THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "SPDX FAQ"

Revision as of 23:56, 15 August 2011

 

FAQ Sections

General - Kim

-- about the spec and org

Using the SPDX Spec - Mark Gisi

-how to get started, how to use license fields, handling binaries and archives, creator/reviewer fields, license of spec and data in SPDX, using the TM

Licenses - Jilayne

-what is the standard license list, why does it exist, why aren't certain licenses there, how to handle license variations, dealing with non-standard licenses, how to request adding a license to the standard list

Tools - Kirsten with help from Gary

-what the tools are, how to use, license they are under, contributing to, reporting bugs, steal info from the doc

Technical Details - Kate

-Using Tag value vs RDF, Resources for learning more

 

 

General

  • What is the SPDX Specification?
    • The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included.  The specification defines a common file format to communicate this information.
  • Who do you expect to use the SPDX Specification?
    • The specification is designed for use by participants in the software supply chain.  Some potential use cases for the spec:
      • Developers of open source projects could provide an SPDX file to users of that project
      • Linux distros could require upstream projects that are included in the distro to provide an SPDX file
      • Developers of software that includes a Linux distro or open source project could provide an SPDX file to their users or customers
      • In the mobile industry, chipset providers, mobile providers and carriers could exchange SPDX files as software moves through the supply chain
  • Am I required to use the SPDX specification?
    • The SPDX organization does not and cannot require anyone to use the SPDX specification.  We do encourage its use as a way to streamline the processes needed to analyze software for open source licenses.  However, there may be companies or organizations that DO require use of the SPDX specification and the creation of SPDX files as part of contracts with their supply chain partners.  For example, a mobile handset vendor might require, as part of a contract, that its supplier provide an SPDX file along with any software.
  • Who created the SPDX spec?
    • The specification is being created by a working group of the Linux Foundation.  Its members represent a wide spectrum of open source creators and consumers, including open source communities, Linux distros, mobile supply chain companies, software companies, makers of open source scanning tools and service providers.  The process is an open process, run much like an open source community, and the group is open for anyone that wants to participate.  Membership in the Linux Foundation is not required to participate.

Using the SPDX Spec

  • Is an SPDX file associated with a particular version of software?
    • Yes.  An SPDX file is associated with a specific version of software.  When any changes are made to the software, the SPDX file will need to be changed to reflect any changes to the licenses of the respective files.  So, for example, when a new version of a piece of software is released, the SPDX file associated with it would need to be updated to reflect any changes or additions to licensing. 
  • What information is included in an SPDX file?
    • We refer you to the SPDX specification for complete details, but at a high level, the SPDX file contains license information about each file that is included in a particular piece of software.  For example, the information in the SPDX file indicates what license (if any) is associated with each file.  It may also include information about what open source project or component that file originated from. 
  • How do I know if the information included in the SPDX file is accurate?
    • There are several ways to assess the level of trust in an SPDX file.
      • Each SPDX file includes a history of who created and reviewed the information -- similar to what you would see for authors of open source code.  By reviewing that information, you can make your own assessment of the level of trust you place in the creators.  Keep in mind that the creator and reviewer entries are ordinary fields inside the SPDX file itself: they record who claims to have produced and reviewed it, not that the file reached you unaltered, so the integrity of the file rests on the channel you received it through.
      • In cases where you receive the SPDX file from a supply chain partner, you may also have separate contractual arrangements whereby the supplier vouches for or guarantees the accuracy of the SPDX file.
      • You may choose to use software tools that can scan software and validate the accuracy of the SPDX file.
      • You can review the software yourself and compare what you find to the contents of the SPDX file.
  • How do we handle non-OSS licenses?
  • How does SPDX work with binaries?
  • How does SPDX work with sub-archives?
  • Need explanations of compound licensing?
  • Specify what things aren't included yet

Licenses (i.e. the SPDX License List)

  • What is the SPDX License List?
    • The SPDX License List is a list of well known, commonly used open source software licenses, including all Open Source Initiative (OSI) approved licenses.  The list includes the following fields for each license:
      • The full name of the license
      • A short identifier for use in an SPDX file
      • A URL for where the original license can be found
      • Any relevant notes about the license (such as whether it has since been deprecated, or its relationship to other licenses)
      • The license text itself
  • Why does it exist?
    • The purpose of the SPDX License List is to provide short identifiers for popular and common licenses.  The full license text associated with each license on the SPDX License List will have a unique, permanent URL on the SPDX.org website.  Being able to refer to licenses via the short form identifier reduces the SPDX file size and allows for unambiguous license identification.
  • How do I identify licenses not on the SPDX License List?
    • The SPDX specification includes a way to identify and include open source licenses that are not on the SPDX License List.  In this case, a short form identifier for the license is created and the full text of the license included in the SPDX file.
  • Why are some licenses I've heard of included on the list and some not?
    • The primary purpose of the list is to provide a short form identifier for common or popular open source software licenses.  To create this list, the SPDX legal work group included all the OSI approved licenses and any other license members of the work group had experience with "in the wild."  All versions (even if since deprecated) of these licenses were also included.  It was always contemplated that the list would grow over time, so the initial goal was to provide a sensible starting point such that the most commonly found licenses would have a short identifier.
  • How do I request that a license be added to the SPDX License List?
  • What if I find a license or license variation that is not on the SPDX License List - how do I identify that license?
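
The two answers above that a practitioner can act on directly are "compare what you find in the software to the contents of the SPDX file" (under "How do I know if the information included in the SPDX file is accurate?") and "a short form identifier is created and the full text of the license is included in the SPDX file" (under "How do I identify licenses not on the SPDX License List?").  The script below is an added example written for this FAQ; it is not code from the SPDX wiki or from the SPDX project's own tools.  It reads a document in the tag/value form mentioned under Technical Details, recomputes the SHA1 of every file the document describes and compares it with the recorded FileChecksum, reports files present on disk that the document never mentions, and checks that every LicenseRef identifier used by a file has its full text supplied in an ExtractedText field.  The tag names (FileName, FileChecksum, LicenseConcluded, LicenseInfoInFile, LicenseID, ExtractedText, Creator, Reviewer) follow the SPDX 1.0 tag/value syntax as this example's author understands it; the sample document and the source tree it describes are constructed inline so the example runs offline.

```python
"""Added example, not from the SPDX wiki or the SPDX project: check an SPDX
tag/value document against the source tree it describes.  Tag names follow the
SPDX 1.0 tag/value syntax; the sample document and tree below are constructed."""
import hashlib, pathlib, re, tempfile

SAMPLE_TEMPLATE = """\
SPDXVersion: SPDX-1.0
Creator: Person: Example Maintainer
Created: 2011-08-15T23:56:00Z
Reviewer: Person: Example Reviewer
FileName: ./src/main.c
FileChecksum: SHA1: {main_sha1}
LicenseConcluded: MIT
LicenseInfoInFile: MIT
FileName: ./src/vendored.c
FileChecksum: SHA1: {vendored_sha1}
LicenseConcluded: (MIT OR LicenseRef-1)
LicenseInfoInFile: LicenseRef-1
LicenseID: LicenseRef-1
ExtractedText: <text>Permission is granted to use this file for any purpose,
provided this notice is retained.</text>
"""
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_tag_value(text):
    """Return (header, files, licenses): header holds (tag, value) pairs seen before the
    first FileName; each file dict maps a tag to a list (tags may repeat); LicenseRef -> text."""
    header, files, licenses = [], [], {}
    current = license_id = None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = TAG_RE.match(lines[i])
        i += 1
        if not m:
            continue
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>"):  # <text>...</text> may span several lines
            parts = [value[6:]]
            while "</text>" not in parts[-1] and i < len(lines):
                parts.append(lines[i])
                i += 1
            value = "\n".join(parts).split("</text>")[0]
        if tag == "FileName":
            current = {"FileName": value}
            files.append(current)
        elif tag == "LicenseID":
            current, license_id = None, value
        elif tag == "ExtractedText" and license_id:
            licenses[license_id] = value
        elif current is not None:
            current.setdefault(tag, []).append(value)
        else:
            header.append((tag, value))
    return header, files, licenses

def license_ids(expr):
    """Identifiers in a possibly compound expression such as '(MIT OR LicenseRef-1)'."""
    return [t for t in re.split(r"[()\s]+", expr) if t and t not in ("AND", "OR", "NONE", "NOASSERTION")]

def sha1_of(path):
    return hashlib.sha1(pathlib.Path(path).read_bytes()).hexdigest()

def verify(spdx_text, root):
    """Compare the document with the tree at root; returns sorted finding strings."""
    root = pathlib.Path(root)
    _, files, licenses = parse_tag_value(spdx_text)
    findings, described = set(), set()
    for f in files:
        name = f["FileName"]
        rel = name[2:] if name.startswith("./") else name
        described.add(rel)
        checksum = f.get("FileChecksum", [""])[0]
        if not (root / rel).is_file():
            findings.add(f"missing-on-disk: {name}")
        elif not checksum.startswith("SHA1:") or sha1_of(root / rel) != checksum[5:].strip().lower():
            findings.add(f"checksum-mismatch: {name}")
        # A LicenseRef is only usable if the document also carries the license text.
        for expr in f.get("LicenseConcluded", []) + f.get("LicenseInfoInFile", []):
            for lic in license_ids(expr):
                if lic.startswith("LicenseRef-") and lic not in licenses:
                    findings.add(f"undefined-license: {name} uses {lic}")
    for p in root.rglob("*"):  # a file the document never mentions has no license data at all
        if p.is_file() and p.relative_to(root).as_posix() not in described:
            findings.add(f"not-in-spdx: ./{p.relative_to(root).as_posix()}")
    return sorted(findings)

def build_sample_tree(tamper=False):
    """Write the constructed tree to a temp dir and return (root, spdx_text);
    with tamper=True the tree is changed after the document was generated."""
    src = pathlib.Path(tempfile.mkdtemp(prefix="spdx-example-")) / "src"
    src.mkdir()
    (src / "main.c").write_text("int main(void) { return 0; }\n")
    (src / "vendored.c").write_text("/* third-party helper */\nint helper(void) { return 1; }\n")
    spdx = SAMPLE_TEMPLATE.format(main_sha1=sha1_of(src / "main.c"), vendored_sha1=sha1_of(src / "vendored.c"))
    if tamper:
        with (src / "vendored.c").open("a") as f:
            f.write("int extra(void) { return 2; }\n")
        (src / "undocumented.c").write_text("/* added after the SPDX file was written */\n")
    return src.parent, spdx
```

Calling `build_sample_tree()` and then `verify(spdx, root)` on the clean tree returns no findings; with `tamper=True` it reports the modified vendored.c as a checksum mismatch and the added undocumented.c as absent from the document, which is exactly the situation the "particular version of software" answer warns about.  Identifiers that do not start with LicenseRef- are assumed to be SPDX License List identifiers and are not checked against the list here, and the Creator and Reviewer values are only read back, not authenticated: the script tells you whether the document matches the software, not whether the document is the one your supplier sent.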

 

Tools

  • Are there tools available that can help me create, validate or read an SPDX file?
    • The SPDX organization is working to create tools that help create, validate or read SPDX files.  In addition, we expect that both open source and proprietary tools will be created to help with these tasks.  See the Tools page for more information.