Mark Gisi, Sr. Manager of Intellectual Property at Wind River, discusses SPDX (Software Package Data Exchange) at Embedded Linux Conference 2012.
Sharing Critical Licensing Information within a Linux Device Supply Chain

Embedded Linux device runtimes are derived from 100s of open source packages. A common misunderstanding is that just one or two licenses govern a given open source package, when in fact, often a dozen or more apply. Therefore a device runtime could be under 100s of unique licenses. Determining which licenses are relevant is challenging. SPDX, the Linux Foundation’s license exchange format, provides an effective mechanism for recording and sharing licensing information within a device vendor supply chain. We present an overview of SPDX along with a detailed source code example on how to create and extract relevant licensing information. The target audience includes developers, engineering managers, release operation engineers and license compliance professionals. They will learn what SPDX is, how it’s created, and how it is used. A basic understanding of open source licensing is helpful.
Here are some key points I noted from this presentation:
- SPDX will generate one file per package in XML/RDF format.
- SPDX only uses info within a given package (e.g. no access to licensing info on a given website)
- SPDX only provides raw data about licenses and does not provide information about patents or legal interpretation.
- It looks at each source file to gather license data (there can be several licenses per file), then tries to determine the library license(s) and finally the application license(s)
- The SPDX file layout is composed of 6 sections:
  - Spec Info (SPDX specs)
  - Creation Info (who created it and when, etc…)
  - Package Info (Name, Licenses…)
  - Other licenses (For licenses not part of the SPDX license list)
  - File Info (For each file in a given package)
- There are around 40 licenses supported by SPDX such as several versions of GPL, LGPL, Apache, MIT, BSD etc…
- The key benefits of SPDX:
  - Helps sharing licensing information
  - Brings greater accountability
  - Detects potential licensing incompatibilities (e.g. Apache 2.0 and GPL 2.0)
  - Promotes licensing discipline.
- Ideally, the SPDX file should be generated by the copyright holder.
- Nobody has adopted SPDX yet, as SPDX 1.0 has just been released at the end of 2011, but the Linux Foundation is committed to making this work and some work is being done with Hewlett Packard.
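To make the file layout and the "detects potential incompatibilities" point concrete, here is a small Python example I wrote for these notes (it is not code from the talk or from the SPDX project). It builds a minimal SPDX-style RDF/XML document containing the spec, creation, package, other-license and file sections listed above, then reads it back to extract the per-file licenses, roll them up to the package level, and flag the Apache 2.0 + GPL 2.0 pairing mentioned in the talk. The `spdx:` element and property names and the namespace URI are my recollection of the SPDX RDF vocabulary and should be checked against the spec; the package, file names and license text are constructed sample data.

```python
"""Build a minimal SPDX-style RDF/XML document and extract licensing data from it.

Added example, not code from the talk or the SPDX project. The spdx: element
names (SpdxDocument, CreationInfo, Package, ExtractedLicensingInfo, File,
licenseInfoInFile, ...) and the namespace URI are assumptions based on my
recollection of the SPDX RDF vocabulary; verify them against the spec.
"""
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
SPDX = "http://spdx.org/rdf/terms#"  # assumed SPDX RDF namespace
ET.register_namespace("rdf", RDF)
ET.register_namespace("spdx", SPDX)


def q(ns, tag):
    """Return an ElementTree qualified name {namespace}tag."""
    return f"{{{ns}}}{tag}"


# Constructed sample package: each file carries its own license findings,
# and one file is under a license that is not on the SPDX license list.
SAMPLE_FILES = [
    ("src/server.c", ["GPL-2.0"]),
    ("src/json.c", ["MIT", "Apache-2.0"]),
    ("src/vendor_blob.c", ["LicenseRef-VendorEULA"]),
]
OTHER_LICENSES = {"LicenseRef-VendorEULA": "Constructed sample EULA text."}

# The one pairing the talk names as a potential incompatibility. This is a
# sample table for illustration, not a license-compatibility matrix.
KNOWN_CONFLICTS = {frozenset({"Apache-2.0", "GPL-2.0"})}


def build_document(package_name, files, other_licenses):
    """Create the five sections from the notes and serialise them as RDF/XML."""
    root = ET.Element(q(RDF, "RDF"))
    doc = ET.SubElement(root, q(SPDX, "SpdxDocument"))
    # 1. Spec info
    ET.SubElement(doc, q(SPDX, "specVersion")).text = "SPDX-1.0"
    # 2. Creation info: who produced the file and when
    ci = ET.SubElement(ET.SubElement(doc, q(SPDX, "creationInfo")), q(SPDX, "CreationInfo"))
    ET.SubElement(ci, q(SPDX, "creator")).text = "Tool: example-generator"
    ET.SubElement(ci, q(SPDX, "created")).text = "2012-02-15T00:00:00Z"
    # 3. Package info
    pkg = ET.SubElement(ET.SubElement(doc, q(SPDX, "describesPackage")), q(SPDX, "Package"))
    ET.SubElement(pkg, q(SPDX, "name")).text = package_name
    # 4. Other licenses: identifiers not on the SPDX list, with their full text
    for lic_id, text in other_licenses.items():
        eli = ET.SubElement(ET.SubElement(doc, q(SPDX, "hasExtractedLicensingInfo")),
                            q(SPDX, "ExtractedLicensingInfo"))
        ET.SubElement(eli, q(SPDX, "licenseId")).text = lic_id
        ET.SubElement(eli, q(SPDX, "extractedText")).text = text
    # 5. File info: one entry per file, possibly several licenses each
    for name, lics in files:
        f = ET.SubElement(ET.SubElement(pkg, q(SPDX, "hasFile")), q(SPDX, "File"))
        ET.SubElement(f, q(SPDX, "fileName")).text = name
        for lic in lics:
            ET.SubElement(f, q(SPDX, "licenseInfoInFile")).text = lic
    return ET.tostring(root, encoding="unicode")


def extract_file_licenses(xml_text):
    """Map each file name to the sorted list of licenses found in that file."""
    root = ET.fromstring(xml_text)
    result = {}
    for f in root.iter(q(SPDX, "File")):
        name = f.findtext(q(SPDX, "fileName"))
        result[name] = sorted(e.text for e in f.findall(q(SPDX, "licenseInfoInFile")))
    return result


def extract_other_license_ids(xml_text):
    """Return the identifiers declared in the 'other licenses' section."""
    root = ET.fromstring(xml_text)
    return sorted(e.text for e in root.iter(q(SPDX, "licenseId")))


def package_licenses(file_licenses):
    """Roll per-file findings up to the set of licenses governing the package."""
    return sorted({lic for lics in file_licenses.values() for lic in lics})


def find_conflicts(license_ids):
    """Report every known-problematic pair whose members are both present."""
    present = set(license_ids)
    return sorted(tuple(sorted(pair)) for pair in KNOWN_CONFLICTS if pair <= present)


if __name__ == "__main__":
    xml_text = build_document("sample-pkg", SAMPLE_FILES, OTHER_LICENSES)
    per_file = extract_file_licenses(xml_text)
    for name, lics in per_file.items():
        print(f"{name}: {', '.join(lics)}")
    pkg_lics = package_licenses(per_file)
    print("package licenses:", pkg_lics)
    print("other (non-list) licenses:", extract_other_license_ids(xml_text))
    print("potential incompatibilities:", find_conflicts(pkg_lics))
```

Running it shows the flow the notes describe: licenses are gathered file by file, then aggregated to the package, and only at that point does the Apache-2.0/GPL-2.0 pairing become visible, which is why a single "the package is under license X" statement is so often wrong.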