The Linux Foundation Projects
Skip to main content

Unpacking the SPDX 3.0 Tooling Mini Summit: A New Era of Compliance and Security

By June 14, 2023No Comments

The Software Package Data Exchange (SPDX) 3.0 Tooling Mini Summit recently hosted by the Linux Foundation at Open Source Summit North America stands as a significant milestone in the evolution of compliance and security in the realm of software supply chains. The event brought together an array of tooling operators, maintainers, and developers with a shared goal: To explore, understand, and streamline the integration of the newly minted SPDX 3.0 release candidate model and profiles into tools that generate and consume SPDX documents. 

This Mini Summit provided a comprehensive overview of the SPDX 3.0 specification. Participants gained a clear understanding of the differences between the 3.0 and its predecessor, the 2.2 and 2.3 specifications. Importantly, the event also delved into potential transition paths for tools, assisting developers and maintainers in seamlessly upgrading to this new iteration of SPDX. SPDX 3.0 is all about harnessing the possibilities that this renewed interest in the software supply chain provides. This is the time to get serious with proper software package communication!

Profiles: catering the user’s needs

One of the event’s key focuses was the new profiles within SPDX 3.0, and how these could be utilized for various compliance and security use cases. The profiles represent a significant upgrade in the standard, offering users more flexibility and specificity in managing their software components. These profiles are especially crucial in the context of the recent Executive Order (EO) 14028, which calls for a more secure software supply chain in government applications. This and other regulations are bringing together many kind of professionals with different backgrounds and incentives. For many, using SPDX can feel daunting at first, considering that SPDX is a broad international standard and that is a good thing. As any vocabulary, taxonomy or ontology, the broader, the more varied and the more ground it covers the better. But, consuming a broad vocabulary like SPDX is too much for new comers. Profiles are the solution for that: they are designed with specific use cases in mind so that applying them means a smaller cognitive load and a faster solution of the domain-specific problem.

Project lead Kate Stewart and AI and Data profile co maintainer Karen Bennet

Overall, the SPDX 3.0 Tooling Mini Summit has proven to be a critical juncture in the ongoing journey of SPDX. It marks the beginning of a new era of enhanced compliance and security in software supply chains, serving as an exciting glimpse into what the future of software compliance, transparency and security could look like. If you are a tooling operator, maintainer, or developer interested in harnessing the power of the SPDX 3.0 specification, especially in light of EO 14028, Europe’s CRA and other regulations to come, these discussions promise to be instrumental in your endeavors.

What got covered? Quite a lot, mind you!

The SPDX 3.0 Tooling Mini Summit kicked off with an exhaustive overview of SPDX 3.0, delivering a comprehensive understanding of this new iteration in the SPDX series. The session further delved into highlighting the stark differences between the 2.x and the 3.0 specifications, also focusing on crucial aspects of migration from the former to the latter. A significant portion of the event was devoted to educating participants on the ways to utilize profiles for varying use cases.

The summit emphasized the versatility of SPDX 3.0, illustrating how to utilize profiles for diverse scenarios such as license compliance, security, and even Artificial Intelligence. Attendees had the opportunity to gain insights into the ways to harness the build profile effectively, illuminating yet another practical application of this robust specification. Moreover, participants were given a walkthrough on how Vex integrates with SPDX, providing a practical demonstration of the standard in action.

The event rounded off with a deeper exploration into the SPDX 3.0 transition paths for tools, guiding tooling operators, maintainers, and developers on the best practices to integrate this new standard into their work. Lastly, an open round table discussion gave attendees the chance to discuss the present challenges with tools, ask questions, and offer potential solutions, fostering a collaborative environment to further the cause of SPDX.

The closing round table also focused on the future of SPDX in 2023. Attendees engaged in a robust conversation about the gaps that currently exist and the goals that the SPDX community should set to achieve its vision for 2023.

Find the complete list of recording here:

Is there appetite for more? SPDX 3.0 Mini Summit OSS Europe maybe? Stay tuned!!