SPDX and LF's Open Compliance Program

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit Linux Foundation's Open Compliance Program for current information and activities.

podence's picture

The SPDX Group is incredibly pleased to have the specification adopted as one of the key elements of the Linux Foundation’s Open Compliance Program. The Foundation has been supportive from the outset, but this is a huge step beyond. It was at LinuxCon in the fall of 2009 that I first met Kate Stewart chirping about for other birds of her feather, folks who shared the pain and were up for tackling the industry problem of exchanging package data. A number of us expressed interest, but it was Jim Zemlin and the Linux Foundation that gave the effort the home it needed as part of FOSSBazaar.


This week the Linux Foundation announces the Open Compliance Program. The inclusion of SPDX is an incredible vote of support for our work. At the same time we are proud to know that the program too benefits greatly from incorporating a standard for which there is so clearly a need. I’ve always been a trusting soul, believing that by and large companies want to follow the rules. But it’s hard to do the right thing when the right thing is so hard to do. The Open Compliance Program makes it easier for everyone to follow the rules, and SPDX in particular deals with some of the gnarliest issues around license compliance.


Our original goal was to have a spec ready for public consumption in Q4 of this year. The adoption of SPDX into the compliance program put the pressure on to have something in place by this week. The team did an incredible job shifting into high gear to produce a very solid beta release of the specification. There remains plenty of work to do before V1.0 is ready for prime time in the fall. We are eager for feedback and encourage anyone involved with managing open source licensing information to look it over and give it a try. If you want to roll up your sleeves and participate, just create an account and start exploring the Participation section. “Given enough eyeballs…” as they say.

Comment on the file format specification

One observation on the specifications contained within this document is that there is a tremendous amount of detail regarding the individual parts but nothing that puts them all together in one form. There is a data model on page 38 but this is really part of the semantic implementation for compliance tools.

For a document that specifies a file format (i.e., syntax), a grammar in BNF is required to complete the file format formal definition. The document already contains all of the leaf sub-trees of the grammar. The requested addition should not require a major investment in time or effort.


Louay Gammo

Louay, Submitting a bug


Submitting a bug against the spec is probably the best way to get a formal grammar added to the spec.

The SPDX RDF model and serializations are, I think, fairly clearly specified. If you find the RDF/XML format (or other RDF serialization format such as Turtle) acceptable, you might consider using that.