Skip to main content
Category

In the News

SPDX Announces 3.0 Release Candidate with New Use Cases

By Announcements, In the News

VANCOUVER, May 8, 2023 – We are delighted to announce the release of the SPDX 3.0 Release Candidate, the first in a series of releases that will lead to the general availability of SPDX 3.0. This is a significant milestone for the SPDX project, and we are thrilled to share some of the exciting features included in this release candidate.

We have developed six profiles to address the most popular SBOM generation and consumption use cases, with a particular focus on security, licensing, AI, datasets, and software packaging build processes. These profiles have been created with input from the broad SPDX community, representing almost all industries where software has become a critical part of their infrastructure. These new profiles will ensure SPDX meets the needs of the global software supply chain, and we are confident they will provide significant benefits to those who adopt them. Increasing supply chain transparency through consensus-built and machine-readable will be essential to meet the cybersecurity goals of emerging regulation in America, Europe, and beyond.

Our goal with SPDX 3.0 is to extend the SPDX standard into exciting new use cases, making it easier to onboard and consume for software engineers, security professionals, and legal and compliance professionals. With the recent push from the United States government (EO 14028) and the European Union (Cyber Resiliency Act) to secure software dependency and supply chains, there is a clear need for an international standard that is actionable and usable. SPDX 3.0 aims to be that standard and serve as the toolkit that underpins software supply chain and dependency chain transparency and security.

We encourage the SBOM tooling community to provide feedback on the specification, model, and profiles in this SPDX 3.0 release candidate. Your input is crucial to the success of the SPDX project, and we value your contributions and engagement highly.

Please visit the SPDX 3.0 Model on GitHub with all relevant repos for more information about the release candidate and how you can get involved in the project. For more general information about SPDX itself, please visit the SPDX website at spdx.dev. Thank you for your continued support of SPDX. We cannot wait to hear your feedback and work with you to continue advancing the software industry.

Contact

Jordi Mon Companys

jmon@contractor.linuxfoundation.org



Media Contact

Jordi Mon Companys

jmon@contractor.linuxfoundation.org

SPDX Specification is now an ISO Standard

By In the News

After much hard work and anticipation, we are proud to announce that the SPDX Specification is now an ISO Standard! We want to thank everyone who helped make this happen. This represents a significant milestone for the project and will help industry adoption of standardized Software Bill of Materials.

Specification: ISO/IEC 5962:2021 .

Our press release: SPDX Becomes Internationally Recognized Standard for Software Bill of Materials.

Although it has become an ISO Standard, we will continue to develop and evolve the SPDX specification in the open via our community using our GitHub Repository.

– SPDX Core Team

SPDX Specification submitted to ISO

By In the News

On August 20th,  the Software Package Data Exchange® (SPDX®) specification was submitted to ISO for consideration as a Publicly Available Specification.  The Joint Development Foundation (which is part of the Linux Foundation) submitted the specification to JTC1 for balloting.   We are now awaiting feedback from the coordinators, and hope to see it available for balloting soon.

License List 3.0 Released!

By In the News

by Jilayne Lovejoy, Legal team Co-Chair

On December 28th, 2017, version 3.0 of the SPDX License List was released. This marks the achievement of several significant milestones for the project and represents over a year’s worth of work by members of both the legal and tech teams. Below is a summary of some of the key changes that are the foundation for improved maintainability and usability of the SPDX License List into the future.

A new master format for the SPDX License List

Since its inception, the master format for the SPDX License List was a spreadsheet and text files. From these master files, other consumable formats, such as the web pages and other formats were generated. While this format was straight-forward, it was mostly maintained by one person, did not lend itself to collaboration, and thus, was not scalable for the growing magnitude and use of the SPDX License List.

Various proposals were discussed to both move away from the spreadsheet format and also improve the implementation of the matching guidelines in the master files. A format using an XML-style template for each license and tags for the various fields and matching guidelines was developed.

Converting from the old format to the new was no small task. This required an initial automated conversion followed by human checking of all 396 licenses and exceptions, some clean-up after that, and a lot of discussion to finalize the XML format along the way.  The result is a new format for the SPDX License List master files as of version 3.0.

Better guidance for matching

The SPDX License List has long included matching guidelines to ensure consistent identification of licenses and use of SPDX identifiers. While the matching guidelines are human-readable/understandable, they pose challenges for full implementation in tools. This means tool-makers have been left to sort out the implementation, which can result in inconsistent matching across tools.

The new XML format captures items like bullets, copyright notices, licenses, and optional text in XML elements.  This additional information allows for tools to provide better matching as per the matching guidelines.

Since release 1.2 of the SPDX specification,  SPDX supported a template format which includes variable (or alternate) text and optional text.  Elements such as bullets, titles and copyrights are translated into templates including the appropriate optional and variable text.  With the introduction of the XML format and the significant work provided by the SPDX legal team, the number of variable or optional tags has increase from 85 in the 2.6 version of the license list to over 6,400 in the new 3.0 license list.

While this format will initially only be used internal to the SPDX legal team, that is, to generate the other consumable formats, eventually once hardened, the XML format will enable more consistent and precise implementation of the matching guidelines by license matching tools/scanners.

Clarified Identifiers for GNU Licenses

In a collaborative effort between the Free Software Foundation (FSF) and the SPDX working group to help facilitate clarity and better license identification practices, we have updated the short identifiers for the GNU family of licenses to support more precise and consistent usage.

SPDX has always had a way to identify the “this version only” and “any later version” options, for example via GPL-2.0 and GPL-2.0+ respectively. In practice, however, GPL-2.0 was not always used  to mean “only version 2” as defined in the SPDX License List.  It was often used by default to refer to the GPL version 2 text as drafted to include this version or any later version.  The FSF was concerned about the potential confusion this could cause. Richard Stallman has posted an article explaining the background for this aspect of the GNU licenses and the root concern about copyright holders not identifying or being unclear regarding which option is intended.

By providing identifiers that are explicit as to “this version only” and “any later version”, we can be sure that SPDX users are reminded of the difference and that the right information is communicated.

As such, the next release of the SPDX License List v3.0 will reflect the changes to the GNU family of licenses following this pattern:

GPL-2.0-only

GPL-2.0-or-later

For each GNU license, the SPDX License List now contains a specific item and identifier for the two variations. The + operator is retained and can still be used with other licenses.

Why 3.0 and not 2.7?

A major version numbering change was used with this release to act as a clear signal to users of the license list, that this release wasn’t a business as usual.  Given the significance of the changes on how licenses are represented internally, new tooling is now possible to improve the fidelity of license recognition.   In addition, the short form identifier naming changes to address the FSF concerns with how the GPL licenses are represented and deprecation of the prior GNU license identifiers will impact some projects.

Conclusion

We want to thank everyone who made this release possible, as it was truly a team effort!

Linux Kernel is using SPDX Identifiers

By In the News

“Observers of the kernel’s commit stream or mailing lists will have seen a certain amount of traffic referring to the addition of SPDX license identifiers to kernel source files. For many, this may be their first encounter with SPDX. But the SPDX effort has been going on for some years; this article describes SPDX, along with why and how the kernel community intends to use it. ”

For more see the article by Jonathan Corbet of LWN “SPDX Identifiers in the Kernel”.