilities before shipment.
Other new features in SPDX 2.0 include:
- Descriptions of multiple packages in a single SPDX document, allowing aggregation of information that should be kept together
- Expanded annotations that include replacing “review” comments, available for any specific element in an SPDX document
- New license expression syntax with improved license matching guidelines, making the capture of complex licensing within a file easier and more reliable
- Additional file types and checksum algorithms with expanded file types, allowing for more precise identification of a file
- Support for referencing software pulled from version control systems, in addition to software served as downloads
The SPDX “big picture”
The SPDX workgroup includes representatives from more than 20 organizations, including software, systems, and tool vendors, as well as foundations and systems integrators. Members include Alcatel-Lucent, ARM, Black Duck Software, Cisco, HP, Linaro, Micro Focus, nexB, Palamida, Pelagicore, Protecode, Source Auditor, Qualcomm, Samsung, Texas Instruments, University of Nebraska Omaha, University of Victoria, and Wind River.
“With SPDX 2.0, companies can be more confident than ever before in their open source license compliance,” stated Black Duck’s Phil Odence, chair of the SPDX workgroup. “With new features that provide contextual reference across packages and files, including those external to SPDX documents, the SPDX specification becomes an even more valuable resource to the increasing number of companies around the world using open source software in their products.”
SPDX 2.0 is available for free download now. More information may be found at the SPDX.org website. The SPDX 2.0 presentation PDF file from which the images in this post were obtained is available for download here.