
Copyright Linux Foundation 2011 (CC-BY-3.0), V2.4 [spec v1.0]

Slide 1: SPDX™ a Year Later - What's New in Data Exchange

LinuxCon North America, August 18, 2011

Phil Odence, Black Duck Software

Esteban Rockett, Motorola Mobility

Slide 2: Software Package Data Exchange® (SPDX™)

A standard format for communicating the components, licenses and copyrights associated with a software package.

Key pillar in the Linux Foundation's Open Compliance Program, which comprises: Tools, Self-Assessment, SPDX, Rapid Alert System, Training, Community.

Slide 3: Kudos!

“SPDX is a crucial building block in an industry-wide system of automated license compliance administration…will ultimately help to realize large cost savings for all parties.” - Eben Moglen, Software Freedom Law Center Executive Director

“SPDX will help shine a light on Free and Open Source Software licensing.” - Tom “spot” Callaway, Fedora Engineering Manager

“This represents the next step of industry-wide due diligence.” - Phil Robb, HP Dir. OSPO

“SPDX…helping to simplify and standardize references to software licenses.” - Michael Tiemann, OSI President

“SPDX is a great resource.” - Jack Manbeck, TI Mgr OSRB

Slide 4: Software Today

[Diagram: Your Application, inside the frame “YOUR COMPANY – TOOLS, PROCESSES”, is assembled from Open Source Software, Internally Developed Code, Outsourced Code Development and Commercial 3rd-Party Code; code flows in from each source and obligations flow back. Diagram source: Black Duck Software]

Slide 5: The Need

[Diagram: software in, your company, software out, with three complaints from along the supply chain:]

“Our suppliers aren’t giving us complete licensing information for open source packages.”

“Every customer wants a bill of materials in a different form.”

“I don’t mind vetting our code, but I’m sure this imported package has been analyzed a dozen times before.”

We need a standardized, adopted format for a software Bill of Materials.

Slide 6: SPDX™ Group

A working group of the Linux Foundation.

Goal: to create a defined format for a file of license fact information describing a software package.

History: a grass roots effort started by corporate counsels, business leads, and release managers responsible for ensuring release compliance with applicable licenses of FOSS included in the release.

Operation: open participation through www.spdx.org

Slide 7: Participants

Systems, OS Distributions, Applications, Integration & Services, Device OEMs, End-Users, Semiconductor Vendors, Open Source Organizations…and others

Participation is from a range of organizations and across various roles.

Slide 8: History & Status (timeline graphic titled “Primordial Soup”)

Q1 2010: “SPDX” group constituted

Q3 2010: Introduced to LF along with OCP

Q2 2011: Beta release of spec and tools

Q3 2011: Version 1.0 release

Q4 2011: V 1.1 target

Slide 9: [Diagram: Beta - pairs of supply chain partners exchanging SPDX docs, testing the tools (translate and view an SPDX doc), support teams, group feedback]

Slide 10: The SPDX™ File

Document Information: SPDX Version and Licensing

Creation Information: How and when created

Package Information: Package identification, copyright and licensing

File Information: File by file identification, copyright and licensing

Licensing Information: Text of licenses that are not in the SPDX™ standard list

Review Information: Log of 3rd party reviews

File is in RDF/XML or Tag Value form; can be converted to spreadsheet and other formats.

Slide 11: Package Information

Identification:

Formal Name of Package (full name given by originator and version information)

Package File Name (name package obtained under (.tar, .rpm, etc.))

Unique ID (to unambiguously map file to a package)

Package Download Location (download URL)

Package Supplier and Originator

Licensing for Package:

Declared License - license that has been asserted for the package

Concluded License - license that Creator has concluded

List of file licenses

Copyright Text

Description of Package (optional)

Slide 12: File Information

File Name

File Type (source, binary, archive)

File CheckSum

Concluded License (license determined by SPDX file creator)

License Text in File

Copyright Text

Artifact of Project Name (from which project it came)

Slide 13: Other Licensing Information

NOTES: This section is for licenses not on the standard list. The standard list aims for ~90% coverage with standard short forms; it is NOT exhaustive.

Background: Black Duck identifies >2000 licenses in use; ~20 licenses are responsible for nearly all licensed open source projects (http://www.blackducksoftware.com/oss/licenses#top20). OSI currently recognizes 67 licenses as “open source” (http://www.opensource.org/licenses).

Fields: Identifier Assigned (short form), Extracted Text

Slide 14: Review

Fields: Reviewer, Review Date, Review Comment

Multiple reviews are allowed.
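As an added example (not code from the SPDX project or from the presenters), the Python below builds a tag-value document containing the six sections described on slides 10 to 14, parses it back, and cross-checks it against the package contents the way a receiving party would: every listed file's SHA-1 checksum must match, every LicenseRef used by a file must have a LicenseID/ExtractedText entry, and the package's list of file licenses must agree with the per-file conclusions. The tag names follow the SPDX 1.x tag-value convention as the author of this example recalls it and are an assumption to verify against the spec; the package, its two files, the extracted license text, the creator, reviewer, dates and download URL are all constructed.

```python
import hashlib
import re

# Constructed sample package (not real software): path -> (contents, concluded license).
# vendor.c is under a license that is not on the standard list, so the document
# needs a LicenseRef entry with extracted text in "Other Licensing Information".
SAMPLE_FILES = {
    "pkg-1.0/src/main.c": (b"/* main.c */\nint main(void) { return 0; }\n", "MIT"),
    "pkg-1.0/src/vendor.c": (b"/* vendor code under a bespoke license */\n", "LicenseRef-1"),
}
SAMPLE_EXTRACTED = {"LicenseRef-1": "Use permitted for internal evaluation only. (constructed)"}
FILE_TAGS = {"FileType", "FileChecksum", "LicenseConcluded", "LicenseInfoInFile",
             "FileCopyrightText", "ArtifactOfProjectName"}
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # "Tag: value" (tag names assumed, see lead-in)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_document(files, extracted, package="pkg", version="1.0", declared="MIT"):
    """Emit the six sections: document, creation, package, file, licensing, review."""
    licenses = sorted({lic for _, lic in files.values()})
    concluded = licenses[0] if len(licenses) == 1 else "(" + " AND ".join(licenses) + ")"
    out = ["SPDXVersion: SPDX-1.0", "DataLicense: PDDL-1.0",
           "Creator: Tool: example-generator",  # creator, dates and URL are assumed values
           "Created: 2011-08-18T00:00:00Z",
           f"PackageName: {package}", f"PackageVersionInfo: {version}",
           f"PackageFileName: {package}-{version}.tar.gz",
           f"PackageDownloadLocation: http://example.invalid/{package}-{version}.tar.gz",
           "PackageSupplier: Organization: Example Supplier",
           "PackageOriginator: Organization: Example Originator",
           f"PackageLicenseDeclared: {declared}", f"PackageLicenseConcluded: {concluded}"]
    out += [f"PackageLicenseInfoFromFiles: {lic}" for lic in licenses]
    out.append("PackageCopyrightText: <text>Copyright 2011 Example Originator</text>")
    for path, (data, lic) in sorted(files.items()):
        out += [f"FileName: {path}", "FileType: SOURCE",
                f"FileChecksum: SHA1: {sha1_hex(data)}",
                f"LicenseConcluded: {lic}", f"LicenseInfoInFile: {lic}",
                "FileCopyrightText: <text>Copyright 2011 Example Originator</text>",
                f"ArtifactOfProjectName: {package}"]
    for ref, text in sorted(extracted.items()):
        out += [f"LicenseID: {ref}", f"ExtractedText: <text>{text}</text>"]
    out += ["Reviewer: Person: Example Reviewer", "ReviewDate: 2011-08-18T00:00:00Z",
            "ReviewComment: <text>Checksums and license references checked.</text>"]
    return "\n".join(out) + "\n"


def parse_document(text):
    """Parse 'Tag: value' lines, folding <text>...</text> blocks into one value."""
    pairs, tag, buf = [], None, None
    for line in text.splitlines():
        if buf is not None:  # inside a multi-line <text> block
            buf.append(line)
            if line.rstrip().endswith("</text>"):
                pairs.append((tag, "\n".join(buf).rsplit("</text>", 1)[0]))
                buf = None
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if value.startswith("<text>"):
            value = value[len("<text>"):]
            if value.endswith("</text>"):
                pairs.append((tag, value[:-len("</text>")]))
            else:
                buf = [value]
        else:
            pairs.append((tag, value))
    return pairs


def file_records(pairs):
    """Group the per-file tags; each FileName starts a new record."""
    records, cur = [], None
    for tag, value in pairs:
        if tag == "FileName":
            cur = {"FileName": value}
            records.append(cur)
        elif cur is not None and tag in FILE_TAGS:
            cur[tag] = value
    return records


def verify_document(text, files):
    """Cross-check the document against the real package contents; return findings."""
    pairs = parse_document(text)
    extracted = {v for t, v in pairs if t == "LicenseID"}
    from_files = {v for t, v in pairs if t == "PackageLicenseInfoFromFiles"}
    findings, seen = [], set()
    for rec in file_records(pairs):
        name = rec["FileName"]
        seen.add(name)
        if name not in files:
            findings.append(f"{name}: listed in SPDX document but absent from package")
            continue
        algo, _, digest = rec.get("FileChecksum", "").partition(": ")
        if algo != "SHA1" or digest != sha1_hex(files[name][0]):
            findings.append(f"{name}: checksum mismatch")
        lic = rec.get("LicenseConcluded", "")
        if lic.startswith("LicenseRef-") and lic not in extracted:
            findings.append(f"{name}: {lic} has no LicenseID/ExtractedText entry")
        if lic not in from_files:
            findings.append(f"{name}: {lic} missing from PackageLicenseInfoFromFiles")
    findings += [f"{n}: in package but not in SPDX document" for n in sorted(files.keys() - seen)]
    return findings
```

A clean document yields no findings; a file whose bytes differ from the listed checksum, or a LicenseRef without extracted text, shows up as a finding, which is the check a downstream consumer of the bill of materials would run before trusting it.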

Slide 15: The SPDX™ List of “Standard Licenses”

SPDX™ license repo:

• List of most common licenses (100+)

• Include common exceptions

• Guidelines for matching

• Standardized license names (OSI adopted)

• Exact text of licenses

• Available on SPDX™ website – URLs won’t change

Slide 16: Tools for SPDX™

Open Source Tools (hosted on the SPDX Git repo): Viewer; Spreadsheet to RDF translator; RDF to Spreadsheet translator; License file generator (from Spreadsheet); Spreadsheet template

Commercial Tools: scanning tools that output SPDX™

Slide 17: Working Group Structure

Channels: Teleconferences, Website, Wikis, Mailing Lists

General Meeting, with three teams: Tech Team, Business Team, Legal Team

Slide 18: Working Group Operation

The working group runs similarly to an open source project, without a centralized constitution or bylaws.

Intellectual property contributed by participants is covered under the Creative Commons license (CC-BY-3.0).

Very inclusive process: self-subscription; those willing to “do” can influence. http://spdx.org

Slide 19: Getting involved…

See: http://www.spdx.org and #spdx on Freenode IRC

Contact: Phil Odence (co-chair) - [email protected]; Esteban Rockett (co-chair) - [email protected]

Slide 20: Where Next?

Technical: 1.1 Clean Up; Hierarchy/Nested SPDX Docs

Business: Drive Adoption; Supporting Materials; License List Process

Legal: License Templates; Protection of Data; Proprietary Licenses

Slide 21: QUESTIONS?

Thank you!