https://wiki.spdx.org/api.php?action=feedcontributions&feedformat=atom&user=JNWSPDX Wiki - User contributions [en]2026-05-07T12:28:58ZUser contributionsMediaWiki 1.23.13https://wiki.spdx.org/view/SPDX_FAQSPDX FAQ2011-06-16T15:25:21Z<p>JNW: typo</p>
<hr />
<div><p>The following FAQ covers questions about the SPDX specification and organization.</p><ul><li>What is the SPDX Specification?<ul><li>The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included.&nbsp; The specification defines a common file format to communicate this information.</li></ul></li></ul><ul><li>Who do you expect to use the SPDX Specification?<ul><li>The specification is designed for use by participants in the software supply chain.&nbsp; Some potential use cases for the spec:<ul><li>Developers of open source projects could provide an SPDX file to users of that project</li><li>Linux distros could require upstream projects that are included in the distro to provide an SPDX file</li><li>Developers of software that includes a Linux distro or open source project could provide an SPDX file to their users or customers</li><li>In the mobile industry, chipset providers, mobile providers and carriers could exchange SPDX files as software moves through the supply chain</li></ul></li></ul></li></ul><ul><li>Am I required to use the SPDX specification?<ul><li>The SPDX organization does not and can not make it a requirement for anyone to use the SPDX specification.&nbsp; However, we do encourage the use of SPDX as a way to streamline the processes needed to analyze software for open source licenses.&nbsp; However, there may be companies or organizations that DO require use of the SPDX specification and the creation of SPDX files as part of contracts with their supply chain partners.&nbsp; For example, a mobile handset vendor might require, as part of a contract, that it's supplier provide an SPDX file along with any software.</li></ul></li></ul><ul><li>Is an SPDX file assoociated with a particular piece of software?<ul><li>Yes.&nbsp; An SPDX file is associated with a piece of software.&nbsp; When any changes are made to that piece of software, the SPDX file will need to be changed as well to correspond.&nbsp; So, for example, when a new version of a piece of software is released, the SPDX file associated with it would need to be updated.&nbsp; </li></ul></li></ul><ul><li>What information is included in an SPDX file?<ul><li>Review the SPDX spec for complete details, but at a high level, the SPDX file contains information about each and every file that is included in a particular piece of software.&nbsp; The information in the SPDX file indicates what license (if any) is associated with that file.&nbsp; It may also include information about what open source project or component that file originated from.&nbsp; </li></ul></li></ul><ul><li>How do I know if the information included in the SPDX file is accurate?<ul><li>There are several ways to assess the level of trust in an SPDX file.<ul><li>&nbsp;Each SPDX file includes a history of who created and reviewed the information -- similar to what you would see for authors of open source code.&nbsp; By reviewing that information, you can make your own assessement of the level of trust you place in the creators.&nbsp; </li><li>In cases where you receive the SPDX file from a suppliy chain partner, you may also have separate contractual arrangements whereby a supplier is vouching for or guaranteeing the accuracy of the SPDX file.&nbsp;</li><li>You may choose to use software tools that can scan software and validate the accuracy of the SPDX file.</li><li>You can review the software yourself and compare what you find to the contents of the SPDX file.</li></ul></li></ul></li></ul><ul><li>Are their tools available that can help me create, validate or read an SPDX file?<ul><li>The SPDX organization is working to create tools that help create, validate or read SPDX files.&nbsp; In addition, we expect that both open source and proprietary tools will be created to help with these tasks.&nbsp; See the Tools page for more information.</li></ul></li></ul><ul><li>Who created the SPDX spec?<ul><li>The specification is being created by a working group of the Linux Foundation.&nbsp; Its members represent a wide spectrum of open source creators and consumers, including open source communities, Linux distros, mobile supply chain companies, software companies, makers of open source scanning tools and service providers.&nbsp; The process is an open process, run much like an open source community, and the group is open for anyone that wants to participate.&nbsp; Membership in the Linux Foundation is not required to participate.</li></ul></li><li>How do we handle non-OSS licenses?</li><li>How does SPDX work with binaries?</li><li>How does SPDX work with sub-archives?</li><li>Need explanations of compound licensing?</li><li>Specify what things aren't included yet</li></ul></div>JNW