The Linux Foundation and FOSSBazaar recently released the Software Package Data Exchange (SPDX), a data exchange specification that tracks license information in a standardized way, allowing it to travel across the software supply chain and easing the hassle of license compliance for open source software.
Currently, each license carries within it the developer's definition of how the software can be used and distributed. Permissive licenses allow software to be redistributed, and developers can modify code without being required to make those changes publicly available. Reciprocal licenses, however, have restrictions on reuse and redistribution.
Many companies have tools or services to audit the code and find its license to make sure the organization is in compliance. But even with such an audit, there is no standard way to document the data so it could be transferred to other users. SPDX uses a specific format to collect data about each project, including version number and license. Eventually, tools will be developed that allow SPDX files to be transferred from other file formats. Now that version 1.0 of the specification is available, the SPDX working group hopes that commercial software vendors will support the SPDX specification in the future.
From Network World
Abstracts Copyright © 2011 Information Inc., Bethesda, Maryland, USA