This is a great article on SPDX and answers a lot of common questions people have: “SPDX Could Help Organizations Better Manage Their Thickets of Open Source Licenses“, by Swapnil Bhartiya.
SPDX will be meeting at the Linux Foundation 2017 Leadership Summit, being held 14-16 Februrary 2017. Information on the summit including hotels, travel and so forth is located here: http://events.linuxfoundation.org/events/open-source-leadership-summit .
This is the proposed Agenda. It is subject to change as we work the final few details out. We are also looking into getting a web share and conference phone set up for those who would like to listen in and cant attend in person. More details to follow, but it would be on best effort case. If you need an invitation code to register, please contact Kate Stewart . We hope to see everyone there!
Februrary 16th (Proposed Agenda)
9am – 10am Jilayne Lovejoy – XML working session (not on schedule). Will be summarized at the 12-12:30 session.
11am-12 pm Matt Germonprez – presenting survey results on use of SPDX. UNO has been doing interviews with SPDX users will present the results of their research on what’s working, what’s not. This is to set context for brainstorming on ways to help adoption of SPDX, discuss the issues, and possible solutions
12- 12:30 pm Jilayne Lovejoy – Review of status of XML tooling for license list and discussion of next steps needed.
1:30-2pm Mark Gisi – License expression – Review of status, and overview of problems to be tackled in 2017.
2:00-3:00 Gary O’Neall – Git plugin tooling and other tool roadmaps – Discuss scope of request to generate SPDX documents directly from GIT with a GIT plugin, which existing tools can be leveraged and plan
3:00-4:00 Yev Bronshteyn – Future File formats supported by SPDX. Yev will provide some examples of different formats based on an updated set of SPDX tools (JSON, TURTLE, …). This is to provide context for further discussions on this in 2017 and do some preliminary brainstorming on what will help the community.
4:00-5:00 Additional Topics.
Outside of meeting: Wiki team cleanup – Kate, Jack, Jilayne and Gary to do the cleanup – everyone welcome to join. Contact Jack, Kate, Gary or Jilayne
On Jan. 29, we will be moving the primary repository for the SPDX tools and License List from git.spdx.org over to github.com/spdx. this change will allow us to take better advantage of many github collaboration tools and will reduce the effort in maintaining the SPDX tools.
This will not have any impact on how the binaries are downloaded (they are already hosted on github.com/spdx).
For some time, we have been mirroring the repositories from git.spdx.org over to github.com/spdx. If you are already using github.com/spdx for read-only access the license list or tools source code, there will be no change. If you are accessing git.spdx.org, you should switch your repository access to github.com/spdx prior to January 29th. If you are a committer of code to one of the repositories on git.spdx.org, please email gary@sourceadutior.com with your github username and he will make sure you are setup for the transition.
Here are the fine detials:
If you are accessing git.spdx.org for read access to the repository:
If you are a committer to one of the git.spdx.org repositories:
The SPDX tech team will be hosting an SPDX Tools BakeOff at LinuxCon Europe on 6 October 2016.
Particpation can be remote by phone or in person. The Bake-off (aka Plugfest) will focus on comparing SPDX Documents generated with SPDX specification 2.1 featues along with any questions people may have.
For more information and how to partipate, please read Background info for the SPDX 2.1 Bake-off in LinuxCon Europe.
If you have questions, please send email to spdx-tech@spdx.org
These are critical areas where we could use help from the community right now:
There is always lots to do, even if you dont have much time, so let us know if you would like to help on this or something else.
As you can see, the SPDX work group has launched a new website. Working with the Linux Foundation the group’s Outreach Team created the site with a new look and feel and sporting a new logo which aligns with the foundation’s other collaborative projects. The new site is designed to be very easy to navigate for experienced users and those just learning about SPDX as well. Large “How can we help?” buttons on the home page help one to navigate to the content most relevant to their needs. The site retains all of the content of the previous site plus valuable new content including easy to read, HTML versions of the spec itself and How Tos for those wanted to get started using SPDX. This is the first major overhaul to the site since it was launched five years ago and represents a great step forward in making the SPDX standard accessible.
SPDX License List: The year in review
by Jilayne Lovejoy, Legal team Co-Chair
Version 2.2 of the SPDX License List is now available and it seemed like a good opportunity to provide a summary of updates that have occurred over the last few releases and other related news.
In case you are new here, the SPDX License List is a list of commonly found open source licenses and exceptions for the purposes of being able to easily and efficiently identify such licenses and exceptions in an SPDX document (or elsewhere). The SPDX License List includes a standardized short identifier, full name for each license, vetted license text, other basic information, and a canonical permanent URL for each license and exception. The master files for the license list comprise of a spreadsheet and text files. From this data, the HTML web pages at spdx.org/licenses are generated. There are other ways to access this data, including RDFa machine readable access and a JSON file. For more information, check out the tech report, Accessing SPDX Licenses.
As of version 2.2, the SPDX License List contains 306 licenses and 24 license exceptions. The spreadsheet in the master files includes columns indicating changes for each release, but here are some highlights of the last four releases:
Version 1.20 saw the biggest single increase in the number of licenses added at 87. 77 of these new licenses were a direct result of the SPDX legal team going through the Fedora license list to attempt to provide more cross-list representation. Although not every license on the Fedora list is on the SPDX License List, this was a huge step in the right direction. A cross-reference of short identifiers is available, as well as a list of Fedora licenses that are not (yet?) on the SPDX License List. If you want to see something added from here or help further this work, please let us know!
Version 2.0 was a big change for both the SPDX specification and the license list. The addition of the license expression syntax now allows greater flexibility in representing licenses or license combinations. This included the + operator to indicate an “or later” license and the “with” operator to indicate a license exception. Consequently, some licenses were deprecated and exceptions were moved to their own list to allow for this new expression language in v2.0.
Also as of version 2.0, the legal team decided to implement a quarterly release of the license list to provide more predictability. Of course, if circumstances warrant a sooner release or if there are no changes during a quarter, then we will adjust that schedule as needed.
Version 2.1 added 5 new licenses and 12 new license exceptions. A lack of exceptions was always been a weak point for the SPDX License List. A couple members of the Legal team scoured the internet for as many license exceptions as they could find, with the goal of adding more license exceptions post-2.0 release. As such, we added 12 licenses exceptions in version 2.1 and 3 more in version 2.2 from this research and will continue to explore other additions.
Version 2.1 and 2.2 also saw 5 new licenses added each. These licenses included a few more from the Fedora list review that needed clarification.
So, now you are up-to-date with changes to the license list. A huge thanks to the participating members of the SPDX legal team who come together every couple weeks to make this all happen, as well as other work in between! Look for the 2.3 release just in time for the New Year.
See what Eric had to say about SPDX and the use of the SPDX License Identifier in your source code:
The Supply Chain Mini-Summit aims to bring together researchers, implementers and assurance professionals from supply chain, license compliance and security domains to explore ways we can improve the automation of information to create a more efficient and accountable software supply chain. We will be looking at ways to make compliance information more transparent, accurate and accessible; as well as how we can link it in to the security vulnerabilities and weaknesses in a more effective manner. For more information go here: Supply Chain Summit
