SOURCE: The Linux Foundation

The Linux Foundation

August 17, 2011 07:00 ET

SPDX Workgroup Releases Software Package Data Exchange Standard to Widespread Industry Support

Standard Format for Communicating Open Source License and Copyright Information Throughout Supply Chain Ensures Better, Easier Compliance

VANCOUVER, BC--(Marketwire - Aug 17, 2011) - LINUXCON -- The SPDX workgroup, hosted by The Linux Foundation, today announced the release of version 1.0 of its Software Package Data Exchange (SPDX™) standard.

The SPDX standard helps facilitate compliance with free and open source software licenses by standardizing the way license information is shared across the software supply chain. SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses and copyrights, thereby streamlining and improving compliance.

SPDX was developed with participation by a wide range of industry and open source community heavyweights, including: Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Micro Focus, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River. Participants in the SPDX beta program included Antelink, HP, Motorola Mobility, Texas Instruments and Wind River.

"The SPDX 1.0 standard is an example of how open compliance and collaboration can enable the advancement of Linux and open source software," said Jim Zemlin, executive director of The Linux Foundation. "We applaud the SPDX workgroup for its important work on providing a consistent way to report and view license information for software technology components, making it even easier for companies to maximize their investments in free and open source software."

Most technology products today are assembled from multiple components that contain free and open source software, as well as commercial software; these components are created, delivered, and received by companies throughout the supply chain. Because of the distributed nature and complexity of the global software supply chain, it has become cumbersome and time consuming for each organization to prepare the license information for these components in the multiple distinct formats prescribed by others in their supply chain.

By enabling communities and companies to provide license information in a common format that can be easily analyzed and shared, the SPDX standard helps to accelerate the adoption of Linux and other free and open source software across industries, including the consumer electronics marketplace, by easing the burden of compliance through transparent sharing of license information.

"Today we're seeing collaboration among industry experts come to fruition in SPDX 1.0," said Esteban Rockett, co-founder of SPDX and lead software counsel at Motorola Mobility (an SPDX beta participant). "Representatives from the community, vendors and companies that use open source have come together to deliver a standard, accompanied with tools, that will make it easier to determine and comply with license obligations in a software bill of materials. This reduces compliance anxiety and costs, and further accelerates the adoption of Linux and other free and open source software."

"The announcement of the initial release of the SPDX standard is a welcome event, because SPDX is a crucial building block in an industry-wide system of automated license compliance administration," said Eben Moglen, executive director of the Software Freedom Law Center. "The efforts of the SPDX workgroup will ultimately help to realize large cost savings for all parties making commercial use of embedded FOSS, as well as substantially increased assurance of license compliance for FOSS licensors."

The SPDX standard defines a standard file format that lists detailed license and copyright information for a software package and each file it comprises. The SPDX community has also provided open source tools to convert SPDX files to and from spreadsheet formats.

Visit the SPDX website for more details on what is in the SPDX standard or to participate in the SPDX community: www.spdx.org.

A video overview of SPDX is available at http://www.linuxfoundation.org/programs/legal/compliance/webinars/introduction-to-spdx.

Support for SPDX 1.0
Antelink
"SPDX gives us an easy way to get data about licenses in open source projects," said Guillaume Rousseau, CEO, Antelink. "As a participant in the SPDX beta program, we have found the SPDX specification to be simple, straightforward and easy to work with. We're very happy to support the SPDX efforts, and look forward to implementing SPDX 1.0 in our search engine of open source files!"

Black Duck Software
"Black Duck's mission is to enable open source adoption while automating governance and compliance. SPDX is completely aligned with this mission, and so from the outset, we have been eager to invest our resources and expertise in the initiative," said Phil Odence, vice president of Business Development, Black Duck Software.

Canonical
"We look forward to the opportunity of working with upstream projects using SPDX and/or DEP5 to make it easier to understand the licensing associated with those projects," said Kate Stewart, Ubuntu Release Manager.

Debian
"Having a consistent way to describe licenses that's shared by Debian's DEP5 and the SPDX working group will help the entire ecosystem provide accurate licensing information for open source projects," said Steve Langasek, Debian DEP5 co-editor.

Fedora
"Fedora is pleased to have participated in the development of the SPDX specification. SPDX will help shine a light on Free and Open Source Software licensing," said Tom "spot" Callaway, Fedora Engineering Manager.

HP
"Open source is an extremely valuable asset to HP and the technology industry. With so many open source components throughout the software supply chain, organizations need a common format to simplify their license compliance efforts," said Phil Robb, director, HP Open Source Program Office. "By streamlining the process, the SPDX standard addresses how license information is shared, while reducing the risks and costs of compliance for organizations. This represents the next step of industry-wide due diligence to ensure the ongoing success of open source into the future by respecting the rights and wishes of its authors."

Micro Focus
"The broad adoption of SPDX by independent software vendors will substantially reduce the overhead involved in open source adoption and compliance," said Thomas Incorvia, Vice President of Product Licensing at Micro Focus.

nexB Inc.
"SPDX 1.0 is a crucial first step toward establishing the processes and tools that will support the application of supply chain best practices to component-based software development," said Michael Herzog, CEO of nexB Inc. "It will assist organizations of all sizes and types in their efforts to comply with open source license obligations, and it also provides a solid building block for managing other types of software license data in the future."

OpenLogic
"As we work with enterprises to help them comply with open source licenses, one of the challenges they face is getting a complete understanding of what open source licenses are included in their products. SPDX will provide an important step forward by standardizing the way that licenses information is communicated and sharing that information across the software supply chain," said Kim Weins, senior vice president of Marketing at OpenLogic. "Our audit and scanning tools will support the SPDX spec to help automate these compliance processes."

OSI
"We applaud the work of the SPDX working group on helping to simplify and standardize references to software licenses and build on the naming work that OSI's volunteers were already doing. OSI has already adopted SPDX in the definitive list of licenses at http://opensource.org/licenses," said Michael Tiemann, president, the Open Source Initiative (OSI). "The SPDX workgroup has leveraged more than a decade of the work at OSI in reviewing licenses for their impact on software freedom. By using the SPDX set of standard short-form license names, the entire open source ecosystem will be able to communicate in a consistent manner, especially to identify and avoid code under SPDX-identified licenses that are not OSI-approved."

Protecode
"SPDX will enable more organizations to freely use open source software in their products and streamline the license compliance process. Having a standard in place will benefit both the Linux and open source communities as a whole. All of our System 4 products will fully support SPDX 1.0," Kamal Hassin, VP of Product Management, Protecode.

Source Auditor
"Source Auditor is pleased to be a contributor to SPDX specification and tools," said Gary O'Neall, CEO of Source Auditor. "By incorporating SPDX into our processes and tools, we will enable our customers and their suppliers to reduce the cost and complexity of complying with open source license obligations."

Texas Instruments
"SPDX is a great resource that allows TI to understand all licensing information for the open source components of our software packages," said Jack Manbeck, manager, Open Source Review Board, TI. "TI is committed to providing customers with full knowledge of all components included in TI software packages and assuring compliance with all applicable open source licenses. SPDX enables us to do this quickly, efficiently and cost-effectively."

Wind River
"SPDX is another step towards advancing Linux and open source software in embedded markets," said Paul Anderson, vice president of marketing and strategy for Linux products at Wind River. "As an active participant in both the SPDX workgroup and Beta program, Wind River has developed a strong understanding and appreciation of how SDPX can benefit embedded device vendors. SPDX can ease compliance by standardizing the way license and copyright information is shared across the entire supply chain."

About SPDX
The Software Package Data Exchange® (SPDX™) specification is a standard format for communicating the components, licenses and copyrights associated with a software package. This SPDX Community is a workgroup sponsored by The Linux Foundation and associated with FOSSBazaar. The specification has been adopted as one of the key elements of the Linux Foundation's Open Compliance Program. Further, the SPDX naming conventions are now in use at the industry's repository of record for open source licenses, maintained by the Open Source Initiative at http://opensource.org/licenses. The SPDX specification itself is under the Creative Commons Attribution License 3.0. For more information about SPDX, please visit: http://spdx.org/about/spdx.

About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux. Founded in 2007, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system by marshaling the resources of its members and the open source development community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Linux conferences, including LinuxCon, and generating original Linux research and content that advances the understanding of the Linux platform. Its web properties, including Linux.com, reach approximately two million people per month. The organization also provides extensive Linux training opportunities that feature the Linux kernel community's leading experts as instructors. Follow The Linux Foundation on Twitter.

Trademarks: The Linux Foundation and SPDX are trademarks of The Linux Foundation. Linux is a trademark of Linus Torvalds.

Contact Information