OpenChain ♥ SPDX

By October 29, 2018News

There is a lot of cross-pollination between Linux Foundation open source projects. The latest is a contribution from Fukuchi-San, a driving force in the OpenChain Japan WG, to SPDX. Motivated by a suggestion from Thomas Steenbergen at Open Source Summit Europe 2017 he has prepared a Japanese translation of the SPDX Specification. The draft document is available for comments, suggestions and improvements here:

About The Linux Foundation Compliance Stack

The OpenChain Project sits at the top of a stack of open source projects to address open source compliance. OpenChain is a high level standard defining the key requirements of a quality open source compliance program. Immediately below providing more specifics are the SPDX and TODO Group. The former is a standard for how the contents of software packages are described. The latter contains practical, timely information about how open source program offices can run. Moving further down the stack there are specific frameworks like FOSSology to scan code and confirm what software packages contain.

About The OpenChain Project

The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent. The OpenChain Specification defines a core set of requirements every quality compliance program must satisfy. The OpenChain Curriculum provides the educational foundation for open source processes and solutions, whilst meeting a key requirement of the OpenChain Specification. OpenChain Conformance allows organizations to display their adherence to these requirements. The result is that open source license compliance becomes more predictable, understandable and efficient for participants of the software supply chain.

About The SPDX Project

Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of material information (including components, licenses, copyrights, and security references). SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses, copyrights, and security references, thereby streamlining and improving compliance. The SPDX specification is developed by the SPDX workgroup, which is hosted by The Linux Foundation. The grass-roots effort includes representatives from more than 20 organizations—software, systems and tool vendors, foundations  and systems integrators—all committed to creating a standard for software package data exchange formats.