The Linux Foundation’s SPDX Workgroup Releases New Version of Software Package Data Exchange Standard
The Linux Foundation | 22 October 2013
Version 1.2 improves interoperability and is being adopted by U-Boot project
EDINBURGH – LinuxCon and CloudOpen – October 22, 2013 – The SPDX® workgroup, hosted by The Linux Foundation, today announced the release of version 1.2 of its Software Package Data Exchange (SPDX®) standard, which includes new features and is being adopted by U-Boot, a popular open source boot loader for embedded devices.
The new release addresses issues identified during interoperability testing. The SPDX workgroup held a “bake off,” or interoperability testing session, during the 2013 Linux Foundation Collaboration Summit in April, comparing the output of several tools as well as some manually generated SPDX documents. The extensive analysis uncovered opportunities for further clarity in the spec. SPDX Version 1.2 and its updated guidelines address these opportunities and ensure more consistency in SPDX documents.
“The interoperability testing we did at the Collaboration Summit was very valuable in checking the spec in use by a diverse group of users,” said SPDX Technical Team Lead, Kate Stewart, one of the founders of SPDX. “Version 1.2 is a great step forward in achieving consistency across SPDX tools, which is key to adoption.”
The SPDX workgroup is also announcing that U-Boot, a popular open source boot loader for embedded devices, is using SPDX license names as its standard for specifying licensing in files. This kind of adoption by open source projects greatly simplifies the creation of SPDX documents and reduces the cost of compliance across the software supply chain.
“SPDX license identifiers enable us to unambiguously capture all license information in a single line,” says U-Boot creator Wolfgang Denk. “This avoids a variety of problems for us including bloated source code, breakdown of automated processing due to variations in the way licenses are specified, and difficulty in generating License Clearing Reports. At the same time this makes U-Boot easier to maintain and for organizations using SPDX to adopt.”
New features in SPDX 1.2 include:
- A field to specify the license list version and one to describe file dependencies
- More flexibility in locally naming non-standard licenses
- Clarity with respect to case sensitivity for existing fields
- Fields to document notices, project homepage and author credits
- The ability to identify and map standard license headers
SPDX version 2.0 is expected in 2014 and will support hierarchy.
“With its latest release, the SPDX workgroup continues to improve the process for license compliance across multiple industries where Linux and open source software are dominant,” said Jim Zemlin, executive director at The Linux Foundation. “Investments in this area are important for increasing Linux and open source adoption, and we are happy to see these community contributions to SPDX.”
SPDX is developed with participation by a wide range of industry and open source community heavyweights, including: Alcatel-Lucent, Antelink, Black Duck Software, Cisco, HP, Linaro, Micro Focus, nexB, OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments, University of Nebraska Omaha, University of Victoria, and Wind River.
Currently the workgroup maintains a set of tools that complement community tools from University of Nebraska Omaha and commercial tools from Black Duck and Wind River. See: http://spdx.org/tools. To learn more about SPDX and participate, please visit: http://spdx.org
About The Linux Foundation
The Linux Foundation is a nonprofit consortium dedicated to fostering the growth of Linux and collaborative software development. Founded in 2000, the organization sponsors the work of Linux creator Linus Torvalds and promotes, protects and advances the Linux operating system and collaborative software development by marshaling the resources of its members and the open source community. The Linux Foundation provides a neutral forum for collaboration and education by hosting Collaborative Projects, Linux conferences, including LinuxCon, and generating original research and content that advances the understanding of Linux and collaborative software development. More information can be found at www.linuxfoundation.org.
###
Trademarks: The Linux Foundation, Linux Standard Base, MeeGo, OpenDaylight, Tizen and Yocto Project are trademarks of The Linux Foundation. OpenBEL is a trademark of OpenBEL Consortium. Linux is a trademark of Linus Torvalds.