A Linux Foundation workgroup aims to make working with open-source code, and complying with its licenses, easier through the release of version 2.0 of the Software Package Data Exchange (SPDX) specification.
“When creating products from open-source code, it is important to respect the terms of the license in the code, if you’re going to use the code,” said Jack Manbeck, co-chair of the SPDX business team.
“Determining the licensing of something can be a complex process, and determining the complete set of licenses for an application is often done multiple times, by different people for the same item. This leads to a lot of wasted time and effort. By having a specification and the SPDX license list, you now have a way to communicate that information in a common format, versus everyone wanting it differently, thus avoiding redundancy.”
SPDX was first announced in 2011, and since then the workgroup has been improving the specification to simplify compliance. The workgroup describes version 2.0 as a major milestone for open-source license compliance. It adds the ability to relate SPDX documents to each other, so that a consumer can determine which open-source software was used to build a component, which versions of that software are in use, and whether any known vulnerabilities need to be addressed.
“SPDX is about reducing the cost of and facilitating license compliance,” said Manbeck. “When you have complete licensing information, you can make sure everyone’s license choices are taken into consideration.”
Other features of SPDX 2.0 include:
- Descriptions of multiple packages in a single SPDX document
- An expansion of annotations to increase flexibility
- A new license expression syntax to make it easier and more reliable to capture licensing in a file
- Support for additional file types and checksum algorithms
- The ability to reference software pulled from version-control systems
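Of the items above, the license expression syntax is the one a compliance or supply-chain tool actually has to parse. What follows is an added example, not code from the SPDX project or from this article: a small Python recursive-descent parser for SPDX 2.0 license expressions (the `AND`, `OR` and `WITH` operators, the `+` "or later" suffix and parentheses, as defined in the 2.0 specification's license-expression appendix), plus a policy check that answers whether a package's declared licensing can be satisfied from an allowlist. The allowlists and sample expressions are constructed for illustration; `LicenseRef-` identifiers are treated like any other id and are therefore rejected unless a policy explicitly allows them.

```python
"""Parse SPDX 2.0 license expressions and check them against a policy.

Grammar, highest precedence last (WITH binds tightest, then AND, then OR):
    expr   := conj ( "OR" conj )*
    conj   := simple ( "AND" simple )*
    simple := id [ "+" ] [ "WITH" exception-id ] | "(" expr ")"
"""
import re

KEYWORDS = {"AND", "OR", "WITH"}
PUNCT = {"(", ")", "+"}
# A token is a parenthesis, a '+' suffix, or an identifier such as
# 'Apache-2.0', 'GPL-2.0' or 'LicenseRef-Proprietary'.
TOKEN_RE = re.compile(r"\s*(\(|\)|\+|[A-Za-z0-9.\-]+)")


def tokenize(text):
    """Split an expression into tokens; reject characters the grammar lacks."""
    text = text.strip()
    tokens, pos = [], 0
    while pos < len(text):
        match = TOKEN_RE.match(text, pos)
        if not match:
            raise ValueError(f"bad character at offset {pos}: {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class Parser:
    """Recursive-descent parser producing nested tuples:
    ("OR", a, b), ("AND", a, b) or ("LIC", license_id, or_later, exception)."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:          # trailing junk such as "MIT )"
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_simple()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_simple())
        return node

    def parse_simple(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in KEYWORDS or tok in PUNCT:
            raise ValueError(f"expected a license id, got {tok!r}")
        or_later = self.peek() == "+"
        if or_later:
            self.take()
        exception = None
        if self.peek() == "WITH":
            self.take()
            exception = self.take()
            if exception is None or exception in KEYWORDS or exception in PUNCT:
                raise ValueError("expected an exception id after WITH")
        return ("LIC", tok, or_later, exception)


def license_ids(node):
    """All license identifiers mentioned in a parsed expression, sorted."""
    if node[0] == "LIC":
        return [node[1]]
    return sorted(set(license_ids(node[1]) + license_ids(node[2])))


def acceptable(node, allowed_licenses, allowed_exceptions):
    """True if the recipient can pick a licensing option entirely from the
    allowlist. OR means any branch suffices; AND requires every branch.
    A '+' suffix lets the recipient choose the base version, so the base
    id being allowed is sufficient (assumption of this example's policy)."""
    kind = node[0]
    if kind == "OR":
        return (acceptable(node[1], allowed_licenses, allowed_exceptions)
                or acceptable(node[2], allowed_licenses, allowed_exceptions))
    if kind == "AND":
        return (acceptable(node[1], allowed_licenses, allowed_exceptions)
                and acceptable(node[2], allowed_licenses, allowed_exceptions))
    _, lic, _or_later, exception = node
    if lic not in allowed_licenses:
        return False
    return exception is None or exception in allowed_exceptions


def check(expression, allowed_licenses, allowed_exceptions=()):
    """Parse an expression string and evaluate it against a constructed policy."""
    tree = Parser(tokenize(expression)).parse()
    return acceptable(tree, set(allowed_licenses), set(allowed_exceptions))


if __name__ == "__main__":
    policy = {"MIT", "Apache-2.0", "BSD-3-Clause"}   # constructed allowlist
    for expr in ("MIT OR Apache-2.0", "GPL-2.0 AND MIT", "(MIT AND Apache-2.0) OR GPL-2.0"):
        print(f"{expr!r}: {check(expr, policy)}")
```

Because `WITH` is parsed as part of a single license term, an exception is evaluated together with the license it modifies rather than as a separate operand, which is what the 2.0 grammar intends; a malformed expression such as `MIT OR` raises `ValueError` instead of being silently accepted.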
“License compliance is a priority for the Linux and open-source community, and benefits the technology industry overall, especially as the adoption of open technologies continues to increase,” said Jim Zemlin, executive director of the Linux Foundation. “With the release of SPDX 2.0, compliance is easier than ever before.”