Software Package Data Exchange

From Wikipedia, the free encyclopedia

Abbreviation: SPDX
Status: Published
First published: August 2011
Latest version: 2.3 (November 2022)
Preview version: 3.0 RC[1] (16 May 2023)
Organization: Linux Foundation
Committee: SPDX Project
Domain: Software bill of materials
License: CC-BY-3.0
Website: spdx.dev

Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM).[2] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software.[3] Its original purpose was to improve license compliance,[4] and it has since been expanded to support additional use-cases, such as supply-chain transparency and security.[5] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.

The current version of the standard is 2.3.[6]

Structure

The SPDX standard defines an SBOM document, which contains SPDX metadata about software. The document itself can be expressed in multiple formats, including JSON, YAML, RDF/XML, tag-value, and spreadsheet. Each SPDX document describes one or more elements, each of which can be a software package, a specific file, or a snippet from a file. Each element is given a unique ID, so that elements can reference each other.[7]

Version history

Specification versions (version number, publication date, notes, references):

1.0 (August 2011): The first release of the SPDX specification; handles packages. [4]
1.1 (August 2012): Fixed a flaw in the SPDX Package Verification Code (a cryptographic hash function) and added support for free-form comments. [8]
1.2 (October 2013): Improved interaction with the SPDX License List, and added new fields for documenting extra information about software projects. [9]
2.0 (May 2015): Added the ability to describe multiple packages and the relationships between different packages and files. [10]
2.1 (November 2016): Added support for describing 'snippets' of code and the ability to reference non-SPDX data (such as CVEs). [11][12]
2.2 (May 2020): Added the 'SPDX-lite' profile for a minimal software bill of materials and improved support for external references. [13]
2.2.1 (October 2020): Functionally equivalent to SPDX 2.2 but with typesetting for publication as an ISO standard. [14]
2.2.2 (April 2022): Functionally equivalent to SPDX 2.2.1 but with spelling, grammar and other editorial improvements. [15]
2.3 (November 2022): Added new fields to improve the ability to capture security-related information and interoperability with other SBOM formats. [16]
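As an added example (not code from the article or from the SPDX project), the Python script below applies the structure described above to a constructed SPDX 2.3 JSON document: it checks that every SPDXID is unique, that every relationship resolves to a declared element (or to NONE, NOASSERTION, or an external DocumentRef- reference), and it recomputes the Package Verification Code mentioned for version 1.1 above from the SHA1 checksums listed for the package's files. The package name, file contents, SPDXIDs and document namespace are constructed sample values; the verification-code algorithm follows the SPDX 2.x specification (SHA1 over the ascending-sorted file SHA1 digests, concatenated without separators, excluded files skipped).

```python
"""Consumer-side checks on an SPDX 2.3 JSON document (added example):
unique SPDXIDs, relationships that resolve to declared elements, and a
package verification code recomputed from the listed file checksums."""
import hashlib
import json

# Constructed package contents (sample data, not from the article).
SAMPLE_FILES = {
    "LICENSE": b"Permission is hereby granted, free of charge, to any person ...\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def package_verification_code(sha1_by_file: dict, excluded=()) -> str:
    """SPDX PackageVerificationCode: SHA1 of the file SHA1 hex digests, sorted
    ascending and concatenated with no separator, skipping the excluded files
    (typically the SPDX document itself)."""
    digests = sorted(h.lower() for name, h in sha1_by_file.items() if name not in excluded)
    return sha1_hex("".join(digests).encode("ascii"))


def build_sample_document() -> dict:
    """Build a minimal SPDX 2.3 JSON document describing one package (constructed)."""
    files, relationships = [], []
    for i, (name, content) in enumerate(sorted(SAMPLE_FILES.items())):
        file_id = f"SPDXRef-File-{i}"
        files.append({
            "SPDXID": file_id,
            "fileName": f"./{name}",
            "checksums": [{"algorithm": "SHA1", "checksumValue": sha1_hex(content)}],
        })
        relationships.append({"spdxElementId": "SPDXRef-Package",
                              "relationshipType": "CONTAINS",
                              "relatedSpdxElement": file_id})
    code = package_verification_code({n: sha1_hex(c) for n, c in SAMPLE_FILES.items()})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-sbom",
        "documentNamespace": "https://example.invalid/spdx/example-sbom",  # placeholder
        "packages": [{
            "SPDXID": "SPDXRef-Package",
            "name": "example-package",  # constructed name
            "versionInfo": "1.0.0",
            "filesAnalyzed": True,
            "packageVerificationCode": {"packageVerificationCodeValue": code},
        }],
        "files": files,
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relationshipType": "DESCRIBES",
                           "relatedSpdxElement": "SPDXRef-Package"}] + relationships,
    }


def validate(doc: dict) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems, declared = [], set()
    elements = [doc] + doc.get("packages", []) + doc.get("files", []) + doc.get("snippets", [])
    for element in elements:
        spdx_id = element["SPDXID"]
        if spdx_id in declared:
            problems.append(f"duplicate SPDXID {spdx_id}")
        declared.add(spdx_id)
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[key]
            # NONE/NOASSERTION and external DocumentRef- ids need no local element
            if ref in ("NONE", "NOASSERTION") or ref.startswith("DocumentRef-"):
                continue
            if ref not in declared:
                problems.append(f"{rel['relationshipType']} relationship references undeclared element {ref}")
    file_by_id = {f["SPDXID"]: f for f in doc.get("files", [])}
    for pkg in doc.get("packages", []):
        pvc = pkg.get("packageVerificationCode")
        if not pvc:
            continue
        # Collect SHA1 checksums of the files the package CONTAINS, then recompute the code.
        sha1_by_file = {}
        for rel in doc.get("relationships", []):
            if rel["spdxElementId"] == pkg["SPDXID"] and rel["relationshipType"] == "CONTAINS":
                f = file_by_id.get(rel["relatedSpdxElement"])
                for checksum in (f or {}).get("checksums", []):
                    if checksum["algorithm"] == "SHA1":
                        sha1_by_file[f["fileName"]] = checksum["checksumValue"]
        excluded = set(pvc.get("packageVerificationCodeExcludedFiles", []))
        if pvc["packageVerificationCodeValue"].lower() != package_verification_code(sha1_by_file, excluded):
            problems.append(f"package {pkg['SPDXID']} verification code mismatch")
    return problems


if __name__ == "__main__":
    serialized = json.dumps(build_sample_document(), indent=2)  # round-trip through JSON text
    print(validate(json.loads(serialized)) or "document passed all checks")
```

The verification code only covers the files the package declares; a consumer that has the package contents on disk should also recompute each file's SHA1 from the bytes before trusting the listed checksums.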

The first version of the SPDX specification was intended to make compliance with software licenses easier,[4] but subsequent versions of the specification added capabilities intended for other use-cases, such as being able to contain references to known software vulnerabilities.[12] Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'.[17]

SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August 2021.[14][18]

License syntax

Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here "MPL-2.0". Licenses can be combined with the operators AND and OR, and grouped with parentheses "(" and ")".

For example, (Apache-2.0 OR MIT) means that one can choose between Apache-2.0 (the Apache License) and MIT (the MIT License). On the other hand, (Apache-2.0 AND MIT) means that both licenses apply.

There is also a "+" operator which, when applied to a license, means that future versions of the license apply as well. For example, Apache-1.1+ means that Apache-1.1 and Apache-2.0 may apply (and future versions if any).

SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like".[19]

In 2020, the European Commission published its Joinup Licensing Assistant,[20] which makes possible the selection and comparison of more than 50 licenses, with access to their SPDX identifier and full text.

Deprecated license identifiers

The GNU family of licenses (e.g., GNU General Public License version 2) has a built-in option to choose a later version of the license. Sometimes, it was not clear whether the SPDX expression GPL-2.0 meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version".[21] Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has new names.[22] GPL-2.0-only means "exactly version 2.0" and GPL-2.0-or-later means "version 2.0 or any later version".
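As an added example serving both the license syntax section and the deprecated-identifier rule above (this is not code from the article or from the SPDX project), the Python parser below reads SPDX license expressions built from identifiers, the "+" suffix, AND, OR and parentheses, with AND binding tighter than OR as in the SPDX specification. While parsing it rewrites the deprecated GNU identifiers to their -only / -or-later forms; the replacement table lists the GPL and LGPL entries of that renaming and is an assumption beyond the one GPL-2.0 pair the text names. The allow-list policy check, satisfiable(), treats a "+" license as satisfiable when its base version is allowed, since the licensee may choose that version.

```python
"""Parse and evaluate SPDX license expressions (added example)."""
import re

# Deprecated GNU-family identifiers and the names that replaced them
# (License List 3.0 renaming; table assumed here for the GPL/LGPL entries).
DEPRECATED = {
    "GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
    "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later",
    "LGPL-2.1": "LGPL-2.1-only", "LGPL-2.1+": "LGPL-2.1-or-later",
    "LGPL-3.0": "LGPL-3.0-only", "LGPL-3.0+": "LGPL-3.0-or-later",
}

# One token per match: a parenthesis, or an identifier with an optional trailing "+".
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-]+\+?)")


def tokenize(expression: str) -> list:
    tokens, pos = [], 0
    expression = expression.strip()
    while pos < len(expression):
        m = TOKEN.match(expression, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expression[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def normalize(identifier: str) -> str:
    """Map a deprecated GNU identifier to its -only / -or-later replacement."""
    return DEPRECATED.get(identifier, identifier)


class Parser:
    """Recursive-descent parser: expr := and (OR and)*; and := factor (AND factor)*;
    factor := '(' expr ')' | IDENTIFIER['+']. Nodes are tuples:
    ("license", id), ("and", l, r), ("or", l, r)."""

    def __init__(self, expression: str):
        self.tokens, self.pos = tokenize(expression), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_factor()
        while self.peek() is not None and self.peek().upper() == "AND":
            self.take()
            node = ("and", node, self.parse_factor())
        return node

    def parse_factor(self):
        token = self.take()
        if token == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if token is None or token == ")" or token.upper() in ("AND", "OR"):
            raise ValueError(f"expected a license identifier, got {token!r}")
        return ("license", normalize(token))


def parse(expression: str):
    return Parser(expression).parse()


def to_string(node) -> str:
    """Render a tree back to a fully parenthesized, normalized expression."""
    if node[0] == "license":
        return node[1]
    return f"({to_string(node[1])} {node[0].upper()} {to_string(node[2])})"


def licenses(node) -> set:
    """All (normalized) identifiers mentioned in the expression."""
    if node[0] == "license":
        return {node[1]}
    return licenses(node[1]) | licenses(node[2])


def satisfiable(node, allowed: set) -> bool:
    """True if the licensee can comply using only licenses on the allow list:
    OR needs one side, AND needs both; "X+" is fine when X itself is allowed."""
    if node[0] == "license":
        name = node[1]
        return name in allowed or (name.endswith("+") and name[:-1] in allowed)
    left, right = satisfiable(node[1], allowed), satisfiable(node[2], allowed)
    return (left and right) if node[0] == "and" else (left or right)


if __name__ == "__main__":
    tree = parse("(Apache-2.0 OR MIT) AND GPL-2.0+")
    print(to_string(tree), licenses(tree), satisfiable(tree, {"MIT", "GPL-2.0-or-later"}))
```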

Adoption

For licensing

The SPDX license identifier can be added to the top of source code files as a short string unambiguously declaring the license used. The SPDX-License-Identifier syntax, pioneered by Das U-Boot in 2013, became part of SPDX in version 2.1. In 2017, the FSFE launched REUSE, which provides tools to validate the comment and to efficiently extract copyright information.[23]
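As an added example of the file-header convention just described (not code from the article, the SPDX project or the REUSE tool), the Python script below scans the top of each file for an SPDX-License-Identifier comment in the common comment styles, extracts REUSE's SPDX-FileCopyrightText lines alongside it, builds a per-license inventory, and reports files that carry no identifier. The file set and its contents are constructed sample data, and the 20-line header window is an assumption.

```python
"""Scan source headers for SPDX-License-Identifier comments (added example)."""
import re

HEADER_LINES = 20  # only the top of each file is inspected (assumption)

# The expression runs to end of line, minus a trailing "*/" or "-->" comment closer.
LICENSE_RE = re.compile(r"SPDX-License-Identifier:\s*([^\s].*?)\s*(?:\*/|-->)?\s*$")
COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*(.+?)\s*(?:\*/|-->)?\s*$")

# Constructed sample tree: path -> file contents.
SAMPLE_FILES = {
    "src/main.c": (
        "/* SPDX-FileCopyrightText: 2023 Example Contributors */\n"
        "/* SPDX-License-Identifier: GPL-2.0-or-later */\n"
        "#include <stdio.h>\n"
    ),
    "tools/build.py": (
        "#!/usr/bin/env python3\n"
        "# SPDX-FileCopyrightText: 2023 Example Contributors\n"
        "# SPDX-License-Identifier: MIT\n"
    ),
    "lib/util.js": (
        "// SPDX-FileCopyrightText: 2022 Example Contributors\n"
        "// SPDX-License-Identifier: (Apache-2.0 OR MIT)\n"
        "export const x = 1;\n"
    ),
    "vendored/old.c": "/* no SPDX header at all */\nint f(void) { return 1; }\n",
}


def scan_header(text: str) -> dict:
    """Return the first license expression and all copyright lines found in the header."""
    info = {"license": None, "copyrights": []}
    for line in text.splitlines()[:HEADER_LINES]:
        m = LICENSE_RE.search(line)
        if m and info["license"] is None:
            info["license"] = m.group(1)
        m = COPYRIGHT_RE.search(line)
        if m:
            info["copyrights"].append(m.group(1))
    return info


def license_inventory(files: dict) -> dict:
    """Map each license expression found to the sorted list of files declaring it."""
    inventory = {}
    for path, text in files.items():
        expression = scan_header(text)["license"]
        if expression is not None:
            inventory.setdefault(expression, []).append(path)
    return {k: sorted(v) for k, v in inventory.items()}


def audit(files: dict) -> list:
    """List files whose header lacks a license identifier or copyright text."""
    findings = []
    for path, text in sorted(files.items()):
        info = scan_header(text)
        if info["license"] is None:
            findings.append(f"{path}: no SPDX-License-Identifier in the first {HEADER_LINES} lines")
        if not info["copyrights"]:
            findings.append(f"{path}: no SPDX-FileCopyrightText")
    return findings


if __name__ == "__main__":
    for expression, paths in sorted(license_inventory(SAMPLE_FILES).items()):
        print(f"{expression}: {', '.join(paths)}")
    for finding in audit(SAMPLE_FILES):
        print("FINDING", finding)
```

The extracted expression is kept as text; checking that it parses and that its identifiers are on the SPDX License List is a separate step, which is where a tool such as REUSE adds value over a plain grep.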

The SPDX license identifier is also used in a number of package managers, such as npm,[24] Python,[25] and Rust's Cargo.[26] SPDX license expressions are used in RPM package metadata in Fedora Linux, replacing the earlier use of the Callaway system.[27] Debian uses a slightly different license specification.[28]

References

  1. ^ "SPDX Announces 3.0 Release Candidate with New Use Cases". Software Package Data Exchange (SPDX). 16 May 2023.
  2. ^ Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
  3. ^ "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
  4. ^ a b c Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
  5. ^ Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
  6. ^ "SPDX Current version". spdx.dev. Retrieved 2022-11-22.
  7. ^ "SPDX and NTIA Minimum Elements for SBOM HOWTO". spdx.github.io.
  8. ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. August 30, 2012. Retrieved 2021-12-01.
  9. ^ "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. October 22, 2013. Retrieved 2021-12-01.
  10. ^ "What's new in SPDX 2.0". LWN.net. May 20, 2015. Retrieved 2021-12-01.
  11. ^ "General Meeting/Minutes/2016-11-03". wiki.spdx.org. November 3, 2016. Retrieved 2021-12-01.
  12. ^ a b "The Linux Foundation's Open Compliance Initiative Releases New SPDX Specification". Linux Foundation. October 4, 2016. Retrieved 2021-12-01.
  13. ^ "SPDX 2.2 Specification Released". Linux Foundation. May 7, 2020. Retrieved 2021-12-01.
  14. ^ a b "ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1". iso.org. Retrieved 2021-12-01.
  15. ^ "Release v2.2.2". github.com/spdx. Retrieved 2022-06-11.
  16. ^ "Release v2.3". github.com/spdx. Retrieved 2022-11-22.
  17. ^ "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. Retrieved 2021-12-01.
  18. ^ Bernard, Allen (September 9, 2021). "SPDX becomes internationally recognized standard". TechRepublic. Retrieved 2021-12-01.
  19. ^ Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
  20. ^ "Joinup Licensing Assistant". Retrieved 31 March 2020.
  21. ^ Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". GNU. Retrieved 2018-05-24.
  22. ^ Jilayne Lovejoy (5 January 2018). "License List 3.0 Released!". spdx.dev. Archived from the original on 2018-01-05. Retrieved 2021-09-02.
  23. ^ "Solving License Compliance at the Source: Adding SPDX License IDs - Linux Foundation". www.linuxfoundation.org.
  24. ^ "package.json | npm Docs". docs.npmjs.com.
  25. ^ "PEP 639 – Improving License Clarity with Better Package Metadata | peps.python.org". peps.python.org.
  26. ^ "The Manifest Format - The Cargo Book". doc.rust-lang.org.
  27. ^ "License: field in Spec File". Fedora Legal Documentation. Retrieved 30 July 2023.
  28. ^ "Machine-readable debian/copyright file". www.debian.org.

This page was last edited on 25 November 2023, at 19:10
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.