SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.
The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.
The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.
SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by three sub-groups: the tech team, the legal team, and the outreach team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.
The SPDX project is composed of:
- The SPDX Specification itself
- The SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
- SPDX tools and libraries for working with the SPDX documents and SPDX License List
- SPDX represents data in formats that are both machine- and human-readable.
- SPDX focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.
- SPDX makes no legal interpretations (of licenses or license compliance).
- SPDX facilitates the efficient exchange of metadata in the supply chain.
The SPDX Governance model is described in full and documentation is available in the SPDX governance repository at https://github.com/spdx/governance.
A Short History of SPDX
Specification drafting began in a work-group of FOSSBazaar under Linux Foundation that came to be called SPDX
SPDX announced as one of the pillars of the Linux Foundation's Open Compliance Program
SPDX 1.0 specification released - handles packages
SPDX 1.1 specification released - fixed flaw in verification algorithm
SPDX 1.2 specification released - improved interaction with license list, additional fields for documenting project info
SPDX 2.0 specification released - added ability to handle multiple packages, relationships between packages and files, annotations
SPDX 2.1 specification - added snippets, support for associating packages with external reference sources of information about packages, using SPDX License identifiers in files
SPDX 2.1.1 - conversion of specification from google docs to github as repository
SPDX 2.2 - new SPDX-Lite profile, more external repository identifiers, relationships, fields.
SPDX 2.2.1 - conversion of specification to format for ISO & submission
SPDX published as ISO/IEC 5962:2021