Software licenses aren't very useful if no one adheres to them—and adhering to licenses gets tough quickly when you're dealing with complex supply chains of software whose numerous, ever-moving parts are licensed differently. That's why the Linux Foundation's Software Package Data Exchange (SPDX) working group has rolled out an updated specification designed to make open source licensing simpler.

Christopher Tozzi, Contributing Editor

May 12, 2015

2 Min Read
SPDX Updates Open Source License Compliance Standards

Software licenses aren’t very useful if no one adheres to them—and adhering to licenses gets tough quickly when you’re dealing with complex supply chains of software whose numerous, ever-moving parts are licensed differently. That’s why the Linux Foundation‘s Software Package Data Exchange (SPDX) working group has rolled out an updated specification designed to make open source licensing simpler.

SPDX provides a standard format for “communicating the components, licenses and copyrights associated with a software package,” and helps “facilitate compliance with free and open source software licenses by providing a uniform way license information is shared across the software supply chain,” according to the Linux Foundation.

Toward that end, version 2.0 of the specification, which the SPDX working group (which is hosted by the Linux Foundation and includes a number of major open source companies and organizations) released May 12 and which the Linux Foundation is calling “represents a major milestone for open source license compliance,” introduces several new features, including:

  • Support for relating SPDX documents to one another, which makes the specification “more useful for a broader range of uses, including exchanging clear data about software and modules in companies’ supply chains,” according to the Linux Foundation.

  • The ability to describe multiple packages within a single SPDX document.

  • Enhanced annotation support.

  • A new licensing expression syntax.

  • Support for additional file types and checksum algorithms.

  • Support for software from version-control systems (previously, SPDX worked only with software that was downloaded).

Most of the above is stuff that only programmers can fully appreciate. But for the broader open source world, SPDX is an important resource—even if it’s also one that’s hard to become excited about—since it makes it easier for developers to ensure that they are using open source licenses properly, and that their users do the same.

And because licenses—from the GNU General Public License to the Apache License to the FreeBSD licenses—serve as the bedrock of the free and open source software communities by defining what free and open source means, better licensing standards and tools are important for holding these communities together.

Read more about:

AgentsMSPsVARs/SIs

About the Author(s)

Christopher Tozzi

Contributing Editor

Christopher Tozzi started covering the channel for The VAR Guy on a freelance basis in 2008, with an emphasis on open source, Linux, virtualization, SDN, containers, data storage and related topics. He also teaches history at a major university in Washington, D.C. He occasionally combines these interests by writing about the history of software. His book on this topic, “For Fun and Profit: A History of the Free and Open Source Software Revolution,” is forthcoming with MIT Press.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like