April 26, 2019

Linux Compliance Hits Milestone with SPDX 1.0

  • August 18, 2011
  • By Sean Kerner

The issue of open source license compliance is not a difficult one to deal with if you know what to look for.

That's where the new Software Package Data Exchange (SPDX) standard comes into play. The SPDX 1.0 release is being made at the Linux Foundation's LinuxCon event in Vancouver. SPDX is a working group of the Linux Foundation.

According to the Linux Foundation, the SPDX standard defines a standard file format that lists detailed license and copyright information for a software package and each file it comprises.

"SPDX solves a problem that came from big trends," Jim Zemlin, Executive Director of the Linux Foundation, told InternetNews.com. "One being the increased use of open source software to create devices and also the increased importance and complexity of software in general."

Zemlin noted that what is most interesting to him about SPDX is that it is a collaborative effort among multiple stakeholders, including industry and the open source community. With SPDX, industry is able to more effectively use open source software and comply with its associated licenses.

"SPDX is a real critical component as lots of large vendors can now adopt it across their supply chains and create more transparency in open source usage," Zemlin said. "It makes it easier for people to comply with open source licenses as they will now know where components came from and what's in the product."

Zemlin explained that SPDX is a metadata standard and that vendors will self-certify against it. He added that the Linux Foundation will, however, make sure that SPDX is being used properly. Zemlin noted that the 1.0 milestone required time and effort to get right, as all the various stakeholders worked on it to make sure it was complete.

"It has taken a while, and this is now the 1.0 release," Zemlin said. "We're looking forward to seeing support for SPDX from large vendors that will use it in their supply chains and from commercial software vendors."

The SPDX 1.0 milestone is an extension of the Linux Foundation's Compliance efforts, which launched at LinuxCon 2010.

One issue sometimes confused with open source licenses and compliance is the issue of patents. Zemlin noted that software patents are a different issue from what SPDX and compliance are all about.

"Compliance effort is dealing with license compliance," Zemlin said. "It is limited in its scope with how to make the lives of people that consume open source software for product easier to comply with licenses."

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.
