Linux Foundation Updates SPDX Compliance Effort

The Software Package Data Exchange specification gets updated to help track and share license information in the Internet of things era.


Back in 2010, the Linux Foundation first launched its Software Package Data Exchange (SPDX) effort that helps to build out and identify software components in a standardized manner. Since then, use of SPDX has grown, and on May 12 the SPDX 2.0 specification was announced. The new specification aims to be even more comprehensive in helping organizations understand the open-source licenses that are used as part of an application deployment.

Over the last several years, a number of large companies have adopted SPDX for internal tracking and sharing of licensing information, according to Jack Manbeck, SPDX Business Team co-chair.

"Commercial license analysis tools are now able to generate and consume the format," Manbeck told eWEEK. "Open-source tools have started to emerge now on GitHub as well."

With the SPDX 2.0 specification, the key goal was to permit a wider set of relationships and types of files to be characterized, Manbeck said. He added that the license list now has short forms for all the licenses that are supported by Red Hat, which was not the case with the previous SPDX 1.2 specification.

"In addition, there is a new license expression syntax supported in 2.0, together with the notion of standardized license exceptions," Manbeck said. "The license list will update more frequently than the specification."

With release 2.0, there is now also the ability to relate SPDX documents to each other, to get a more complete picture of software license use. Manbeck explained that there is now a mechanism to refer to elements of external SPDX documents, in addition to being able to describe multiple packages in a single SPDX document. Historically, only one package per SPDX document was possible.

The SPDX 1.2 specification was aimed at the source-code level for packages, according to Manbeck. The SPDX 2.0 specification, however, can handle a wider range of objects and better map the relationship between binaries and the source packages used to build them.

"Accurate understanding of the license obligations is needed for embedded applications, like IoT [Internet of things], to be deployed effectively," he said.

Understanding the licenses used in an application is important to ensure everything is in order and no code is being used improperly from a legal compliance perspective. Manbeck said the big challenge today is having transparent and accurate licensing information being able to travel from the upstream projects into products being deployed. Making it easy to understand which licenses are in use when multiple code bases are combined to make a product is the goal of SPDX.

Now that the SPDX 2.0 specification is out, Manbeck said the plan is to get open-source tools updated to validate and comply to the 2.0 specification.

"We will be working with more upstream projects to adopt SPDX file generation as part of their release builds, like Yocto has," Manbeck said. "At the specification level, the next topic being tackled is how to represent licensing information for file snippets."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.