Software Product Data Exchange (SPDX)
Promoting open source compliance through standard communication of software licenses.
Develop and promote adoption of a specification to enable any party in a software supply chain, from the original author to the final end user, to accurately communicate the licensing information for any piece of copyrightable material that such party may create, alter, combine, pass on, or receive, and to make such information available in a consistent, understandable, and re-usable fashion, with the aim of facilitating license and other policy compliance.
The vision of SPDX is to achieve license compliance with minimal cost across the supply chain. Ideally, upstream component developers begin the process by supplying SPDX files as part of their downloads. Users of those components then have a starting point for the SPDX files they create for their own "customers," and so on down the chain. If everything is working properly, the provenance of each piece of code is researched and documented only once during its journey through a supply chain, and that information travels alongside the code in the SPDX format.
Development of SPDX is run somewhat like an open source project: those who participate have influence, and decisions tend to be made by consensus. The spec itself is written by a technical team with input and support from business and legal teams. Although much of the initial focus was on Linux, and the project is under the auspices of the Linux Foundation, the strategy from the outset has been much broader: to be applicable to anything open source. To accommodate a range of needs, SPDX can be implemented in XML or tag-value formats.
The SPDX "IP" is all housed on this site. Most of that is embodied in the spec itself, but we have developed a number of separate assets that complement the specification, including a standard license list, implementation guidelines and the SPDX compatible tools.
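The paragraphs above describe SPDX documents travelling with code through a supply chain, the tag-value serialization, and the standard license list that consumers check against. The following is an added example (not SPDX project code or one of the tools it lists): a small parser for the tag-value format, a checker for SPDX license expressions (AND, OR, WITH, parentheses), and a review pass that flags packages whose concluded license is outside an allow-list. The sample document, the package names and URLs in it, and the allow-list (a hand-picked subset of SPDX License List identifiers) are all constructed for illustration.

```python
"""Added example: parse an SPDX tag-value document and review each package's
concluded license against an allow-list.  Not SPDX project code."""
import re

# Constructed SPDX 2.x tag-value document, as an upstream developer might
# ship beside a download.  Names, URLs and dates are illustrative only.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-lib-1.0
DocumentNamespace: http://example.invalid/spdxdocs/example-lib-1.0
Creator: Tool: hand-written-example
Created: 2017-06-01T00:00:00Z

## Package information
PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
PackageDownloadLocation: http://example.invalid/example-lib-1.0.tar.gz
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: (MIT OR Apache-2.0)
PackageCopyrightText: <text>Copyright 2017 Example Contributors
All rights reserved.</text>

## A vendored component under a license that is not on the allow-list
PackageName: vendored-thing
SPDXID: SPDXRef-Package-vendored-thing
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
"""

# Constructed allow-list: a subset of SPDX License List identifiers.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def parse_tag_value(text):
    """Return {'document': {tag: value}, 'packages': [{tag: value}, ...]}.
    Handles '#' comments and multi-line <text>...</text> values; each
    PackageName tag starts a new package section."""
    lines = text.splitlines()
    doc, packages, current, i = {}, [], None, 0
    current = doc
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9]+):\s*(.*)$", line)
        if not m:
            raise ValueError("malformed line %d: %r" % (i, line))
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):
            parts = [value[len("<text>"):]]
            while not parts[-1].endswith("</text>"):
                if i >= len(lines):
                    raise ValueError("unterminated <text> for " + tag)
                parts.append(lines[i])
                i += 1
            value = "\n".join(parts)[:-len("</text>")]
        if tag == "PackageName":
            current = {}
            packages.append(current)
        current[tag] = value
    return {"document": doc, "packages": packages}


def expression_allowed(expr, allowed):
    """Evaluate an SPDX license expression: AND needs every operand allowed,
    OR needs at least one, 'id WITH exception' is checked as a single id."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            rhs = parse_and()
            v = v or rhs
        return v

    def parse_and():
        nonlocal pos
        v = parse_atom()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            rhs = parse_atom()
            v = v and rhs
        return v

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: " + expr)
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            v = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in " + expr)
            pos += 1
            return v
        if pos < len(tokens) and tokens[pos].upper() == "WITH":
            if pos + 1 >= len(tokens):
                raise ValueError("WITH without exception in " + expr)
            tok = "%s WITH %s" % (tok, tokens[pos + 1])
            pos += 2
        return tok in allowed

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in " + expr)
    return result


def review_document(text, allowed):
    """Return [(package name, concluded license, allowed?)]; NOASSERTION and
    NONE are reported as not allowed so they get a human look."""
    report = []
    for pkg in parse_tag_value(text)["packages"]:
        concluded = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        ok = concluded not in ("NOASSERTION", "NONE") and expression_allowed(concluded, allowed)
        report.append((pkg["PackageName"], concluded, ok))
    return report


if __name__ == "__main__":
    for name, lic, ok in review_document(SAMPLE_SPDX, ALLOWED):
        print("%-16s %-14s %s" % (name, lic, "ok" if ok else "REVIEW"))
```

The review deliberately keys on PackageLicenseConcluded rather than PackageLicenseDeclared: the declared value is what upstream asserts, while the concluded value is what the SPDX author verified, which is the provenance work the page says should be done once and passed down the chain.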
Software Product Data Exchange (SPDX) 2017 Projects
GitHub Integration Proposal: Design, develop, and implement an application that, when provided with a GitHub repository's URL, generates SPDX (https://spdx.org/) documents based...
License Coverage Grader: There have been several talks about the need for a package level License Coverage Grade. This project will come up with an initial set of heuristics...
Online SPDX Tool: Building an easy all-in-one portal to upload and parse SPDX documents for validation, comparison and conversion and search SPDX license list by...
Online Validation Tools: Software Package Data Exchange (SPDX) is "a set of standards for communicating the components, licenses, and copyrights associated with software"....