The Power of SPDX (Software Package Data Exchange) – ELC 2012


Mark Gisi, Sr. Manager of Intellectual Property at Wind River, discusses SPDX (Software Package Data Exchange) at the Embedded Linux Conference 2012.

Abstract: Sharing Critical Licensing Information within a Linux Device Supply Chain

Embedded Linux device runtimes are derived from 100s of open source packages. A common misunderstanding is that just one or two licenses govern a given open source package, when in fact, often a dozen or more apply. Therefore a device runtime could be under 100s of unique licenses. Determining which licenses are relevant is challenging. SPDX, the Linux Foundation’s license exchange format, provides an effective mechanism for recording and sharing licensing information within a device vendor supply chain. We present an overview of SPDX along with a detailed source code example on how to create and extract relevant licensing information. The target audience includes developers, engineering managers, release operation engineers and license compliance professionals. They will learn what SPDX is, how it’s created, and how it is used. A basic understanding of open source licensing is helpful.

Here are some key points I noted from this presentation:

  • SPDX generates one file per package in XML/RDF format.
  • SPDX only uses information found within a given package (e.g. it has no access to licensing information on a given website).
  • SPDX only provides raw data about licenses; it does not provide information about patents or legal interpretation.
  • It looks at each source file to gather license data (there can be several licenses per file), then tries to determine the library license(s) and finally the application license(s).
  • The SPDX file layout is composed of 6 sections:
    • Spec Info (SPDX specification version)
    • Creation Info (who created it and when, etc.)
    • Package Info (name, licenses, etc.)
    • Other Licenses (for licenses not part of the SPDX license list)
    • File Info (for each file in a given package)
    • Reviewer
  • There are around 40 licenses supported by SPDX, such as several versions of GPL, LGPL, Apache, MIT, BSD, etc.
  • The key benefits of SPDX:
    • Helps share licensing information
    • Brings greater accountability
    • Detects potential licensing incompatibilities (e.g. Apache 2.0 and GPL 2.0)
    • Promotes licensing discipline
  • Ideally, the SPDX file should be generated by the copyright holder.
  • Nobody has adopted SPDX yet, as SPDX 1.0 was only released at the end of 2011, but the Linux Foundation is committed to making this work and some work is being done with Hewlett Packard.
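To make the six-section layout and the "detect incompatibilities" benefit concrete, here is an added example (my own illustration, not code from the talk or from the SPDX project). It parses a constructed SPDX 1.x document in the tag-value serialization that the SPDX 1.0 specification defines alongside RDF, sorts the tags into the spec, creation, package, other-licenses, file and reviewer sections, lists every unique license identifier, and flags the Apache-2.0 / GPL-2.0 pair mentioned in the talk when both show up in the package's files. The sample document, the package name and the tool name in it are made up.

```python
"""Parse a minimal SPDX 1.x tag-value document and summarise its licence data.

Added example for a post about SPDX. The document below is constructed for
illustration; it is not a real package's SPDX file.
"""
import re

# Constructed sample: one package, three files, one licence that is not on the
# SPDX licence list (hence the LicenseRef-1 entry in the "Other licenses" part).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-1.0
DataLicense: PublicDomain
Creator: Tool: example-scanner-0.1
Created: 2012-02-20T10:00:00Z
PackageName: demo-lib
PackageVersion: 1.2
PackageLicenseDeclared: LGPL-2.1
PackageLicenseConcluded: (LGPL-2.1 AND MIT)
LicenseID: LicenseRef-1
LicenseName: Vendor Proprietary Notice
FileName: ./src/core.c
LicenseConcluded: LGPL-2.1
LicenseInfoInFile: GPL-2.0
LicenseInfoInFile: LGPL-2.1
FileName: ./src/util.c
LicenseConcluded: MIT
LicenseInfoInFile: MIT
LicenseInfoInFile: Apache-2.0
FileName: ./src/vendor.c
LicenseConcluded: LicenseRef-1
LicenseInfoInFile: LicenseRef-1
Reviewer: Person: Jane Doe
ReviewDate: 2012-02-21T09:00:00Z
"""

TAG_RE = re.compile(r"^(?P<tag>[A-Za-z]+):\s*(?P<value>.*)$")

# Pairs the talk cites as potentially incompatible; extend per your review policy.
INCOMPATIBLE_PAIRS = [("Apache-2.0", "GPL-2.0")]


def parse_spdx(text):
    """Split a tag-value document into the six SPDX sections.

    FileName, LicenseID and Reviewer each open a new record; tags that follow
    belong to that record until the next one starts. Tags seen before any
    record are header data (spec, creation or package info).
    """
    doc = {"spec": {}, "creation": {}, "package": {},
           "other_licenses": [], "files": [], "reviewers": []}
    current = None  # record currently receiving tags, or None in the header
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            raise ValueError(f"not a tag-value line: {raw!r}")
        tag, value = m.group("tag"), m.group("value")
        if tag == "FileName":
            current = {"FileName": value, "LicenseInfoInFile": []}
            doc["files"].append(current)
        elif tag == "LicenseID":
            current = {"LicenseID": value}
            doc["other_licenses"].append(current)
        elif tag == "Reviewer":
            current = {"Reviewer": value}
            doc["reviewers"].append(current)
        elif tag == "LicenseInfoInFile" and current is not None and "FileName" in current:
            current["LicenseInfoInFile"].append(value)  # several notices per file are allowed
        elif current is not None:
            current[tag] = value
        elif tag in ("SPDXVersion", "DataLicense"):
            doc["spec"][tag] = value
        elif tag.startswith("Creat"):
            doc["creation"][tag] = value
        elif tag.startswith("Package"):
            doc["package"][tag] = value
        else:
            raise ValueError(f"unexpected header tag: {tag}")
    return doc


def license_ids(expr):
    """Identifiers in a simple licence expression such as '(LGPL-2.1 AND MIT)'."""
    return [tok for tok in re.split(r"[()\s]+", expr) if tok and tok not in ("AND", "OR")]


def unique_licenses(doc):
    """Every licence identifier named at package level or in any file."""
    found = set(license_ids(doc["package"].get("PackageLicenseDeclared", "")))
    found.update(license_ids(doc["package"].get("PackageLicenseConcluded", "")))
    for f in doc["files"]:
        found.update(f["LicenseInfoInFile"])
        found.update(license_ids(f.get("LicenseConcluded", "")))
    return found


def unlisted_licenses(doc):
    """Identifiers that point at the 'Other licenses' section rather than the SPDX list."""
    return {lic for lic in unique_licenses(doc) if lic.startswith("LicenseRef-")}


def find_incompatibilities(doc, pairs=INCOMPATIBLE_PAIRS):
    """(a, b, files_with_a, files_with_b) for each listed pair present in the files."""
    where = {}
    for f in doc["files"]:
        for lic in f["LicenseInfoInFile"]:
            where.setdefault(lic, []).append(f["FileName"])
    return [(a, b, sorted(where[a]), sorted(where[b]))
            for a, b in pairs if a in where and b in where]


if __name__ == "__main__":
    d = parse_spdx(SAMPLE_SPDX)
    print("package:", d["package"]["PackageName"], d["package"].get("PackageVersion"))
    print("unique licences:", sorted(unique_licenses(d)))
    print("not on SPDX list:", sorted(unlisted_licenses(d)))
    for a, b, fa, fb in find_incompatibilities(d):
        print(f"review needed: {a} in {fa} alongside {b} in {fb}")
```

The file-level LicenseInfoInFile tags are what drive the incompatibility check: the package-level concluded licence alone (LGPL-2.1 AND MIT here) would hide the GPL-2.0 and Apache-2.0 notices sitting in individual files, which is the "dozen or more licenses per package" point the abstract makes.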

The presentation slides are not (yet) available at elinux.org. You can get more information on the SPDX website, including the specifications, a white paper and a short (3 minutes) webinar.
