Copyright Linux Foundation 2015 (CC-BY-3.0)
SPDX 2.0
summary of the changes
SPDX® 2.0 - what’s new?
▪ Multiple packages can now be described in a single SPDX document.
▪ Relationships between packages, files, and external SPDX documents can now be described.
▪ Annotations can be provided on any specific element in an SPDX document.
▪ Additional file types & checksum algorithms are now supported.
▪ Download location information has been expanded.
▪ A new license expression syntax has been introduced with improved license matching guidelines.
▪ License exceptions are a separate section in the license list.
SPDX® 2.0 - what’s changed from 1.2?
▪ Review Information section replaced by Annotations.
  ▪ Now able to provide specific information at file, package or document level.
▪ Document and Creation Information sections merged into a single section.
  ▪ All fields from 1.2 remain, just regrouped, and some additional ones added.
SPDX® 2.0 - what’s the same as 1.2?
▪ Most of it!
▪ Approx. 90% of the fields are basically the same as in 1.2 (42/46).
▪ The 4 deprecated fields have been replaced with more generalized support.
▪ Still can refer to licenses not on the SPDX License List.
  ▪ More licenses added to the SPDX License List (from the Fedora “good” list).
▪ Same basic file formats supported:
  ▪ Tag:Value
  ▪ RDF/XML
  ▪ translation to spreadsheets
The SPDX Document
[Figure: side-by-side structure of an SPDX v1.2 file and an SPDX v2.0 file]
SPDX v1.2 File:
▪ Creation Information
▪ Package Information
▪ File Information
▪ Other Licensing Information
▪ Review Information
SPDX v2.0 File:
▪ Document Creation Information
▪ Package Information
▪ File Information
▪ Other Licensing Information
▪ Annotations
▪ Relationships
Document and Creation Information
▪ SPDX Version (used in creation of SPDX file)
▪ Licensing of metadata
▪ SPDX Identifier for the document itself
▪ Name of this Document
▪ SPDX Document Namespace (URI)
▪ External SPDX Doc References
▪ License List Version
▪ Creator (how was the file created)
  ▪ Manual review (who, when)
  ▪ Tool (id, version, when)
▪ When was it created
▪ Comments on creator and document itself
Package Information
▪ Identification
  ▪ Formal Name of Package (full name given by originator, and version information)
  ▪ SPDX Identifier (unique ID for referencing from elsewhere)
  ▪ Package File Name (name the package was obtained under (.tar, .rpm, etc.))
  ▪ Package Supplier and Originator
  ▪ Package Download Location (download URL and repository information)
  ▪ Package Verification Code and Checksum (SHA1, MD5, SHA256)
  ▪ Package Homepage and Source Information
▪ Licensing for Package
  ▪ Declared License - license(s) that has/have been asserted for the package
  ▪ Concluded License - license that the Creator has concluded
  ▪ List of file licenses
  ▪ Comments Field (for example, to explain the conclusion)
▪ Copyright Text
▪ Description of Package (summary and detailed options) and comments about the package
File Information
▪ Identification
  ▪ File Name
  ▪ SPDX Identifier (for referencing from elsewhere)
  ▪ File Type (source, binary, archive, application, audio, image, text, video, documentation, spdx)
  ▪ Artifact of Project Name, Homepage & URI (project it came from)
  ▪ File Checksum (SHA1, MD5, SHA256)
▪ Licensing for File
  ▪ Concluded License (license determined by SPDX file creator)
  ▪ License Information in File
  ▪ Comments on License
▪ Copyright Text
▪ File Notices
▪ File Contributor
▪ File Dependencies
▪ File Comments
Other Licensing Information
Provides a way to identify licenses not on the SPDX License List.
▪ Identifier Assigned (unique short form within this document)
▪ Extracted Text
▪ Name of License
▪ Cross References
▪ Comments
Relationships
▪ Each SPDX Document has a unique identifier.
▪ Elements within a document have an identifier unique to the SPDX document (e.g. the Document itself, Package, File & License).
▪ Elements in external documents are referenced using the external document ID followed by the local unique reference.

SPDX Document A
  …
  SPDXRef-DOCUMENT …
  …
  File Name: ./abc/def
  SPDXID: SPDXRef-201
  …

SPDX Document B
  …
  ExternalDocumentRef: DocumentRef-A …
  …
  … DocumentRef-A:SPDXRef-DOCUMENT …
  …
  … DocumentRef-A:SPDXRef-201 …
  …
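The Document A / Document B example above, worked through as an added example (not code from the deck or the SPDX tools): two constructed SPDX 2.0 tag/value documents, a reader that keys elements by SPDXID, and a resolver that turns `DocumentRef-A:SPDXRef-201` into the element in A plus its `namespace#SPDXID` URI, checking the SHA1 that B recorded for A before trusting A's content. The document contents, namespaces and element ids are constructed.

```python
"""Resolve SPDX 2.0 cross-document references (DocumentRef-X:SPDXRef-N)."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample documents (not from the deck). Document A describes one file;
# document B refers to it through an ExternalDocumentRef, which in SPDX 2.0
# tag/value carries the external document's namespace and its SHA1.
DOC_A = """\
SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: A
DocumentNamespace: https://example.com/spdxdocs/A-0001
FileName: ./abc/def
SPDXID: SPDXRef-201
FileChecksum: SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
"""

DOC_B_TEMPLATE = """\
SPDXVersion: SPDX-2.0
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: B
DocumentNamespace: https://example.com/spdxdocs/B-0001
ExternalDocumentRef: DocumentRef-A https://example.com/spdxdocs/A-0001 SHA1: {sha1}
PackageName: consumer
SPDXID: SPDXRef-Package
Relationship: SPDXRef-Package CONTAINS DocumentRef-A:SPDXRef-201
"""
# The SHA1 that B records for A is computed here so the sample is self-consistent.
DOC_B = DOC_B_TEMPLATE.format(sha1=hashlib.sha1(DOC_A.encode()).hexdigest())

EXT_REF = re.compile(r"^(DocumentRef-\S+)\s+(\S+)\s+SHA1:\s*([0-9a-fA-F]{40})$")
ELEMENT_START = {"SPDXVersion", "PackageName", "FileName"}  # tags that open an element


@dataclass
class Document:
    raw: str
    namespace: str = ""
    elements: dict = field(default_factory=dict)  # SPDXID -> {tag: value}
    external: dict = field(default_factory=dict)  # DocumentRef-X -> (namespace, sha1)


def parse(text):
    """Minimal tag/value reader that groups tags into elements keyed by SPDXID."""
    doc = Document(raw=text)
    current = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        if tag in ELEMENT_START:
            current = {}
        current[tag] = value
        if tag == "SPDXID":
            doc.elements[value] = current
        elif tag == "DocumentNamespace":
            doc.namespace = value
        elif tag == "ExternalDocumentRef":
            m = EXT_REF.match(value)
            if not m:
                raise ValueError(f"malformed ExternalDocumentRef: {value}")
            doc.external[m.group(1)] = (m.group(2), m.group(3).lower())
    return doc


def external_document_ok(doc, ext_id, corpus):
    """True if the document ext_id points to is in corpus and its SHA1 matches the
    value recorded in the ExternalDocumentRef; corpus maps namespace -> Document."""
    namespace, expected_sha1 = doc.external[ext_id]
    target = corpus.get(namespace)
    if target is None:
        return False
    return hashlib.sha1(target.raw.encode()).hexdigest() == expected_sha1


def resolve(ref, doc, corpus):
    """Resolve a local (SPDXRef-N) or external (DocumentRef-X:SPDXRef-N) reference.

    Returns (element fields, uri) where uri is namespace + '#' + SPDXID. A swapped
    or modified external document fails the checksum check and is rejected rather
    than silently trusted.
    """
    if ":" in ref:
        ext_id, local = ref.split(":", 1)
        if not external_document_ok(doc, ext_id, corpus):
            raise ValueError(f"{ext_id}: external document missing or checksum mismatch")
        target = corpus[doc.external[ext_id][0]]
    else:
        target, local = doc, ref
    return target.elements[local], f"{target.namespace}#{local}"


def demo():
    doc_a, doc_b = parse(DOC_A), parse(DOC_B)
    corpus = {doc_a.namespace: doc_a, doc_b.namespace: doc_b}
    element, uri = resolve("DocumentRef-A:SPDXRef-201", doc_b, corpus)
    return element["FileName"], uri


if __name__ == "__main__":
    print(demo())  # ('./abc/def', 'https://example.com/spdxdocs/A-0001#SPDXRef-201')
```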
Review Information
▪ Reviewer
▪ Review Date
▪ Review Comment
REPLACED BY Annotations
Annotations
▪ Annotation allows for comments on any SPDX file, package or document.
▪ Annotations can provide a changelog for any changes made to that file, package, or document (as appropriate).
▪ Annotations contain:
  ▪ annotator (the person, company, or tool which provided the annotation)
  ▪ date the annotation was made
  ▪ type of annotation (review or other)
  ▪ SPDX identifier reference (element the annotation refers to)
  ▪ comments
Matching Guidelines and templates
▪ License Matching Guidelines
  ▪ For matching licenses and license exceptions against those included on the SPDX License List
  ▪ http://spdx.org/spdx-license-list/matching-guidelines
▪ License templates
  ▪ Denote text which is omittable or replaceable per the license matching guidelines
  ▪ Markup included in .txt files (http://git.spdx.org/?p=license-list.git;a=summary) and (will be) illustrated via colored text on the spdx.org/licenses HTML pages
License Expression Syntax
▪ Enabling more complex licensing scenarios using operators: + WITH AND OR
▪ Licenses with an “or later” option: were listed as separate licenses; now can use the + operator
▪ License exceptions: were listed as separate licenses; now on a separate list, enabling more combinations using the WITH operator
▪ As a result, some licenses were deprecated (will be denoted on the SPDX License List and maintained for compatibility purposes)
▪ AND for conjunctive license sets; OR for disjunctive license sets
▪ Can be used with ( ) to create more complex expressions
▪ License Expression Syntax is located in an Appendix to the spec
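An added example (not code from the deck or the SPDX tools) of parsing the operators listed above: a recursive-descent parser with OR binding loosest, then AND, then WITH, then the + suffix, rejecting malformed input instead of guessing. The license and exception id sets are small constructed stand-ins for the real SPDX lists.

```python
"""Recursive-descent parser for SPDX 2.0 license expressions."""
import re

# Constructed fragments of the SPDX License List and exception list (not the deck's
# data; the real lists are far longer). "Or later" is the + suffix on a base id, and
# an exception is attached with WITH instead of being listed as its own license.
LICENSE_IDS = {"MIT", "GPL-2.0", "LGPL-2.1", "Apache-2.0", "BSD-3-Clause", "CC-BY-3.0"}
EXCEPTION_IDS = {"Classpath-exception-2.0", "Bison-exception-2.2"}
KEYWORDS = {"AND", "OR", "WITH"}


def tokenize(expr):
    """'(', ')', keywords and ids; any other non-space character becomes a
    one-character token that the parser then rejects as an unknown id."""
    return re.findall(r"\(|\)|[A-Za-z0-9.\-]+\+?|\S", expr)


class Parser:
    """Precedence, loosest to tightest: OR, AND, WITH, then the + suffix.
    AST nodes: ("license", id, or_later), ("with", license_node, exception_id),
    ("and", left, right), ("or", left, right)."""

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:  # trailing tokens, e.g. an unbalanced ')'
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_with()
        while self.peek() == "AND":
            self.take()
            node = ("and", node, self.parse_with())
        return node

    def parse_with(self):
        node = self.parse_primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if node[0] != "license":
                raise ValueError("WITH applies to a single license, not a compound")
            if exc not in EXCEPTION_IDS:
                raise ValueError(f"unknown exception id after WITH: {exc!r}")
            node = ("with", node, exc)
        return node

    def parse_primary(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok == ")" or tok in KEYWORDS:
            raise ValueError(f"expected a license id, got {tok!r}")
        or_later = tok.endswith("+")
        lic = tok[:-1] if or_later else tok
        if lic not in LICENSE_IDS and not lic.startswith("LicenseRef-"):
            raise ValueError(f"unknown license id: {lic!r}")
        return ("license", lic, or_later)


def parse_expression(expr):
    return Parser(expr).parse()


def is_valid(expr):
    """Validation entry point: True only for a complete, well-formed expression."""
    try:
        parse_expression(expr)
        return True
    except ValueError:
        return False
```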
SPDX® 2.0 - Model Overview
▪ Result of merging two model proposals
▪ Designed to support all of the proposed use cases for 2.0 (and then some)
▪ Contains several new “abstractions” to allow for future extensions
▪ Available in the spec and at http://wiki.spdx.org/view/Technical_Team/Model_2_0
RDF Overview
▪ What?
  ▪ Resource Description Framework - standard for encoding data for the Semantic Web
▪ Why?
  ▪ Precise
  ▪ Widely adopted
  ▪ Web based standard
  ▪ Support for “reasoning”
SPDX 2.0 RDF Changes
▪ Additional classes and properties to match the SPDX 2.0 model
▪ Use of the SPDX document namespace to uniquely identify all SPDX elements in the document
  ▪ All documents will have a unique URI for a namespace
  ▪ All elements will have a URI with the namespace + #ElementID
RDF and Tag:Value
▪ Tools to translate both ways
▪ Common names for “most” of the properties
  ▪ Exceptions for enumeration values, which must be unique in RDF (e.g. annotationType_review = REVIEW)
▪ The Document Namespace tag is the key to the URI
Notes for Implementers
▪ Careful of the infinite recursion of Relationships
▪ External Document References are key to building URIs for external documents
▪ Leverage existing implementations (git.linuxfoundation.org)
▪ The RDF schema can be found at http://spdx.org/rdf/ontology/spdx-2-0-rev-11/
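The "infinite recursion" note, as an added example (not code from the deck or the SPDX tools): the Apache MQ / Jetty / javax.servlet containment chain from the backup slides recorded as SPDX 2.0 Relationship tag lines in both directions, with a visited-set traversal and a cycle check so that reciprocal CONTAINS / CONTAINED_BY pairs cannot loop a walker forever. The SPDXIDs are constructed.

```python
"""Traverse SPDX 2.0 relationships safely: reciprocal edges make the graph cyclic."""
from collections import deque

# Constructed sample (not from the deck): the Apache MQ -> Jetty -> javax.servlet
# containment chain from the backup slide, recorded in both directions as SPDX 2.0
# Relationship tag lines, plus one DYNAMIC_LINK edge.
RELATIONSHIP_LINES = """\
Relationship: SPDXRef-ApacheMQ CONTAINS SPDXRef-Jetty
Relationship: SPDXRef-Jetty CONTAINED_BY SPDXRef-ApacheMQ
Relationship: SPDXRef-Jetty CONTAINS SPDXRef-JavaxServlet
Relationship: SPDXRef-JavaxServlet CONTAINED_BY SPDXRef-Jetty
Relationship: SPDXRef-ApacheMQ DYNAMIC_LINK SPDXRef-JavaxServlet
""".splitlines()


def parse_relationships(lines):
    """Return {source SPDXID: [(relationship type, target SPDXID), ...]}."""
    graph = {}
    for line in lines:
        tag, _, value = line.partition(":")
        if tag.strip() != "Relationship":
            continue
        parts = value.split()
        if len(parts) != 3:
            raise ValueError(f"malformed relationship: {line!r}")
        src, rel_type, dst = parts
        graph.setdefault(src, []).append((rel_type, dst))
        graph.setdefault(dst, [])  # every referenced element gets a node
    return graph


def reachable(graph, start, rel_types=None):
    """Elements reachable from start over edges of the given types (all if None),
    in breadth-first order. The visited set is what stops CONTAINS / CONTAINED_BY
    pairs from being followed back and forth indefinitely."""
    visited = {start}
    order = []
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel_type, nxt in graph.get(node, []):
            if rel_types is not None and rel_type not in rel_types:
                continue
            if nxt not in visited:
                visited.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def has_cycle(graph, rel_types=None):
    """Iterative DFS with white/grey/black colouring; True if any cycle exists
    among edges of the given types. Grey = currently on the DFS stack."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    for root in graph:
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(graph[root]))]
        while stack:
            node, edges = stack[-1]
            for rel_type, nxt in edges:
                if rel_types is not None and rel_type not in rel_types:
                    continue
                if colour[nxt] == GREY:
                    return True  # back edge: nxt is an ancestor on the stack
                if colour[nxt] == WHITE:
                    colour[nxt] = GREY
                    stack.append((nxt, iter(graph[nxt])))
                    break
            else:
                colour[node] = BLACK  # all edges explored
                stack.pop()
    return False


if __name__ == "__main__":
    g = parse_relationships(RELATIONSHIP_LINES)
    print(reachable(g, "SPDXRef-ApacheMQ", {"CONTAINS"}))
    print(has_cycle(g), has_cycle(g, {"CONTAINS"}))
```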
How to Provide Feedback
▪ Add a Comment or Question on the draft working document:
  ▪ use this for typos/format errors/etc.
▪ Open a bug on the SPDX spec
  ▪ https://bugs.linuxfoundation.org/enter_bug.cgi?product=spdx
  ▪ use this for issues that might be showstoppers and things to consider for the next release. Set the target release to 2.0. We review these weekly.
▪ Send email to the spdx-legal mailing list
  ▪ https://lists.spdx.org/mailman/listinfo/spdx-legal
  ▪ use this for queries about the licenses or issues related to the SPDX License List.
▪ Send email to the spdx-tech mailing list
  ▪ https://lists.spdx.org/mailman/listinfo/spdx-tech
  ▪ use this for general queries about the spec that don’t fit into the other channels.
QUESTIONS?
Thank you!
Backup Slides
SPDX® 2.0 - How?
Reworking the Underlying Model
SPDX handles Package Relationships
[Figure: two parallel columns, "Package" and "SPDX Doc", each showing Apache MQ, Jetty Web Container and javax.servlet, linked top to bottom by "contains" and, in the reverse direction, "cont’d by" relationships.]
SPDX Elements - the fundamentals
Licenses
The Big (and complex) Picture
SPDX® 2.0 - Why?
Key Use Cases to Support
Relationship Use Cases
Binary only delivery
• SPDX for the binary points to the SPDX doc for the code used to build it (generatedFrom)
• SPDX for the binary points to the SPDX doc for a library it links with at run time (dynamicLink)
[Figure: Binary SPDX linked to Source SPDX by generatedFrom, and to Library SPDX by dynamicLink.]
Relationship Use Cases
More precise description of the “bits”
• Instead of a single SPDX file with “the kitchen sink” or multiple ones that must have a document to say what they are, we can now be more precise and have the docs refer to themselves
[Figure: an Application SPDX document alongside Source SPDX (License: BSD-3-Clause), Binary SPDX (License: BSD-3-Clause), Documents SPDX (License: CC-BY-3.0) and Test Sftw SPDX (License: MIT) documents, linked by describes, generatedFrom and testCaseOf relationships.]
Relationship Use Cases
Supply Chains
• Changes can be tracked as software moves through a supply chain
• Entity A gives a library, libA, to Entity B
• Entity B makes changes to libA and describes those changes with a new SPDX doc that refers to the original one.
[Figure: Entity A’s libA SPDX and Entity B’s New libA SPDX, linked by descendantOf (package to package relationship) and by fileAdded, fileModified, fileRemoved (file to package relationship).]
Resources for SPDX®
▪ Open Source Tools (hosted on the SPDX Git Repo)
  ▪ Viewer
  ▪ Spreadsheet to RDF/Tag Value translator
  ▪ RDF/Tag Value to Spreadsheet translator
  ▪ License file generator (from Spreadsheet)
  ▪ Spreadsheet template
  ▪ FOSSology via University of Nebraska Omaha
▪ Commercial Tools
  ▪ Scanning tools to provide SPDX® support
▪ http://spdx.org/
Getting involved…
▪ See:
  ▪ http://www.spdx.org
  ▪ Mailing lists, meetings, wiki
▪ Contact:
  ▪ Phil Odence (Chair) - podence@blackducksoftware.com
  ▪ Kate Stewart (Tech Team Chair) - stewart@linux.com
  ▪ Gary O’Neal (Tools Lead) - gary@sourceauditor.com
  ▪ Jilayne Lovejoy (Legal Team Co-Chair) - opensource@jilayne.com
  ▪ Paul Maddick (Legal Team Co-Chair) - paul.madick@hp.com
  ▪ Jack Manbeck (Business Team Co-Chair) - j-manbeck2@ti.com
  ▪ Mikael Söderberg (Business Team Co-Chair) - mikael.soderberg@pelagicore.com

More Related Content

Similar to SPDX 2.0: introduction

OpenChain, SPDX and FOSSology
OpenChain, SPDX and FOSSologyOpenChain, SPDX and FOSSology
OpenChain, SPDX and FOSSology
Shane Coughlan
 
RDA & serials-transitioning to rda within a marc 21 framework
RDA & serials-transitioning to rda within a marc 21 frameworkRDA & serials-transitioning to rda within a marc 21 framework
RDA & serials-transitioning to rda within a marc 21 framework
NASIG
 
OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0
Shane Coughlan
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
nexB Inc.
 
RDA & serials-transitioning to rda within a marc 21 framework-handout
RDA & serials-transitioning to rda within a marc 21 framework-handoutRDA & serials-transitioning to rda within a marc 21 framework-handout
RDA & serials-transitioning to rda within a marc 21 framework-handout
NASIG
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
Michael Herzog
 
How to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCodeHow to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCode
nexB Inc.
 
Identifying third party software with ScanCode
Identifying third party software with ScanCodeIdentifying third party software with ScanCode
Identifying third party software with ScanCode
nexB Inc.
 
Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...
Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...
Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...
Syaiful Ahdan
 
Describing configurations of software experiments as Linked Data
Describing configurations of software experiments as Linked DataDescribing configurations of software experiments as Linked Data
Describing configurations of software experiments as Linked Data
Joachim Van Herwegen
 
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdfSFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
South Tyrol Free Software Conference
 
LOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2: State of Play WP6 - LOD2 Stack ArchitectureLOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2 Creating Knowledge out of Interlinked Data
 
ABCD for etd repositories
ABCD for etd repositoriesABCD for etd repositories
ABCD for etd repositories
sangeetadhamdhere
 
NIF Data Ingest
NIF Data IngestNIF Data Ingest
Introduction to DSpace
Introduction to DSpaceIntroduction to DSpace
Introduction to DSpace
Bharat Chaudhari
 
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDXSFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
South Tyrol Free Software Conference
 
The Big Documentation Extravaganza
The Big Documentation ExtravaganzaThe Big Documentation Extravaganza
The Big Documentation Extravaganza
Stephan Schmidt
 
Introduction to Digital Humanities: Metadata standards and ontologies
Introduction to Digital Humanities: Metadata standards and ontologies Introduction to Digital Humanities: Metadata standards and ontologies
Introduction to Digital Humanities: Metadata standards and ontologies
LIBIS
 
RELAX NG to DTD and XSD Using the Open Toolkit
RELAX NG to DTD and XSD Using the Open ToolkitRELAX NG to DTD and XSD Using the Open Toolkit
RELAX NG to DTD and XSD Using the Open Toolkit
Contrext Solutions
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software Compliance
nexB Inc.
 

Similar to SPDX 2.0: introduction (20)

OpenChain, SPDX and FOSSology
OpenChain, SPDX and FOSSologyOpenChain, SPDX and FOSSology
OpenChain, SPDX and FOSSology
 
RDA & serials-transitioning to rda within a marc 21 framework
RDA & serials-transitioning to rda within a marc 21 frameworkRDA & serials-transitioning to rda within a marc 21 framework
RDA & serials-transitioning to rda within a marc 21 framework
 
OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0OpenChain Webinar #50 - An Overview of SPDX 3.0
OpenChain Webinar #50 - An Overview of SPDX 3.0
 
Managing Open Source Software Supply Chains
Managing Open Source Software Supply ChainsManaging Open Source Software Supply Chains
Managing Open Source Software Supply Chains
 
RDA & serials-transitioning to rda within a marc 21 framework-handout
RDA & serials-transitioning to rda within a marc 21 framework-handoutRDA & serials-transitioning to rda within a marc 21 framework-handout
RDA & serials-transitioning to rda within a marc 21 framework-handout
 
Scanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.ioScanning Docker Images with ScanCode.io
Scanning Docker Images with ScanCode.io
 
How to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCodeHow to Manage Open Source requirements with AboutCode
How to Manage Open Source requirements with AboutCode
 
Identifying third party software with ScanCode
Identifying third party software with ScanCodeIdentifying third party software with ScanCode
Identifying third party software with ScanCode
 
Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...
Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...
Operating System Practice : Meeting 4 - operasi file dan struktur direktori-s...
 
Describing configurations of software experiments as Linked Data
Describing configurations of software experiments as Linked DataDescribing configurations of software experiments as Linked Data
Describing configurations of software experiments as Linked Data
 
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdfSFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
SFScon 22 - Alexios Zavras - Software Bills of Materials (SBOM).pdf
 
LOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2: State of Play WP6 - LOD2 Stack ArchitectureLOD2: State of Play WP6 - LOD2 Stack Architecture
LOD2: State of Play WP6 - LOD2 Stack Architecture
 
ABCD for etd repositories
ABCD for etd repositoriesABCD for etd repositories
ABCD for etd repositories
 
NIF Data Ingest
NIF Data IngestNIF Data Ingest
NIF Data Ingest
 
Introduction to DSpace
Introduction to DSpaceIntroduction to DSpace
Introduction to DSpace
 
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDXSFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
SFSCON23 - Alexios Zavras - The current state of SBOMs and SPDX
 
The Big Documentation Extravaganza
The Big Documentation ExtravaganzaThe Big Documentation Extravaganza
The Big Documentation Extravaganza
 
Introduction to Digital Humanities: Metadata standards and ontologies
Introduction to Digital Humanities: Metadata standards and ontologies Introduction to Digital Humanities: Metadata standards and ontologies
Introduction to Digital Humanities: Metadata standards and ontologies
 
RELAX NG to DTD and XSD Using the Open Toolkit
RELAX NG to DTD and XSD Using the Open ToolkitRELAX NG to DTD and XSD Using the Open Toolkit
RELAX NG to DTD and XSD Using the Open Toolkit
 
Managing Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software ComplianceManaging Software Inventories & Automating Open Source Software Compliance
Managing Software Inventories & Automating Open Source Software Compliance
 

Recently uploaded

E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
VALiNTRY360
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
Green Software Development
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
Yara Milbes
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
aymanquadri279
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
Deuglo Infosystem Pvt Ltd
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
Requirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional SafetyRequirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional Safety
Ayan Halder
 

Recently uploaded (20)

E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024OpenMetadata Community Meeting - 5th June 2024
OpenMetadata Community Meeting - 5th June 2024
 
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User ValidationCode KataHand Rolled Applicative User ValidationCode Kata
Hand Rolled Applicative User Validation Code Kata
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
GreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-JurisicGreenCode-A-VSCode-Plugin--Dario-Jurisic
GreenCode-A-VSCode-Plugin--Dario-Jurisic
 
SMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API ServiceSMS API Integration in Saudi Arabia| Best SMS API Service
SMS API Integration in Saudi Arabia| Best SMS API Service
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
Empowering Growth with Best Software Development Company in Noida - Deuglo
Empowering Growth with Best Software  Development Company in Noida - DeugloEmpowering Growth with Best Software  Development Company in Noida - Deuglo
Empowering Growth with Best Software Development Company in Noida - Deuglo
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
Requirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional SafetyRequirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional Safety
 

SPDX 2.0: introduction

  • 1. 1Copyright Linux Foundation 2015 (CC-BY-3.0) SPDX 2.0 summary of the changes
  • 2. 2 SPDX® 2.0 - what’s new? ▪ Multiple packages can now be described in a single SPDX document. ▪ Relationships between packages, files, and external SPDX documents, can now be described. ▪ Annotations can be provided on any specific element in an SPDX document. ▪ Additional file types & checksum algorithms are now supported. ▪ Download location information has been expanded. ▪ A new license expression syntax has been introduced with improved license matching guidelines. ▪ License exceptions are separate section in license list.
  • 3. 3 SPDX® 2.0 - what’s changed from 1.2? ▪ Review Information section replaced by Annotations. ▪ now able to provide specific information on file, package or document level. ▪ Document and Creation Information sections merged into a single section. ▪ all fields from 1.2 remain, just regrouped, and some additional ones added.
  • 4. 4 SPDX® 2.0 - what’s the same as 1.2? ▪ Most of it! ▪ Approx 90% of the fields are basically the same as in 1.2 (42/46). ▪ The 4 deprecated fields have been replaced with more generalized support. ▪ Still can refer to licenses not on SPDX License List ▪ more licenses added to SPDX License List (from Fedora “good” list). ▪ Same basic file formats supported ▪ Tag:Value ▪ RDF/XML ▪ translation to spreadsheets
  • 5. 5 Package Information The SPDX Document SPDX v1.2 File SPDX v2.0 File Creation Information Package Information Other Licensing Information Other Licensing Information Other Licensing Information File Information Other Licensing Information Review Information Document Creation Information Package Information Other Licensing InformationOther Licensing Information Other Licensing InformationFile Information Other Licensing Information Annotations Other Licensing InformationRelationships
  • 6. 6 Document and Creation Information ▪ SPDX Version (used in creation of SPDX file) ▪ Licensing of meta data ▪ SPDX Identifier for the document itself ▪ Name of this Document ▪ SPDX Document Namespace (URI) ▪ External SPDX Doc References ▪ License List Version ▪ Creator (how was the file created) ▪ Manual review (who, when) ▪ Tool (id, version, when) ▪ When was it created ▪ Comments on creator and document itself
  • 7. 7 Package Information ▪ Identification ▪ Formal Name of Package (Full name given by originator and version information) ▪ SPDX Identifier (unique ID for referencing from elsewhere) ▪ Package File Name (Name package obtained under (.tar, .rpm, etc.)) ▪ Package Supplier and Originator ▪ Package Download Location (download URL and repository information ) ▪ Package Verification Code and Checksum (SHA1, MD5, SHA256) ▪ Package Homepage and Source Information ▪ Licensing for Package ▪ Declared License- License(s) that has/have been asserted for the package ▪ Concluded License- License that Creator has concluded ▪ List of file licenses ▪ Comments Field (for example, to explain conclusion) ▪ Copyright Text ▪ Description of Package (summary and detailed options) and comments about the package
  • 8. 8 File Information ▪ Identification ▪ File Name ▪ SPDX Identifier (for referencing from elsewhere) ▪ File Type (source, binary, archive,application,audio,image,text,video,documentation,spdx) ▪ Artifact of Project Name, Homepage & URI (project it came from) ▪ File Checksum (SHA1, MD5, SHA256) ▪ Licensing for File ▪ Concluded License (license determined by SPDX file creator) ▪ License Information in File ▪ Comments on License ▪ Copyright Text ▪ File Notices ▪ File Contributor ▪ File Dependencies ▪ File Comments
9
Other Licensing Information
Provides a way to identify licenses not on the SPDX License List
▪ Identifier Assigned (unique short form to this document)
▪ Extracted Text
▪ Name of License
▪ Cross References
▪ Comments
10
Relationships
▪ Each SPDX Document has a unique identifier
▪ Elements within a document have an identifier unique to the SPDX document (e.g. Document itself, Package, File & License)
▪ Elements in external documents are referenced using the external document ID followed by the local unique reference.

Example (two documents):
  SPDX Document A
    …
    SPDXRef-DOCUMENT
    …
    File Name: ./abc/def
    SPDXID: SPDXRef-201
    …
  SPDX Document B
    …
    ExternalDocumentRef: DocumentRef-A
    …
    DocumentRef-A:SPDXRef-DOCUMENT
    …
    DocumentRef-A:SPDXRef-201
    …
11
Review Information
▪ Reviewer
▪ Review Date
▪ Review Comment
REPLACED BY Annotations
12
Annotations
▪ Annotation allows for comments on any SPDX file, package or document.
▪ Annotations can provide a changelog for any changes made to that file, package, or document (as appropriate).
▪ Annotations contain:
  ▪ annotator (the person, company, or tool which provided the annotation)
  ▪ date the annotation was made
  ▪ type of annotation (review or other)
  ▪ SPDX identifier reference (element the annotation refers to)
  ▪ comments
13
Matching Guidelines and templates
▪ License Matching Guidelines
  ▪ For matching licenses and license exceptions against those included on the SPDX License List
  ▪ http://spdx.org/spdx-license-list/matching-guidelines
▪ License templates
  ▪ Denotes text which is omittable or replaceable per the license matching guidelines
  ▪ Markup included in .txt files at http://git.spdx.org/?p=license-list.git;a=summary and (will be) illustrated via colored text on the spdx.org/licenses HTML pages
14
License Expression Syntax
▪ Enabling more complex licensing scenarios using operators: + WITH AND OR
  ▪ Licenses with “or later” option: were listed as separate licenses; now can use the + operator
  ▪ License exceptions: were listed as separate licenses; now on a separate list, enabling more combinations using the WITH operator
  ▪ As a result, some licenses were deprecated (will be denoted on the SPDX License List and maintained for compatibility purposes)
  ▪ AND for conjunctive license sets; OR for disjunctive license sets
  ▪ Can be used with ( ) to create more complex expressions
▪ License Expression Syntax is located in an Appendix to the spec
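The operators above form a small grammar, and a consumer that wants to enforce a license policy on an SBOM has to parse it rather than string-match, because OR gives the consumer a choice while AND does not. The following is an added Python example, not code from the slides or from the SPDX tools: a recursive-descent parser with the precedence + > WITH > AND > OR and parentheses for grouping, a canonical renderer, and a policy check against an allow-list of simple expressions (the allow-list semantics are this example's own construction, not part of the spec):

```python
import re
from typing import Set, Tuple

# AST shapes used below (constructed for this example):
#   ("LICENSE", "GPL-2.0", True)  -> GPL-2.0+   (True means "or later")
#   ("WITH", <LICENSE node>, "Classpath-exception-2.0"), ("AND", l, r), ("OR", l, r)
KEYWORDS = {"AND", "OR", "WITH"}
# idstring per the spec appendix: letters, digits, '-' and '.', optional DocumentRef-/LicenseRef- prefixes
IDENT = re.compile(r"^(DocumentRef-[A-Za-z0-9.\-]+:)?(LicenseRef-)?[A-Za-z0-9.\-]+\+?$")
TOKEN = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive descent with precedence + > WITH > AND > OR; parentheses group."""

    def __init__(self, text: str) -> None:
        self.tokens = TOKEN.findall(text)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Tuple:
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self) -> Tuple:
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node

    def parse_and(self) -> Tuple:
        node = self.parse_with()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_with())
        return node

    def parse_with(self) -> Tuple:
        node = self.parse_primary()
        if self.peek() == "WITH":
            self.take()
            exc = self.take()
            if exc is None or exc in KEYWORDS or exc.endswith("+") or not IDENT.match(exc):
                raise ValueError("WITH must be followed by a license exception id")
            if node[0] != "LICENSE":
                raise ValueError("WITH applies to a single license, not a parenthesised group")
            node = ("WITH", node, exc)
        return node

    def parse_primary(self) -> Tuple:
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in KEYWORDS or not IDENT.match(tok):
            raise ValueError(f"expected a license identifier, got {tok!r}")
        return ("LICENSE", tok.rstrip("+"), tok.endswith("+"))


def parse_license_expression(text: str) -> Tuple:
    return _Parser(text).parse()


def render(node: Tuple) -> str:
    """Canonical text for a node; compound nodes are fully parenthesised."""
    kind = node[0]
    if kind == "LICENSE":
        return node[1] + ("+" if node[2] else "")
    if kind == "WITH":
        return f"{render(node[1])} WITH {node[2]}"
    return f"({render(node[1])} {kind} {render(node[2])})"


def acceptable(node: Tuple, allowed: Set[str]) -> bool:
    """Policy check against an allow-list of simple expressions such as 'MIT' or
    'GPL-2.0+ WITH Classpath-exception-2.0': OR lets the consumer pick any
    acceptable branch, AND requires every branch to be acceptable."""
    kind = node[0]
    if kind == "OR":
        return acceptable(node[1], allowed) or acceptable(node[2], allowed)
    if kind == "AND":
        return acceptable(node[1], allowed) and acceptable(node[2], allowed)
    return render(node) in allowed
```

Malformed input (a dangling operator, an unbalanced parenthesis, a keyword where an identifier is expected) raises ValueError rather than being silently accepted, which is the behaviour you want in a pipeline that gates on license data it did not produce itself.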
15
SPDX® 2.0 - Model Overview
▪ Result of merging two model proposals
▪ Designed to support all of the proposed use cases for 2.0 (and then some)
▪ Contains several new “abstractions” to allow for future extensions
▪ Available in the spec and at http://wiki.spdx.org/view/Technical_Team/Model_2_0
16
RDF Overview
▪ What?
  ▪ Resource Description Framework - standard for encoding data for the Semantic Web
▪ Why?
  ▪ Precise
  ▪ Widely adopted
  ▪ Web based standard
  ▪ Support for “reasoning”
17
SPDX 2.0 RDF Changes
▪ Additional classes and properties to match the SPDX 2.0 model
▪ Use of the SPDX document namespace to uniquely identify all SPDX elements in the document
  ▪ All documents will have a unique URI for a namespace
  ▪ All elements will have a URI of the form namespace + #ElementID
18
RDF and Tag:Value
▪ Tools to translate both ways
▪ Common names for “most” of the properties
  ▪ Exceptions for enumeration values which must be unique in RDF (e.g. annotationType_review = REVIEW)
▪ Document Namespace tag key to URI
19
Notes for Implementers
▪ Careful of the infinite recursion of Relationships
▪ External Document References are key to building URIs for external documents
▪ Leverage existing implementations (git.linuxfoundation.org)
▪ The RDF schema can be found at http://spdx.org/rdf/ontology/spdx-2-0-rev-11/
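One worked example covers the reference scheme on slide 10 (DocumentRef-A:SPDXRef-201), the namespace + #ElementID URI rule on slide 17 and both implementer warnings above: external document references as the key to building URIs, and a relationship walk that cannot recurse forever. This is added Python, not code from the slides or from the SPDX tools. The two documents, the example.invalid namespaces and the all-zero SHA1 are constructed placeholders, relationship types are written in Tag:Value spelling (CONTAINS, CONTAINED_BY, DESCENDANT_OF, FILE_MODIFIED), and the reader handles single-line tags only (no multi-line text blocks):

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample documents following the slide 10 pattern; namespaces and the
# SHA1 are placeholders. Document B describes a modified copy of Document A's package.
DOC_A = """\
SPDXID: SPDXRef-DOCUMENT
DocumentNamespace: http://example.invalid/spdx/libA-1.0
PackageName: libA
SPDXID: SPDXRef-Package
FileName: ./abc/def
SPDXID: SPDXRef-201
Relationship: SPDXRef-Package CONTAINS SPDXRef-201
"""

DOC_B = """\
SPDXID: SPDXRef-DOCUMENT
DocumentNamespace: http://example.invalid/spdx/libA-1.1
ExternalDocumentRef: DocumentRef-A http://example.invalid/spdx/libA-1.0 SHA1: 0000000000000000000000000000000000000000
PackageName: libA
SPDXID: SPDXRef-Package
FileName: ./abc/def
SPDXID: SPDXRef-201
Relationship: SPDXRef-Package DESCENDANT_OF DocumentRef-A:SPDXRef-Package
Relationship: SPDXRef-201 FILE_MODIFIED DocumentRef-A:SPDXRef-201
Relationship: SPDXRef-Package CONTAINS SPDXRef-201
Relationship: SPDXRef-201 CONTAINED_BY SPDXRef-Package
"""

TAG_LINE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
REL_LINE = re.compile(r"^(\S+)\s+([A-Z_]+)\s+(\S+)$")
EXT_REF = re.compile(r"^(DocumentRef-[A-Za-z0-9.\-]+)\s+(\S+)\s+SHA1:\s*([0-9a-fA-F]{40})$")


@dataclass
class SpdxDoc:
    namespace: str = ""
    element_ids: Set[str] = field(default_factory=set)
    external: Dict[str, str] = field(default_factory=dict)  # DocumentRef-X -> its namespace
    relationships: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_tag_value(text: str) -> SpdxDoc:
    """Single-line Tag:Value reader for the fields that reference resolution needs."""
    doc = SpdxDoc()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Tag: Value line")
        tag, value = m.groups()
        if tag == "DocumentNamespace":
            doc.namespace = value
        elif tag == "SPDXID":
            if value in doc.element_ids:  # identifiers are unique within one document
                raise ValueError(f"line {lineno}: duplicate SPDXID {value}")
            doc.element_ids.add(value)
        elif tag == "ExternalDocumentRef":
            r = EXT_REF.match(value)
            if not r:
                raise ValueError(f"line {lineno}: malformed ExternalDocumentRef")
            doc.external[r.group(1)] = r.group(2)
        elif tag == "Relationship":
            r = REL_LINE.match(value)
            if not r:
                raise ValueError(f"line {lineno}: malformed Relationship")
            doc.relationships.append((r.group(1), r.group(2), r.group(3)))
    return doc


def element_uri(doc: SpdxDoc, ref: str) -> Optional[str]:
    """RDF URI of an element (namespace + '#' + id). DocumentRef-A:SPDXRef-201 style
    references resolve through the ExternalDocumentRef table. None if unresolvable."""
    if ":" in ref:
        docref, local = ref.split(":", 1)
        ns = doc.external.get(docref)
        return f"{ns}#{local}" if ns else None
    return f"{doc.namespace}#{ref}" if ref in doc.element_ids else None


def dangling_references(doc: SpdxDoc) -> List[str]:
    """Relationship endpoints that resolve to nothing, i.e. broken supply-chain links."""
    return [ref for a, _, b in doc.relationships for ref in (a, b) if element_uri(doc, ref) is None]


def reachable(doc: SpdxDoc, start: str) -> List[str]:
    """Elements reachable from start over relationships, each visited once. The seen-set
    is the guard against infinite recursion: CONTAINS/CONTAINED_BY pairs form a cycle."""
    graph = defaultdict(list)
    for a, _, b in doc.relationships:
        graph[a].append(b)
    seen, order, stack = set(), [], [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        stack.extend(reversed(graph[node]))
    return order
```

Resolving DocumentRef-A:SPDXRef-201 in document B yields the same URI that SPDXRef-201 has inside document A, which is exactly the property that lets two independently produced documents be joined into one graph; the SHA1 carried by ExternalDocumentRef is what a consumer should compare against the referenced document before trusting that join.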
20
How to Provide Feedback
▪ Add a Comment or Question on the draft working document:
  ▪ use this for typos/format errors/etc.
▪ Open a bug on the SPDX spec
  ▪ https://bugs.linuxfoundation.org/enter_bug.cgi?product=spdx
  ▪ use this for issues that might be showstoppers and things to consider for the next release. Set the target release to 2.0. We review these weekly.
▪ Send email to the spdx-legal mail list
  ▪ https://lists.spdx.org/mailman/listinfo/spdx-legal
  ▪ use this for queries about the licenses or issues related to the SPDX License List.
▪ Send email to the spdx-tech mail list
  ▪ https://lists.spdx.org/mailman/listinfo/spdx-tech
  ▪ use this for general queries about the spec that don’t fit into the other channels.
21
QUESTIONS? Thank you!
23
SPDX® 2.0 - How? Reworking the Underlying Model
24
SPDX handles Package Relationships
(Diagram: the packages Apache MQ, Jetty Web Container and javax.servlet, each described by its own SPDX Doc, linked by “contains” and “contained by” relationships.)
25
SPDX Elements - the fundamentals
27
The Big (and complex) Picture
28
SPDX® 2.0 - Why? Key Use Cases to Support
29
Relationship Use Cases
Binary only delivery
• SPDX for the binary points to the SPDX doc for the code used to build it (generatedFrom)
• SPDX for the binary points to the SPDX doc for a library it links with at run time (dynamicLink)
(Diagram: Binary SPDX → Source SPDX, labelled generatedFrom; Binary SPDX → Library SPDX, labelled dynamicLink.)
30
Relationship Use Cases
More precise description of the “bits”
• Instead of a single SPDX file with “the kitchen sink”, or multiple ones that must have a document to say what they are, we can now be more precise and have the docs refer to themselves
(Diagram: Application SPDX; Source SPDX (License: BSD-3-Clause); Binary SPDX (License: BSD-3-Clause); Documents SPDX (License: CC-BY-3.0); Test Sftw SPDX (License: MIT). Relationship labels: describes, generatedFrom, testCaseOf.)
31
Relationship Use Cases
Supply Chains
• Changes can be tracked as software moves through a supply chain
• Entity A gives a library, libA, to Entity B
• Entity B makes changes to libA and describes those changes with a new SPDX doc that refers to the original one.
(Diagram: libA SPDX (Entity A) and New libA SPDX (Entity B), linked by descendantOf (package to package relationship) and by fileAdded, fileModified, fileRemoved (file to package relationship).)
32
Resources for SPDX®
▪ Open Source Tools (hosted on the SPDX Git Repo)
  ▪ Viewer
  ▪ Spreadsheet to RDF/Tag Value xlator
  ▪ RDF/Tag Value to Spreadsheet xlator
  ▪ License file generator (from Spreadsheet)
  ▪ Spreadsheet template
▪ FOSSology via University of Nebraska Omaha
▪ Commercial Tools
  ▪ Scanning tools to provide SPDX® support
▪ http://spdx.org/
33
Getting involved…
▪ See:
  ▪ http://www.spdx.org
  ▪ Mailing lists, meetings, wiki
▪ Contact:
  ▪ Phil Odence (Chair) - podence@blackducksoftware.com
  ▪ Kate Stewart (Tech Team Chair) - stewart@linux.com
  ▪ Gary O’Neal (Tools Lead) - gary@sourceauditor.com
  ▪ Jilayne Lovejoy (Legal Team Co-Chair) - opensource@jilayne.com
  ▪ Paul Maddick (Legal Team Co-Chair) - paul.madick@hp.com
  ▪ Jack Manbeck (Business Team Co-Chair) - j-manbeck2@ti.com
  ▪ Mikael Söderberg (Business Team Co-Chair) - mikael.soderberg@pelagicore.com