The Linux Foundation and FOSSBazzaar on Wednesday released a new specification to ease the pain of license compliance for open source software. The Software Package Data Exchange (SPDX) is a data exchange specification that tracks license information in a standardized way and allows it to travel across the software supply chain.
The Linux Foundation and FOSSBazaar on Wednesday released a new specification to ease the pain of license compliance for open source software. The Software Package Data Exchange (SPDX) is a data exchange specification that tracks license information in a standardized way and allows it to travel across the software supply chain.
Since open source software is by its nature collaborative, any new project often includes bits and pieces of other open source software projects, each covered by a different license. By the time a project lands in the hands of an enterprise that wants to use it, and possibly modify it, IT professionals may not even know all the different license provisions attached to the code.
Companies want to do the right thing with licenses, and they want to know about any licensing restrictions before they adopt a project. That's not easy to do with more than 2,000 licenses in existence for freely available software on the Internet, from crazy licenses like the Free Beer license (which asks you to send beer to the programmer instead of money) to the GPL family of licenses to platform-specific licenses such as Apache and Eclipse.
Each license carries within it the developer's definition of how the software can be used and distributed. Permissive licenses like BSD and MIT allow software to be redistributed and developers can modify code without the requirement of making changes publicly available. Reciprocal licenses, on the other hand, place varying restrictions on reuse and redistribution.
Several companies offer tools or services to audit the code in use by organization, discover its license and ensure that an enterprise or developer is in compliance. These include Black Duck Software, OpenLogic, HP's FOSSology and Pathology. But even if a company underwent such an audit, and then every contributor to a project thoughtfully documented the license and copyright information for each piece of software modified, there was no standard way to document the data so it could be transferred to other users.
SPDX solves this problem, says Dave McLoughlin, an open source auditor for OpenLogic. An SPDX file will travel with a software project as an included file in it. It uses a specific format to collect specific data about each project including version number and license. Eventually, tools will be created that will allow SPDX files to be transferred from other file formats as well. For instance, if a company's development team has been using a spreadsheet to track licensing information, such tools will allow that spreadsheet to be converted to an SPDX file.
The SPDX working group hopes that eventually all commercial software vendors will support SPDX. Now that the 1.0 of the specification is available, enterprises should ask their commercial open source software providers about SPDX support and how they have implemented it.
The project enjoyed participation and support by a wide range of industry heavyweights including Alcatel-Lucent, Antelink, Black Duck Software, Canonical, HP, Micro Focus, Motorola Mobility, nexB Inc., OpenLogic, Palamida, Protecode, Source Auditor, Texas Instruments and Wind River.
The specification is available on the Software Package Data Exchange website.
Julie Bort is the editor of Network World's Open Source community. She also writes the Source Seeker blog, the Odds and Ends blog for Cisco Subnet, and the Microsoft Update blog for Microsoft Subnet. Follow Bort on Twitter @Julie188.