Evolving Standards for License Data
Industry News, April 27th, 2010
Phil Odence, Vice President of Business Development
podence@blackducksoftware.com
In her opening remarks at last week’s Linux Foundation Collaboration Summit, Karen Copenhaver, counsel for the Linux Foundation, made some great observations about how rapidly the industry’s views on open source legal issues are evolving. Only two years ago, she noted, a typical company developing software was trying to work out the minimum compliance it could get away with; today the question is how to practically do the right thing. With many organizations now wrestling with this issue, they have naturally begun to exchange best practices, and this has spawned a standardization effort.
I co-chair the FOSSBazaar SPDX (Software Package Data Exchange) Working Group. FOSSBazaar, part of the Linux Foundation, is a forum for exchanging ideas about managing open source. The SPDX group is, in essence, defining a standard way for companies to share license and copyright information about the software packages they exchange.
Spearheading the work is my co-chair Kate Stewart from Freescale, a semiconductor manufacturer. It’s not surprising that the impetus comes from a company that sits in the middle of the supply chain, as they are getting it from both sides, if you will. As a consumer in the supply chain, they need to understand exactly what software they’re getting from multiple sources, how it’s licensed and what the associated obligations are. As a supplier, they are being asked for a mix of different information in multiple different forms. Frustrated by the redundant work she knew was going on across multiple organizations, and by the inherent inefficiencies, Kate came up with the idea of a data standard. At last fall’s LinuxCon, she stepped up on her soapbox for anyone who would listen (I being one), and out of that grew SPDX.
SPDX has the potential to provide the classic value of a community: working collectively to make everyone’s life a little easier. There is active participation from HP, TI, Motorola, Red Hat and others. We’re working on the first draft of a spec that identifies a package, its licensing and copyright, and the licensing and copyright of each of its constituent files. The effort is fraught with subtle issues, but once the group slogs through them, it will be far easier for those who follow. We expect to put up an FYI website shortly, and I’ll report back here on our progress.