The Linux Foundation’s Open Compliance Initiative releases new SPDX specification

Software Package Data Exchange 2.1 helps open source developers and projects streamline the software supply chain and eases license sharing.

The SPDX® Project, hosted by The Linux Foundation®, is announcing the release of version 2.1 of its Software Package Data Exchange (SPDX) specification. SPDX 2.1 standardizes the inclusion of additional data in generated files, as well as providing a syntax for accurate tagging of source files with SPDX license list identifiers.
 
According to The 2016 North Bridge & Black Duck Future of Open Source Study, 90 percent of companies rely on open source for improved efficiency, innovation and interoperability, yet only half of those companies have a formal management process for the code they rely upon. The SPDX specification helps facilitate compliance with free and open source software licenses by providing a uniform way in which license information is shared across the software supply chain. The effort unites more than 20 organizations - software, systems and tool vendors, foundations and systems integrators - to create a specification for software package data exchange formats.
 
“The new SPDX specification release benefits the entire open source community – from developers to end users. It not only helps standardize the way license information is shared, but it gives every stakeholder in FOSS assurance around quality and consistency of code use,” said Mike Dolan, VP of Strategic Programs, The Linux Foundation. “SPDX is a community driven effort, with technical guidance from open source developers. Together, we’re helping advance open source by establishing a specification that enables code to be used or altered in a consistent, understandable and compliant manner.”
 
Key features in the SPDX 2.1 specification include:

  • Snippets allow a portion of a file to be identified as having different properties from the file it resides within. The use of snippets is completely optional, and it is not mandatory for snippets to be identified;
  • Improvements in referencing external packages and repositories; users can now associate packages with security vulnerability databases as well as component repositories, such as npm, maven, bower, among others; and
  • A new appendix has been added to explain how to use SPDX License List identifiers in source files. An increasing number of open source projects are adding these short identifiers to code, as they allow anyone to quickly scan a directory of files to identify the licenses included. SPDX license identifier tags also eliminate common mistakes based on scanning headers to conclude the license of a source file.
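The kind of quick directory scan the last point describes, as an added example that is not SPDX project code: it reads the `SPDX-License-Identifier:` tag from the top of each file, splits the license expression into identifiers, and flags any identifier that is not on the SPDX License List. The files are constructed in memory so the script runs offline, and `KNOWN_IDS` is an assumed small subset of the list (a real tool would load the full list from spdx.org/licenses).

```python
import re
from typing import Dict, List, Optional

# Constructed in-memory "directory" of source files (not real project files).
SAMPLE_FILES = {
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }\n",
    "src/util.py": "#!/usr/bin/env python3\n# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-only\n",
    "src/vendor.js": "/* Copyright 2016 Example */\nfunction f() {}\n",
    "src/odd.h": "// SPDX-License-Identifier: My-Custom-License\n",
}

# Assumption: a small subset of the SPDX License List, enough for the sample files.
KNOWN_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "BSD-3-Clause"}

# The tag value is an SPDX license expression, e.g. "Apache-2.0 OR GPL-2.0-only".
TAG_RE = re.compile(r"SPDX-License-Identifier:\s*(.+)")
HEADER_LINES = 10  # the tag is meant to sit near the top of the file


def extract_identifier(text: str) -> Optional[str]:
    """Return the license expression from the file's SPDX tag, or None if absent."""
    for line in text.splitlines()[:HEADER_LINES]:
        m = TAG_RE.search(line)
        if m:
            # Strip comment closers that may trail the expression on the same line.
            return m.group(1).replace("*/", "").replace("-->", "").strip()
    return None


def expression_ids(expr: str) -> List[str]:
    """Split an SPDX expression into bare license identifiers (exceptions after WITH are skipped)."""
    tokens = [t for t in re.split(r"[()\s]+", expr) if t]
    ids, skip_next = [], False
    for tok in tokens:
        if skip_next:  # token after WITH is an exception id, not a license id
            skip_next = False
            continue
        if tok.upper() == "WITH":
            skip_next = True
        elif tok.upper() not in ("AND", "OR"):
            ids.append(tok.rstrip("+"))  # "GPL-2.0+" style suffix is not part of the id
    return ids


def scan(files: Dict[str, str]) -> Dict[str, dict]:
    """Per file: the tagged expression (or None) and any identifiers not on the list."""
    report = {}
    for path, text in files.items():
        expr = extract_identifier(text)
        unknown = [i for i in expression_ids(expr) if i not in KNOWN_IDS] if expr else []
        report[path] = {"expression": expr, "unknown_ids": unknown}
    return report


if __name__ == "__main__":
    for path, info in scan(SAMPLE_FILES).items():
        print(path, info)
```

Files with no tag (such as `src/vendor.js` above) are reported with `expression: None`, which is exactly the case where falling back to header scanning invites the mistakes the appendix warns about.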