SPDX version 1.0 released - compliance made easier
The Linux Foundation has announced that the SPDX working group has published SPDX 1.0, the first release of the Software Package Data Exchange specification. It is designed to help companies that assemble open source packages into consumer and other products ensure that they are complying with the requirements of those packages' licences. Companies including Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Micro Focus, Motorola Mobility, nexB Inc, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River took part in developing the SPDX specification.
SPDX defines a standard file format for detailed licence and copyright information about a software package and the files within it. It also records information about the creation of the package and about who has reviewed the SPDX file for correctness, allowing the lifecycle of the package to be mapped more accurately. This information should allow automated tools to quickly compose a manifest and calculate any licence requirements which need to be fulfilled. A file can be designated SPDX – a trademarked term – if it complies with the trademark terms, which require that it implement the mandatory parts of the SPDX 1.0 Specification. SPDX files themselves must be licensed under the Open Data Commons Public Domain Dedication and Licence, PDDL, to ensure they can be easily reused.
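As an added illustration of the "compose a manifest and calculate licence requirements" use case (example code written for this article, not part of SPDX or any vendor tool): the constructed document below follows the SPDX 1.0 tag/value syntax as assumed here (tag names such as `PackageLicenseDeclared`, `FileName` and `LicenseConcluded` are taken from memory of the spec, and the sample values, checksum and names are invented), and the functions turn it into a per-file manifest, the set of licences a consumer must comply with, a list of files whose licence is still unresolved, and a check that the file itself carries the PDDL data licence the spec requires.

```python
# Constructed sample SPDX 1.0 tag/value document, not taken from the article.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-1.0
DataLicense: PDDL-1.0
Creator: Tool: example-scanner-0.1
Reviewer: Person: Jane Doe (jane@example.com)
PackageName: widgetd
PackageLicenseDeclared: GPL-2.0
FileName: ./src/main.c
FileChecksum: SHA1: 0000000000000000000000000000000000000001
LicenseConcluded: GPL-2.0
FileName: ./src/compat.c
LicenseConcluded: MIT
FileName: ./src/vendor.c
LicenseConcluded: NOASSERTION
"""

def parse_tag_values(text):
    """Yield (tag, value) pairs, splitting on the first ':' only (values like 'SHA1: ...' contain colons)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            tag, _, value = line.partition(":")
            yield tag.strip(), value.strip()

def build_manifest(text):
    """Package-level tags plus a per-file list; each FileName tag opens a new file record."""
    doc = {"files": [], "reviewers": []}
    current = None
    for tag, value in parse_tag_values(text):
        if tag == "FileName":
            current = {"name": value, "license": None, "checksum": None}
            doc["files"].append(current)
        elif tag in ("LicenseConcluded", "FileChecksum") and current is not None:
            current["license" if tag == "LicenseConcluded" else "checksum"] = value
        elif tag == "Reviewer":
            doc["reviewers"].append(value)
        else:
            doc[tag] = value
    return doc

def licence_obligations(doc):
    """Licences to comply with (declared + concluded per file) and files still lacking a concluded licence."""
    unresolved = [f["name"] for f in doc["files"] if f["license"] in (None, "NOASSERTION")]
    found = {doc.get("PackageLicenseDeclared")} | {f["license"] for f in doc["files"]}
    return sorted(found - {None, "NOASSERTION"}), unresolved

def data_licence_ok(doc):
    """The spec requires the SPDX file itself to be under PDDL."""
    return doc.get("DataLicense") == "PDDL-1.0"
```

A file reported as unresolved (`NOASSERTION` or no concluded licence) is the one a reviewer needs to look at before the manifest can be trusted for compliance.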
The specification is one of the key elements of the Linux Foundation's Open Compliance Program and it is hoped that it will see widespread take-up by developers, packagers, vendors and compliance providers. The Open Compliance effort was launched a year ago with the aim of providing all the elements needed for supply chains to work well with open source.