Learn

Overview

This page is designed to give you an overview of SPDX. You should learn a bit about who we are and why we do this and why SPDX is part of the solution.

  • If you are interested in Participation go here.
  • If you would like to Learn more about how to use SPDX go here.
  • If you are interested in our History, Governance Model or Mission/Vision go here.

You can also get some more background on SPDX by continuing on this page.

What is SPDX?

First and foremost, we are a community dedicated to solving the issues and problems around Open Source licensing compliance. The SPDX workgroup consists of individuals, company representatives, foundations, and organizations who use or are considering using the SPDX standard. The workgroup operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds, including open source developers, lawyers, consultants and business professionals, many of whom have been involved with License Compliance and identification for years.

The SPDX community has developed a set of collateral that can be used to more clearly convey complete license information in a standard/reusable fashion and to facilitate compliance. The advantages of this are:

  • Establishing a common data format (SPDX Documents) allows more effort to be expended on license compliance. After all, license compliance can only begin once all software and associated licenses have been identified in a particular code base.
  • The content of an SPDX document comprises information definitively identifying the software package, along with package-level and file-level licensing and copyright information. It also provides metadata about the analysis itself: who created the file, when, and how.
  • Standard formats allow for tooling to be created to make the process more efficient and to allow more complex compliance operations to take place.

Key Facts About SPDX

It's a Standard

We have developed several pieces of collateral over the years to help solve the problem:

  • The SPDX License List
  • The SPDX Specification
  • Source Identifiers for code
  • A standard format for communicating the components, licenses, and copyrights associated with a software package
  • Key pillar in Linux Foundation’s Open Compliance Program

Our Guiding Principles

  • Human and machine readable formats
  • Focus on capturing facts; avoid interpretations

Our Vision

  • To help reduce redundant work in determining software license information and to facilitate compliance

Why is it needed?

Look at the figure below. Does this seem familiar?

As a company you are often faced with:

  • Surprises with licensing of the software and binaries given to you by Suppliers.
  • The need to develop your own Bill of Materials for suppliers to fill out (as there has not been a standard until now).

As a Supplier, you are often faced with:

  • Every customer wants a bill of materials in a different form.
  • Surely this open source package has been analyzed before.

These are unsustainable models on both ends.

That Bill of Materials is SPDX, which is part of the solution.

Is this really important?

We think so, and we work in this field.

In 2013, the SPDX community conducted a survey of organizations and people to see what they thought as well. The results of this survey were that most people/organizations polled believe this to be important/very important.

Who is using it?

As with other standards, adoption is often slower than expected, but interest is certainly on the rise from both open source projects and companies. Check out our SPDX in action column to see what others are doing and/or the Examples in the Use Section.

I'd Like to Learn More

We’re happy you would like to learn more about SPDX! You can do so by going to our Use Section to get more details and examples of how SPDX is being used. The General Meeting is for all SPDX participants and is held once a month. You are invited to join the call, as we frequently have a guest speaker from business or the community who presents on their use of SPDX. It’s a great way to see what others are doing and to share and ask questions.