The SPDX Mini Summit, held at the Open Source Summit North America 2023, brought together industry experts to discuss the latest developments in open source software. The focus of this year's session, though, was the software supply chain. The SPDX Mini Summit was thus one of the highlights of the event, drawing more interest and more attendees than ever before.
Steve Winslow, Counsel at Boston Technology Law, gave a talk on license compliance and the use of the new Licensing profile recently launched within the SPDX 3.0 release candidate (RC). This blog post summarizes Steve Winslow's talk and highlights key takeaways for professionals involved in license compliance. You can find the talk on SPDX's YouTube channel.
Licensing within SPDX: at its core and on its profile
SPDX was initially created with the primary purpose of representing licensing metadata for software. The representation of licenses and license-related information formed the foundation of SPDX. Over time, the SPDX project has evolved significantly to support a wide range of additional use cases beyond license compliance. Having said that, license-related metadata remains essential and it now has its own profile.
A concise definition of this profile reads: "The licensing profile includes capturing details relevant to software licensing. Specifically, the licensing profile and its associated definitions help express which licenses and copyright notices are determined by persons or automated tooling to apply to distributions of software. It includes classes and fields that comprise the SPDX Licensing model, as can also be expressed using the SPDX License Expression syntax, and that relate to the SPDX License List." (Expect a separate blog post on this soon.)
Components of the Licensing Profile
Steve discussed the various components of the licensing model within the profile. The model comprises classes and properties that enable the modeling of licenses, license combinations, and associated metadata. These components allow for a refined representation of licenses and facilitate better management of compliance obligations.
License Definitions and Property Names
Within the licensing model, two key concepts were highlighted: listed licenses and custom licenses. Listed licenses refer to licenses present in the official SPDX License List, while custom licenses are user-defined licenses. Steve emphasized the importance of utilizing SPDX license identifiers to ensure clarity and consistency.
A notable addition in SPDX 3.0 is the introduction of "custom license additions." These are a generalization of the "license exceptions" from the SPDX Exceptions List: supplementary texts that augment a license but are not themselves standalone licenses. They provide a way to represent modifications or exceptions to license conditions, improving transparency and understanding for legal teams involved in compliance processes.
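As an added illustration, not code from the talk or from the SPDX project's own tooling, the following Python script parses an SPDX license expression and sorts every identifier in it into the categories discussed above: listed licenses, custom licenses (the LicenseRef- prefix) and license additions, either from the Exceptions List or custom ones (the AdditionRef- prefix that accompanies SPDX 3.0's custom additions). It also enforces the expression grammar's precedence (OR below AND below WITH, with WITH attaching only to a single license), so malformed expressions are rejected rather than silently misread. The license and exception sets are a small constructed sample standing in for the real lists, and the identifiers LicenseRef-Acme-EULA and AdditionRef-Acme-Rider are made up for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Union

# Constructed sample of the SPDX License List and Exceptions List (the real lists are far longer).
LISTED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0", "GPL-2.0-only",
                   "GPL-2.0-or-later", "LGPL-2.1-only"}
LISTED_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}

CUSTOM_LICENSE_PREFIX = "LicenseRef-"    # custom license defined inside the SPDX document
CUSTOM_ADDITION_PREFIX = "AdditionRef-"  # custom license addition (SPDX 3.0)


class ExpressionError(ValueError):
    """Raised for a malformed license expression."""


@dataclass(frozen=True)
class License:
    id: str
    or_later: bool = False  # set by the deprecated trailing '+' form, e.g. GPL-2.0+

    @property
    def kind(self) -> str:
        if self.id in LISTED_LICENSES:
            return "listed"
        return "custom" if self.id.startswith(CUSTOM_LICENSE_PREFIX) else "unknown"


@dataclass(frozen=True)
class With:
    license: License
    addition: str

    @property
    def addition_kind(self) -> str:
        if self.addition in LISTED_EXCEPTIONS:
            return "listed"
        return "custom" if self.addition.startswith(CUSTOM_ADDITION_PREFIX) else "unknown"


@dataclass(frozen=True)
class Compound:
    op: str          # "AND" or "OR"
    left: "Node"
    right: "Node"


Node = Union[License, With, Compound]

# Tokens are parentheses or identifier runs; ':' allows DocumentRef-x:LicenseRef-y.
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.:+-]+")
_KEYWORDS = {"AND", "OR", "WITH"}


def _tokenize(text: str) -> list:
    tokens = _TOKEN_RE.findall(text)
    # Anything the regex skipped (other than whitespace) is an illegal character.
    if "".join(tokens) != re.sub(r"\s+", "", text):
        raise ExpressionError(f"illegal characters in expression: {text!r}")
    return tokens


class _Parser:
    """Recursive-descent parser; precedence from lowest to highest: OR, AND, WITH."""

    def __init__(self, tokens: list):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ExpressionError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse_or(self) -> Node:
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = Compound("OR", node, self.parse_and())
        return node

    def parse_and(self) -> Node:
        node = self.parse_with()
        while self.peek() == "AND":
            self.take()
            node = Compound("AND", node, self.parse_with())
        return node

    def parse_with(self) -> Node:
        node = self.parse_primary()
        if self.peek() == "WITH":
            self.take()
            if not isinstance(node, License):  # WITH may only qualify a single license
                raise ExpressionError("WITH must follow a single license, not a group")
            addition = self.take()
            if addition in _KEYWORDS or addition in ("(", ")"):
                raise ExpressionError(f"expected an addition identifier, got {addition!r}")
            node = With(node, addition)
        return node

    def parse_primary(self) -> Node:
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ExpressionError("missing closing parenthesis")
            return node
        if tok == ")" or tok in _KEYWORDS:
            raise ExpressionError(f"unexpected token {tok!r}")
        return License(tok[:-1], or_later=True) if tok.endswith("+") else License(tok)


def parse(expression: str) -> Node:
    parser = _Parser(_tokenize(expression))
    node = parser.parse_or()
    if parser.peek() is not None:
        raise ExpressionError(f"trailing token {parser.peek()!r}")
    return node


def to_string(node: Node) -> str:
    """Render the tree back to text with explicit parentheses showing the parsed grouping."""
    if isinstance(node, License):
        return node.id + ("+" if node.or_later else "")
    if isinstance(node, With):
        return f"{to_string(node.license)} WITH {node.addition}"
    return f"({to_string(node.left)} {node.op} {to_string(node.right)})"


def classify(expression: str) -> dict:
    """Bucket every identifier: on the list, a custom definition, or unknown (needs review)."""
    buckets = {k: set() for k in ("listed", "custom", "unknown",
                                  "additions_listed", "additions_custom", "additions_unknown")}

    def walk(node: Node) -> None:
        if isinstance(node, Compound):
            walk(node.left)
            walk(node.right)
        elif isinstance(node, With):
            buckets["additions_" + node.addition_kind].add(node.addition)
            walk(node.license)
        else:
            buckets[node.kind].add(node.id)

    walk(parse(expression))
    return buckets


if __name__ == "__main__":
    expr = "(GPL-2.0-only WITH Classpath-exception-2.0 OR LicenseRef-Acme-EULA) AND MIT"
    print(to_string(parse(expr)))
    for name, ids in classify(expr).items():
        if ids:
            print(f"{name}: {sorted(ids)}")
```

The "unknown" buckets are the useful output for a compliance reviewer: an identifier that is neither on the list nor declared with a LicenseRef-/AdditionRef- prefix is exactly the kind of ambiguity Steve's talk warns against, since downstream tools cannot tell which license text it refers to.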
To improve interoperability and ease of understanding, SPDX 3.0 focuses on rationalizing and unifying property names across different types of software. While the definitions and usage may vary, aligning common terms for properties enables better communication and collaboration among stakeholders involved in compliance activities.
Benefits of the Licensing Profile
The licensing profile in SPDX offers several benefits for license compliance use cases. By providing standardized models and properties, it simplifies the representation and interpretation of licenses, reducing confusion and ambiguity. The separation of licensing information into a dedicated profile enhances the scalability and extensibility of SPDX, accommodating diverse compliance requirements across industries.
Open Issues and Future Developments
Steve acknowledged that there are open issues and discussions surrounding the licensing profile. These discussions, addressing both technical and substantive questions, will continue in upcoming SPDX legal team calls and joint sessions with the technical team. The goal is to refine the licensing profile further and ensure its readiness for the upcoming SPDX 3.0 release.