V2.4 [spec v1.0] Copyright Linux Foundation 2011 (CC-BY-3.0)
SPDX™ a Year Later - What's New in Data Exchange
LinuxCon North America, August 18, 2011
Phil Odence, Black Duck Software
Esteban Rockett, Motorola Mobility
Software Package Data Exchange® (SPDX™)
A standard format for communicating the components, licenses and copyrights associated with a software package.
Key pillar in the Linux Foundation’s Open Compliance Program, which comprises: Tools, Self-Assessment, SPDX, Rapid Alert System, Training, Community
Kudos!
“SPDX is a crucial building block in an industry-wide system of automated license compliance administration… will ultimately help to realize large cost savings for all parties.” - Eben Moglen, Software Freedom Law Center Executive Director
“SPDX will help shine a light on Free and Open Source Software licensing.” - Tom “spot” Callaway, Fedora Engineering Manager
“This represents the next step of industry-wide due diligence.” - Phil Robb, HP Dir. OSPO
“SPDX… helping to simplify and standardize references to software licenses.” - Michael Tiemann, OSI President
“SPDX is a great resource.” - Jack Manbeck, TI Mgr OSRB
Software Today
[Diagram: your company’s tools and processes, with your application assembled from open source software, internally developed code, outsourced code development, and commercial 3rd-party code, each bringing its own obligations. Diagram source: Black Duck Software]
The Need
[Diagram: software in, software out]
“Our suppliers aren’t giving us complete licensing information for open source packages.”
“Every customer wants a bill of materials in a different form.”
“I don’t mind vetting our code, but I’m sure this imported package has been analyzed a dozen times before.”
We need a standardized, adopted format for a software Bill of Materials
SPDX™ Group
A working group of the Linux Foundation
Goal: To create a defined format for a file of license fact information describing a software package
History: A grass roots effort started by corporate counsels, business leads, and release managers responsible for ensuring release compliance with applicable licenses of FOSS included in the release
Operation: Open participation through www.spdx.org
Participants
Systems
OS Distributions
Applications
Integration & Services
Device OEMs
End-Users
Semiconductor Vendors
Open Source Organizations
…and others
Participation is from a range of organizations and across various roles
[Diagram: “Primordial Soup”]
History & Status
Q1 ’10: “SPDX” group constituted
Q3 ’10: Introduced to LF along with OCP
Q2 ’11: Beta release of spec and tools
Q3 ’11: Version 1.0 release
Q4 ’11: V 1.1 target
Beta: pairs of supply chain partners exchanging docs, testing tools, support teams, group feedback
[Diagram: SPDX doc, translate, view]
The SPDX™ File
File is in RDF/XML or Tag Value form; can be converted to spreadsheet and other formats.
• Document Information: SPDX version and licensing
• Creation Information: how and when created
• Package Information: package identification, copyright and licensing
• File Information: file by file identification, copyright and licensing
• Licensing Information: text of licenses that are not in the SPDX™ standard list
• Review Information: log of 3rd party reviews
Package Information
Identification
• Formal Name of Package (full name given by originator and version information)
• Package File Name (name package obtained under (.tar, .rpm, etc.))
• Unique ID (to unambiguously map file to a package)
• Package Download Location (download URL)
• Package Supplier and Originator
Licensing for Package
• Declared License: license that has been asserted for the package
• Concluded License: license that Creator has concluded
• List of file licenses
• Copyright Text
• Description of Package (optional)
File Information
• File Name
• File Type (source, binary, archive)
• File CheckSum
• Concluded License (license determined by SPDX file creator)
• License Text in File
• Copyright Text
• Artifact of Project Name (from which project it came)
Other Licensing Information
NOTES: This section is for licenses not on the standard list. Aim for ~90% coverage with standard short forms; NOT exhaustive.
Background: Black Duck identifies >2000 licenses in use; ~20 licenses are responsible for nearly all licensed open source projects (http://www.blackducksoftware.com/oss/licenses#top20). OSI currently recognizes 67 licenses as “open source” (http://www.opensource.org/licenses).
• Identifier Assigned (short form)
• Extracted Text
Review
• Reviewer
• Review Date
• Review Comment
Multiple Reviews
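The file layout described on the preceding slides (package, per-file and other-licensing sections in tag/value form), as an added example that is not part of the original deck or of the SPDX project's own tools: a small Python parser for a constructed SPDX 1.0 tag/value document, plus the checks a recipient would run before relying on it (file checksums against the delivered files, a concluded license per file, extracted text for every non-standard LicenseRef- identifier). Tag names are the SPDX spec's; the file contents, package name and license values are constructed for illustration.

```python
import hashlib
import re

def sha1(data): return hashlib.sha1(data).hexdigest()
# Constructed file contents that the constructed SPDX document below describes.
FILES = {"./src/main.c": b"int main(void) { return 0; }\n",
         "./src/vendor/util.c": b"/* helper under a non-standard license */\n"}
# Constructed SPDX 1.0 tag/value document: tag names are the spec's, values are made up.
SAMPLE = f"""\
SPDXVersion: SPDX-1.0
PackageName: example-lib
PackageLicenseDeclared: Apache-2.0
PackageLicenseConcluded: (Apache-2.0 AND LicenseRef-1)
FileName: ./src/main.c
FileChecksum: SHA1: {sha1(FILES['./src/main.c'])}
LicenseConcluded: Apache-2.0
FileName: ./src/vendor/util.c
FileChecksum: SHA1: {sha1(FILES['./src/vendor/util.c'])}
LicenseConcluded: LicenseRef-1
LicenseID: LicenseRef-1
ExtractedText: <text>Permission to use this file is granted ...</text>
"""

def parse(doc):
    """Split tag/value text into the package record, one record per FileName, one per LicenseID."""
    out = {"package": {}, "files": [], "licenses": {}}
    cur = out["package"]
    for m in re.finditer(r"^(\w+):[ \t]*(.*)$", doc, re.M):   # one "Tag: value" per line
        tag, val = m.group(1), re.sub(r"</?text>", "", m.group(2))
        if tag == "FileName":              # each FileName opens a new File Information record
            cur = {}; out["files"].append(cur)
        elif tag == "LicenseID":           # each LicenseID opens an Other Licensing record
            cur = {}; out["licenses"][val] = cur
        cur[tag] = val
    return out

def check(doc, files):
    """Return the problems a recipient should flag before relying on the document."""
    parsed, problems = parse(doc), []
    for f in parsed["files"]:
        name = f.get("FileName")
        algo, _, digest = f.get("FileChecksum", "").partition(": ")
        if name not in files or (algo, digest) != ("SHA1", sha1(files[name])):
            problems.append(f"{name}: missing from delivery or checksum mismatch")
        if f.get("LicenseConcluded", "NOASSERTION") == "NOASSERTION":
            problems.append(f"{name}: no concluded license")
    # every LicenseRef- id used anywhere must have its text in Other Licensing Information
    for ref in sorted(set(re.findall(r"LicenseRef-\w+", doc)) - set(parsed["licenses"])):
        problems.append(f"{ref}: no extracted license text")
    return problems
```

Running `check(SAMPLE, FILES)` on the untampered delivery returns an empty list; altering a shipped file, or dropping the LicenseID record, makes the corresponding problem appear.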
The SPDX™ List of “Standard Licenses”
SPDX™ license repo
• List of most common licenses (100+)
• Include common exceptions
• Guidelines for matching
• Standardized license names (OSI adopted)
• Exact text of licenses
• Available on SPDX™ website – URLs won’t change
Tools for SPDX™
Open Source Tools (hosted on SPDX Git Repo)
• Viewer
• Spreadsheet to RDF xlator
• RDF to Spreadsheet
• License file generator (from Spreadsheet)
• Spreadsheet template
Commercial Tools
• Scanning tools output SPDX™
Working Group Structure
Teleconferences, Website, Wikis, Mailing Lists
General Meeting
• Tech Team
• Business Team
• Legal Team
Working Group Operation
The working group runs similarly to an open source project, without a centralized constitution or bylaws.
Intellectual property contributed by participating members is covered under the Creative Commons license (CC-BY-3.0).
Very inclusive process: self-subscription; those willing to “do” can influence. http://spdx.org
Getting involved…
See: http://www.spdx.org, #spdx on Freenode IRC
Contact: Phil Odence (co-chair) - [email protected]; Esteban Rockett (co-chair) – [email protected]
Where Next?
Technical: 1.1 clean up; hierarchy/nested SPDX docs
Business: drive adoption; supporting materials; license list process
Legal: license templates; protection of data; proprietary licenses