Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPDX® SOFTWARE PACKAGE DATA EXCHANGE®

Published byMervyn Harper Modified over 6 years ago

Similar presentations

Presentation on theme: "SPDX® SOFTWARE PACKAGE DATA EXCHANGE®"— Presentation transcript:

1 SPDX® SOFTWARE PACKAGE DATA EXCHANGE®
SPDX Overview for American Bar Association Brad Edmondson, SPDX Legal Team Volunteer March 2nd, 2017

2 Software Package Data Exchange® (SPDX®)
Open-Source Software (OSS) vs. Proprietary Various open-source licenses out in the wild Permissive, “copy-left” (share-alike), “open-source-like” (in-between) Friction in open-source licensing just like friction in all IP licensing SPDX as a Linux Foundation project Run like an open-source project (transparent and consensus-based) Project itself is open-source (both content and tools/software) Just accepted to Google Summer of Code 2

3 What is SPDX? SPDX Specification: SPDX License List: SPDX Group:
SPDX is a standard format for communicating the components, licenses and copyrights associated with a software package. Key pillar in Linux Foundation’s Open Compliance Program: SPDX License List: Known, recognizable open-source (and open-source-like) licenses SPDX Group: With the Linux Foundation, participation from over 20 organizations including software, systems and tool vendors, consultants and foundations SPDX is a standard format for communicating the components, licenses, and copyrights associated with a software package SPDX is about identifying licenses that exist in software packages, not recommending licenses or making legal conclusions about licenses 3

4 What is SPDX? SPDX mission statement: https://spdx.org/about
Develop and promote adoption of a specification to enable any party in a software supply chain, from the original author to the final end user, to accurately communicate the licensing information for any piece of copyrightable material that such party may create, alter, combine, pass on, or receive, and to make such information available in a consistent, understandable, and re-usable fashion, with the aim of facilitating license and other policy compliance. SPDX is about identifying licenses that exist in software packages, not recommending licenses or making legal conclusions about licenses 4

5 What is SPDX? Guiding principles: Goals: History:
Human and machine readable Focus on capturing facts; avoid interpretations Common vocabulary Goals: Reduce redundant work in determining software license information and facilitate compliance throughout the software supply chain Reduce friction in the open-source software supply chain History: Started before 2010 as grass-roots effort by corporate counsels, business leads, and FOSS release managers responsible for compliance Now a Linux Foundation project 5

6 The Need Software Products Include Source Code from Many Different Sources Outsourced Code Development Internally Developed Code Commercial 3rd-Party Code Code Software projects are often made up of a rainbow of code licenses, with complex interactions among them Open Source Software Your Application Obligations YOUR COMPANY – TOOLS, PROCESSES 6 Diagram Source: Black Duck Software 6

7 The Need Scope of the Problem
Software distributors need to provide license information for millions of lines of code to customers in the software supply chain, who often require detailed software copyright and licensing information for their own risk management. Software distributors (and users) need to be able to review the contents of each included package to ensure compliance with all of the licenses contained within it. A package’s declared license may not always match the license of every individual file inside the package. Similarly, a package with no top-level license assertion may consist of many files, each with a different license. Need a standard way to refer to the legal compliance “bill-of-materials” of a software package so we can efficiently exchange that information with others and accurately evaluate it for ourselves. In order to comply with licenses and otherwise assess your product's outbound license compatibility with any licenses of third party (eg. OSS) code included with it, you need to know what it contains. Software “bill of materials” == “packing slip” for software contents 7

8 The Need Software Supplier’s Point of View
I don’t mind vetting our code, but I’m sure this imported package has been analyzed a dozen times before. Our suppliers aren’t giving us complete licensing information for open source packages. Every customer wants a bill of materials in a different form. software in software out 8

9 The Need The Challenge of Open Source Compliance
New code OSS Package OSS Package OSS Package License B License C License A One OSS Package = Many Licenses License D License E License info for OSS is not provided in a consistent, easy-to-use format OSS Package License A License B License C License D License E 9

10 The Need The Challenge of Open Source Compliance
Your code Software Bill of Materials (BOM) OSS Package ? OSS Package Companies combine OSS with other software Outsourced SW Creating an accurate bill of materials requires effort & research 3rd party SW 10

11 The Need The Challenge of Open Source Compliance
Supplier 1 Customers Compliance effort is repeated at each step in the supply chain Open Source Organizations End-Users Integration & Services Device OEMs Applications OS Distributions Systems Semiconductor Vendors Supplier 3 Supplier 2 11

12 SPDX is (Part of the) Solution
SPDX Specification: A file format for license information to accompany open-source software packages Benefits Easy exchange of license information between organizations, reducing burden on both suppliers and consumers Reduce due diligence work when the same license or the same source code (software package) is analyzed again and again Support a common vocabulary for software developers, compliance managers, open-source counsel, and extend that vocabulary to the tools they use to manage compliance, ultimately yielding better compliance with less effort At time of product delivery, SDPX document shows that developer has done due diligence on the code they’ve used and know what licenses are included. Aim to establish a trusted document that can be communicated up and down the software supply chain so that compliance staff within that supply chain don’t have to re-read and re-evaluate each license. “De-duplicate due diligence drudgery” with SPDX! 12

13 SPDX Specification Instructions for collecting, storing and communicating data Goal to be human and machine readable Focus on facts (not interpretations) Version 2.1 in Sept 2016 Associated tooling/software Document Creation Information Package Information Package Information Other Licensing Information File Information Other Licensing Information Other Licensing Information Other Licensing Information Specification has different sections that describe the fields for that section For license, copyright, provenance information at package, and file level Can reflect package hierarchy through relationships Information about creation of SPDX document There are 2 standard document formats: Tag value and RDF there are tools available for producing, translating between these two supported formats, spreadsheet and other human-readable format (.txt, HTML); comparison tool, verification tool With 2.1 we are starting to get Python tooling up and going Focus now on documentation, best practices, and real world examples Relationships Other Licensing Information Annotations

14 SPDX reflects package relationships
SPDX Document MQ Apache Apache MQ package contains cont’d by Jetty Web Container package Jetty Web Container contains cont’d by javax.servlet javax.servlet package 14

15 SPDX License List https://spdx.org/licenses/
Current version: 2.6 (Q1 2017) Over 300 Licenses Short IDs for easy reference Exact text of licenses Includes commonly used exceptions Continuously Maintained: Always available in human- and machine-readable formats Actively updated by SPDX Legal Team with new licenses 15

16 Example License: BSD 2-Clause
License Matching Guidelines For matching licenses against those included on the SPDX License List License Templates Exact text of licenses Markup denotes optional and replaceable text per the matching guidelines Formats Available in numerous human- and machine-readable formats Recently moved to GitHub to make contribution easier 16

17 SPDX Short License Identifiers
Simple File-level License Identification Incorporate a specific license by reference with a single line (rather than writing out the full license text in every source file Easy to use, concise format and easy to read Reliable & Machine Readable Use SPDX license identifier to precisely match identifiers to license text Easy to produce an SPDX document for a given software package Flexible license expression syntax AND, OR, WITH, + Represent licenses with exceptions, multiple applicable licenses, choice of license, license version X and later SPDX license identifiers (which match specific license texts) SPDX license expressions (which show how the licenses combine for a given file/package/work) are also thought of as part of the “license list” SPDX helps organizations in the software supply chain represent complex license collections, building from the bottom up Note: “short identifier” in code can actually be an expression - it's just historical accident that they're called "License-Identifier" Valid SPDX expressions: (LGPL-2.1 OR MIT OR BSD-3-Clause) (LGPL-2.1 AND MIT) (GPL-2.0+ WITH Bison-exception-2.2) 17

18 Using Short Identifiers in Source Code
18

19 SPDX in action Generating or consuming SPDX documents
“Bill of materials” for any given software package Using authoritative license text from SPDX License List Using of SPDX license identifiers (and expressions) in source code Using other SPDX specification fields in internal systems

20 What SPDX Means to You Embedded & SW Supply Chains Save Time/Money
Better Compliance Open Source Developers Help Users Comply With Your Licenses Consumers of SW & OSS Understand Licensing of the Code You Use 20

21 SPDX Adoption License List: Format/Specification: Tagging Files:
Internal: ARM, TI, Wind River, MicroFocus, HP, Siemens, Qualcomm, Valeo Community: OSI, Debian, Composer, Bower, npm, RubyGems Format/Specification: Internal/Partners: TI, Wind River, Alcatel Lucent, Siemens, Qualcomm Tagging Files: ARM, Linux kernel, U-Boot, Wind River, Node.js (coming soon) Tools: Open-source: FOSSology/UNO, Yocto, ScanCode, SPDX OSS, SPDX npm tools Proprietary: Wind River, Black Duck, nexB, Source Auditor, Protecode, TripleCheck 21

22 SPDX Resources Main SPDX project: https://spdx.org/
SPDX General Meeting: SPDX Tech Team: SPDX Outreach Team: SPDX Legal Team: Wiki for minutes, project tracking, and decision-making: Using SPDX: Generated files in various formats (for tools): SPDX Legal Team’s “master files” for generating supported formats: 22

23 Get Involved in SPDX SPDX Legal Team SPDX License List:
Members include Linux Foundation project staff, attorneys working in-house with open source, as well as attorneys whose firms regularly advise clients on open-source. A handful of software engineers also support the legal team. Overview: Legal Team projects page: Legal Team mailing list: SPDX License List: Updating and maintaining the SPDX License List is the primary charge of the SPDX Legal Team: Those willing to “do” can influence direction Just accepted to Google “Summer of Code” intern- mentoring program Face to face meetings at Linux Foundation and other events Don’t need a legal or a technical background, just have to want to help Opportunities: review proposals to add licenses to the list; review or add markup to existing licenses; assist with developing the spec further to e.g. handle translations Opportunities: Encourage your Developers, Testers and Writers to help with the Open Source based tools working with SPDX. Low-lift: when you help clients purchase software, ask for an SPDX document (or other BOM) to get assurance that the vendor has done its compliance due diligence 23

24 Thank you! Questions? Contact: brad.edmondson@gmail.com
GitHub: Questions? Note: This information was adapted from publicly available documents and represents my personal views. I am a volunteer contributor to the SPDX Legal Team and do not officially represent the Linux Foundation, OSI, or any other organization mentioned herein. SPDX® is a registered trademark of the Linux Foundation. 24

Download ppt "SPDX® SOFTWARE PACKAGE DATA EXCHANGE®"

Similar presentations

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 1 NASA Earth Science Data Systems (ESDS) Software Reuse Working Group CEOS WIGSS-22 Annapolis, MD September.

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 1 NASA Earth Science Data Systems (ESDS) Software Reuse Working Group CEOS WIGSS-22 Annapolis, MD September.
Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.

Case Tools Trisha Cummings. Our Definition of CASE  CASE is the use of computer-based support in the software development process.  A CASE tool is a.
1 V2.4 [spec v1.0]Copyright Linux Foundation 2011 (CC-BY-3.0) SPDX™ a Year Later - What's New in Data Exchange LinuxCon North America, August 18, 2011.

1 V2.4 [spec v1.0]Copyright Linux Foundation 2011 (CC-BY-3.0) SPDX™ a Year Later - What's New in Data Exchange LinuxCon North America, August 18, 2011.
Software Documentation Written By: Ian Sommerville Presentation By: Stephen Lopez-Couto.

Software Documentation Written By: Ian Sommerville Presentation By: Stephen Lopez-Couto.
COPYRIGHT © 2013 ALCATEL-LUCENT – ALL RIGHT RESERVED. October 2013 STANDARDIZING THE FOSS GOVERNANCE PROCESSES Michel Ruffin.

COPYRIGHT © 2013 ALCATEL-LUCENT – ALL RIGHT RESERVED. October 2013 STANDARDIZING THE FOSS GOVERNANCE PROCESSES Michel Ruffin.
Update on The Open Compliance Program Phil Koltun, Ph.D. Director, Open Compliance Program

Update on The Open Compliance Program Phil Koltun, Ph.D. Director, Open Compliance Program
An Overview of MPEG-21 Cory McKay. Introduction Built on top of MPEG-4 and MPEG-7 standards Much more than just an audiovisual standard Meant to be a.

An Overview of MPEG-21 Cory McKay. Introduction Built on top of MPEG-4 and MPEG-7 standards Much more than just an audiovisual standard Meant to be a.
Accelerating Development Using Open Source Software Black Duck Software Company Presentation.

Accelerating Development Using Open Source Software Black Duck Software Company Presentation.
EMI INFSO-RI-261611 SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.

EMI INFSO-RI SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.

What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
Software Licences HSF Recommendations John Harvey / CERN 24 June 2015

Software Licences HSF Recommendations John Harvey / CERN 24 June 2015
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Efficient- Flexible- Cost Effective. 2 The key is to ensure that your clients have a positive experience remotely irrespective of the process you wish.

1 Efficient- Flexible- Cost Effective. 2 The key is to ensure that your clients have a positive experience remotely irrespective of the process you wish.
03/01/12Centre For Development Of Advanced Computing Chennai 1 OPEN SOURCE COMPLIANCE PROGRAM.

03/01/12Centre For Development Of Advanced Computing Chennai 1 OPEN SOURCE COMPLIANCE PROGRAM.
Centre for Development of Advanced Computing Chennai 103/1/12 Open Source Compliance Program Vidhyalakshmi A CDAC chennai

Centre for Development of Advanced Computing Chennai 103/1/12 Open Source Compliance Program Vidhyalakshmi A CDAC chennai
1 Team Skill 3 Defining the System Part 1: Use Case Modeling Noureddine Abbadeni Al-Ain University of Science and Technology College of Engineering and.

1 Team Skill 3 Defining the System Part 1: Use Case Modeling Noureddine Abbadeni Al-Ain University of Science and Technology College of Engineering and.
Project Management Software development models & methodologies

Project Management Software development models & methodologies
1 New Perspectives on Access 2016 Module 8: Sharing, Integrating, and Analyzing Data.

1 New Perspectives on Access 2016 Module 8: Sharing, Integrating, and Analyzing Data.
1 January 14, Evaluating Open Source Software William Cohen NCSU CSC 591W January 14, 2008 Based on David Wheeler, “How to Evaluate Open Source.

1 January 14, Evaluating Open Source Software William Cohen NCSU CSC 591W January 14, 2008 Based on David Wheeler, “How to Evaluate Open Source.
ABSTRACT This is the template for preparing posters for the Electrical Safety Workshop (ESW). It is intended to define the required format for printing.

ABSTRACT This is the template for preparing posters for the Electrical Safety Workshop (ESW). It is intended to define the required format for printing.

Similar presentations

Ads by Google