The Linux Foundation, through its Open Compliance Program, is currently working on a standard for software packages and licenses. The program is a partnership of Linux and several other companies, and the first version of the Software Package Data Exchange standard (SPDX) is available with updates to be made in the future.
SPDX, currently available in a beta version with hopes for a full version in August, is meant to supply developers and companies with a machine-readable license package delivery system and with a standard way to explain how the software can be used, no matter what license developers or code distributors decide to use.
Black Duck, Canonical, OpenLogic, Protecode and others are working with the Foundation to push this standard out into the software development world. Mahshad Koohgoli, CEO of Protecode, said that the push for this standard resulted from a lack of clear understanding of licensing associated with software.
“There has never been a good description of the components of a software program. Packages can contain hundreds, thousands or tens of thousands of lines of code or files [and it is hard to keep track of the licenses associated with each],” he said.
“SPDX will be used to standardize information associated with distributed software packages.”
Noirin Shirley, the Apache Software Foundation’s executive vice president, said that software licenses are generally available to be applied in an ad hoc way to each and every project.
“In software, particularly in open-source software, there are two groups of people: the person(s) who hold the copyright and can do anything to the code, and the license holder(s) who have the right to use the code,” Shirley said.
She said that some licenses, like the GPL, LGPL, OGPL, etc., require the user to return modifications made to the code to the community at large, which is something a company would want to know before installing the code onto a proprietary piece of software, in terms of protecting business secrets and intellectual property.