The Linux Foundation’s Open Compliance Initiative releases new SPDX specification

Software Package Data Exchange 2.1 helps open source developers and projects streamline software supply chain; eases license sharing .

  • 8 years ago Posted in
The SPDX® Project, hosted by The Linux Foundation®, is announcing the release of version 2.1 of its Software Package Data Exchange (SPDX) specification. SPDX 2.1 standardizes the inclusion of additional data in generated files, as well as providing a syntax for accurate tagging of source files with SPDX license list identifiers.
 
According to The 2016 North Bridge & Black Duck Future of Open Source Study, 90 percent of companies rely on open source for improved efficiency, innovation and interoperability, yet only half of those companies have a formal management process for the code they rely upon. The SPDX specification helps facilitate compliance with free and open source software licenses by providing a uniform way license information is shared across the software supply chain. The effort unites more than 20 organizations - software, systems and tool vendors, foundations and systems integrators - to create a specification for software package data exchange formats.
 
“The new SDPX specification release benefits the entire open source community – from developers to end users. It not only helps standardize the way license information is shared, but it gives every stakeholder in FOSS assurance around quality and consistency of code use,” said Mike Dolan, VP of Strategic Programs, The Linux Foundation. “SPDX is a community driven effort, with technical guidance from open source developers. Together, we’re helping advance open source by establishing a specification that enables code to be used or altered in a consistent, understandable and compliant manner.”
 
Key features in the SPDX 2.1 specification include:
?     Snippets allow a portion of a file to be identified as having different properties from the file it resides within. The use of snippets is completely optional, and it is not mandatory for snippets to be identified;
?     Improvements in referencing external packages and repositories; users can now associate packages with security vulnerability databases as well as component repositories, such as npm, maven, bower, among others; and
?     A new appendix has been added to explain how to use SPDX License List identifiers in source files. An increasing number of open source projects are adding these short identifiers to code, as they allow anyone to quickly scan a directory of files to identify the licenses included. SPDX license identifier tags also eliminate common mistakes based on scanning headers to conclude the license of a source file.
After Kubernetes Kosmos and S3-based Object Storage, Scaleway continues to deliver on its Multi...
Canonical has published the first Ubuntu images optimised for the next generation of Intel IoT...
Canonical has released Ubuntu 21.10 - the most productive environment for cloud-native developers...
The latest release occurs as the 2021 User Survey reveals significant growth in OpenStack...
The 12th iteration of the Building Security In Maturity Model reflects high-profile ransomware and...
Sonatype has released its seventh annual State of the Software Supply Chain Report that reveals...
Latest release of Red Hat Process Automation advances the development of decision services for Red...
Data from 1,200 respondents and insights from seven industry experts reveal rapid growth, some...