Overview

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

Our Mission

The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.

Our Vision

The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

About

SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by two sub-groups: the tech team and the legal team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.

The SPDX project is composed of:

  • The SPDX Specification itself
  • The SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
  • SPDX tools and libraries for working with the SPDX documents and SPDX License List

Guiding Principles

  • SPDX represents data in formats that are both machine- and human-readable.
  • SPDX focuses on collecting and communicating facts, and provides a framework to make assertions about those facts.
  • SPDX makes no legal interpretations (of licenses or license compliance).
  • SPDX facilitates the efficient exchange of metadata in the supply chain.

Governance Model

The SPDX Governance model is based on the Meritocratic Governance model used by the Apache Software Foundation as described at OSS Watch and is documented here.

A Short History of SPDX

  1. February 2010: Specification drafting began in a work-group of FOSSBazaar under the Linux Foundation that came to be called SPDX.
  2. August 2010: SPDX announced as one of the pillars of the Linux Foundation's Open Compliance Program.
  3. August 2011: SPDX 1.0 specification released - handles packages.
  4. August 2012: SPDX 1.1 specification released - fixed flaw in verification algorithm.
  5. October 2013: SPDX 1.2 specification released - improved interaction with license list, additional fields for documenting project info.
  6. May 2015: SPDX 2.0 specification released - added ability to handle multiple packages, relationships between packages and files, annotations.