The Linux Foundation is moving forward with its SPDX (Software Package Data Exchange) project, an industry-wide effort to simplify and standardize the way suppliers and customers share bill of materials information about open source software throughout the supply chain. Identifying, preserving, and verifying the meta-information about software components that is necessary to comply with open source licenses has emerged as the eternal question for redistributors of open source in the private sector. In fact, the difficulty — not to mention the tedium and resource diversion — necessary to convey this information accurately, along with proper notices, is one of the biggest challenges in open source today. In other words, laying aside all the areas of legal ambiguity surrounding open source licensing — like juicy derivative works questions or the arcane patent terms of GPLv3 — and assuming one actually knows how to comply with the license, how does one actually do it? A sophisticated product can contain hundreds or thousands of open source components, and cataloging them is a daunting administrative task that requires both legal and technical training. Most companies are currently reduced to creating Excel spreadsheets ad hoc, extracting information from scanning utilities like the Black Duck and Palamida software tools, or throwing up their hands in frustration. SPDX is an effort to formulate a protocol for storing and delivering the relevant information, aimed at becoming a standard acceptable to all links in the supply chain.
The effort is ambitious, and may aptly be compared to herding cats or solving the meaning of life, but those involved in open source compliance, across the board, understand that it must be done. Participation in the workgroup is open to all. For more information, see http://spdx.org/.