SPDX Announces 3.0 Release Candidate with New Use Cases
The Linux Foundation | 08 May 2023
VANCOUVER, May 8, 2023 – We are delighted to announce the release of the SPDX 3.0 Release Candidate, the first in a series of releases that will lead to the general availability of SPDX 3.0. This is a significant milestone for the SPDX project, and we are thrilled to share some of the exciting features included in this release candidate.
We have developed six profiles to address the most popular SBOM generation and consumption use cases, with a particular focus on security, licensing, AI, datasets, and software packaging build processes. These profiles have been created with input from the broad SPDX community, representing almost all industries in which software has become a critical part of the infrastructure. These new profiles will ensure SPDX meets the needs of the global software supply chain, and we are confident they will provide significant benefits to those who adopt them. Increasing supply chain transparency through consensus-built, machine-readable SBOMs will be essential to meet the cybersecurity goals of emerging regulation in America, Europe, and beyond.
Our goal with SPDX 3.0 is to extend the SPDX standard into exciting new use cases, making it easier to onboard and consume for software engineers, security professionals, and legal and compliance professionals. With the recent push from the United States government (EO 14028) and the European Union (Cyber Resilience Act) to secure software dependency and supply chains, there is a clear need for an international standard that is actionable and usable. SPDX 3.0 aims to be that standard and to serve as the toolkit that underpins software supply chain and dependency chain transparency and security.
We encourage the SBOM tooling community to provide feedback on the specification, model, and profiles in this SPDX 3.0 release candidate. Your input is crucial to the success of the SPDX project, and we value your contributions and engagement highly.
Please visit the SPDX 3.0 Model on GitHub, which links to all relevant repos, for more information about the release candidate and how you can get involved in the project. For more general information about SPDX itself, please visit the SPDX website at spdx.dev. Thank you for your continued support of SPDX. We cannot wait to hear your feedback and work with you to continue advancing the software industry.
Media Contact
Jordi Mon Companys
jmon@contractor.linuxfoundation.org
About The Linux Foundation
The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.