THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "SPDX FAQ"

From SPDX Wiki
Jump to: navigation, search
(typo)
Line 1: Line 1:
<p>The following FAQ covers questions about the SPDX specification and organization.</p><ul><li>What is the SPDX Specification?<ul><li>The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included.&nbsp; The specification defines a common file format to communicate this information.</li></ul></li></ul><ul><li>Who do you expect to use the SPDX Specification?<ul><li>The specification is designed for use by participants in the software supply chain.&nbsp; Some potential use cases for the spec:<ul><li>Developers of open source projects could provide an SPDX file to users of that project</li><li>Linux distros could require upstream projects that are included in the distro to provide an SPDX file</li><li>Developers of software that includes a Linux distro or open source project could provide an SPDX file to their users or customers</li><li>In the mobile industry, chipset providers, mobile providers and carriers could exchange SPDX files as software moves through the supply chain</li></ul></li></ul></li></ul><ul><li>Am I required to use the SPDX specification?<ul><li>The SPDX organization does not and can not make it a requirement for anyone to use the SPDX specification.&nbsp; However, we do encourage the use of SPDX as a way to streamline the processes needed to analyze software for open source licenses.&nbsp; However, there may be companies or organizations that DO require use of the SPDX specification and the creation of SPDX files as part of contracts with their supply chain partners.&nbsp; For example, a mobile handset vendor might require, as part of a contract, that it's supplier provide an SPDX file along with any software.</li></ul></li></ul><ul><li>Is an SPDX file assoociated with a particular piece of software?<ul><li>Yes.&nbsp; An SPDX file is associated with a piece of software.&nbsp; When any changes are made to that piece of software, the SPDX file will need to be changed as well to correspond.&nbsp; So, for example, when a new version of a piece of software is released, the SPDX file associated with it would need to be updated.&nbsp; </li></ul></li></ul><ul><li>What information is included in an SPDX file?<ul><li>Review the SPDX spec for complete details, but at a high level, the SPDX file contains information about each and every file that is included in a particular piece of software.&nbsp; The information in the SPDX file indicates what license (if any) is associated with that file.&nbsp; It may also include information about what open source project or component that file originated from.&nbsp; </li></ul></li></ul><ul><li>How do I know if the information included in the SPDX file is accurate?<ul><li>There are several ways to assess the level of trust in an SPDX file.<ul><li>&nbsp;Each SPDX file includes a history of who created and reviewed the information -- similar to what you would see for authors of open source code.&nbsp; By reviewing that information, you can make your own assessement of the level of trust you place in the creators.&nbsp; </li><li>In cases where you receive the SPDX file from a suppliy chain partner, you may also have separate contractual arrangements whereby a supplier is vouching for or guaranteeing the accuracy of the SPDX file.&nbsp;</li><li>You may choose to use software tools that can scan software and validate the accuracy of the SPDX file.</li><li>You can review the software yourself and compare what you find to the contents of the SPDX file.</li></ul></li></ul></li></ul><ul><li>Are their tools available that can help me create, validate or read an SPDX file?<ul><li>The SPDX organization is working to create tools that help create, validate or read SPDX files.&nbsp; In addition, we expect that both open source and proprietary tools will be created to help with these tasks.&nbsp; See the Tools page for more information.</li></ul></li></ul><ul><li>Who created the SPDX spec?<ul><li>The specification is being created by a working group of the Linux Foundation.&nbsp; Its members represent a wide spectrum of open source creators and consumers, including open source communities, Linux distros, mobile supply chain companies, software companies, makers of open source scanning tools and service providers.&nbsp; The process is an open process, run much like an open source community, and the group is open for anyone that wants to participate.&nbsp; Membership in the Linux Foundation is not required to participate.</li></ul></li><li>How do we handle non-OSS licenses?</li><li>How does SPDX work with binaries?</li><li>How does SPDX work with sub-archives?</li><li>Need explanations of combound licensing?</li><li>Specify what things aren't included yet</li></ul>
+
<p>The following FAQ covers questions about the SPDX specification and organization.</p><ul><li>What is the SPDX Specification?<ul><li>The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included.&nbsp; The specification defines a common file format to communicate this information.</li></ul></li></ul><ul><li>Who do you expect to use the SPDX Specification?<ul><li>The specification is designed for use by participants in the software supply chain.&nbsp; Some potential use cases for the spec:<ul><li>Developers of open source projects could provide an SPDX file to users of that project</li><li>Linux distros could require upstream projects that are included in the distro to provide an SPDX file</li><li>Developers of software that includes a Linux distro or open source project could provide an SPDX file to their users or customers</li><li>In the mobile industry, chipset providers, mobile providers and carriers could exchange SPDX files as software moves through the supply chain</li></ul></li></ul></li></ul><ul><li>Am I required to use the SPDX specification?<ul><li>The SPDX organization does not and can not make it a requirement for anyone to use the SPDX specification.&nbsp; However, we do encourage the use of SPDX as a way to streamline the processes needed to analyze software for open source licenses.&nbsp; However, there may be companies or organizations that DO require use of the SPDX specification and the creation of SPDX files as part of contracts with their supply chain partners.&nbsp; For example, a mobile handset vendor might require, as part of a contract, that it's supplier provide an SPDX file along with any software.</li></ul></li></ul><ul><li>Is an SPDX file assoociated with a particular piece of software?<ul><li>Yes.&nbsp; An SPDX file is associated with a piece of software.&nbsp; When any changes are made to that piece of software, the SPDX file will need to be changed as well to correspond.&nbsp; So, for example, when a new version of a piece of software is released, the SPDX file associated with it would need to be updated.&nbsp; </li></ul></li></ul><ul><li>What information is included in an SPDX file?<ul><li>Review the SPDX spec for complete details, but at a high level, the SPDX file contains information about each and every file that is included in a particular piece of software.&nbsp; The information in the SPDX file indicates what license (if any) is associated with that file.&nbsp; It may also include information about what open source project or component that file originated from.&nbsp; </li></ul></li></ul><ul><li>How do I know if the information included in the SPDX file is accurate?<ul><li>There are several ways to assess the level of trust in an SPDX file.<ul><li>&nbsp;Each SPDX file includes a history of who created and reviewed the information -- similar to what you would see for authors of open source code.&nbsp; By reviewing that information, you can make your own assessement of the level of trust you place in the creators.&nbsp; </li><li>In cases where you receive the SPDX file from a suppliy chain partner, you may also have separate contractual arrangements whereby a supplier is vouching for or guaranteeing the accuracy of the SPDX file.&nbsp;</li><li>You may choose to use software tools that can scan software and validate the accuracy of the SPDX file.</li><li>You can review the software yourself and compare what you find to the contents of the SPDX file.</li></ul></li></ul></li></ul><ul><li>Are their tools available that can help me create, validate or read an SPDX file?<ul><li>The SPDX organization is working to create tools that help create, validate or read SPDX files.&nbsp; In addition, we expect that both open source and proprietary tools will be created to help with these tasks.&nbsp; See the Tools page for more information.</li></ul></li></ul><ul><li>Who created the SPDX spec?<ul><li>The specification is being created by a working group of the Linux Foundation.&nbsp; Its members represent a wide spectrum of open source creators and consumers, including open source communities, Linux distros, mobile supply chain companies, software companies, makers of open source scanning tools and service providers.&nbsp; The process is an open process, run much like an open source community, and the group is open for anyone that wants to participate.&nbsp; Membership in the Linux Foundation is not required to participate.</li></ul></li><li>How do we handle non-OSS licenses?</li><li>How does SPDX work with binaries?</li><li>How does SPDX work with sub-archives?</li><li>Need explanations of compound licensing?</li><li>Specify what things aren't included yet</li></ul>

Revision as of 15:25, 16 June 2011

The following FAQ covers questions about the SPDX specification and organization.

  • What is the SPDX Specification?
    • The SPDX Specification enables suppliers and consumers of software that contains open source code to provide a "bill of materials" that describes the open source licenses and components that are included.  The specification defines a common file format to communicate this information.
  • Who do you expect to use the SPDX Specification?
    • The specification is designed for use by participants in the software supply chain.  Some potential use cases for the spec:
      • Developers of open source projects could provide an SPDX file to users of that project
      • Linux distros could require upstream projects that are included in the distro to provide an SPDX file
      • Developers of software that includes a Linux distro or open source project could provide an SPDX file to their users or customers
      • In the mobile industry, chipset providers, mobile providers and carriers could exchange SPDX files as software moves through the supply chain
  • Am I required to use the SPDX specification?
    • The SPDX organization does not and can not make it a requirement for anyone to use the SPDX specification.  However, we do encourage the use of SPDX as a way to streamline the processes needed to analyze software for open source licenses.  However, there may be companies or organizations that DO require use of the SPDX specification and the creation of SPDX files as part of contracts with their supply chain partners.  For example, a mobile handset vendor might require, as part of a contract, that it's supplier provide an SPDX file along with any software.
  • Is an SPDX file assoociated with a particular piece of software?
    • Yes.  An SPDX file is associated with a piece of software.  When any changes are made to that piece of software, the SPDX file will need to be changed as well to correspond.  So, for example, when a new version of a piece of software is released, the SPDX file associated with it would need to be updated. 
  • What information is included in an SPDX file?
    • Review the SPDX spec for complete details, but at a high level, the SPDX file contains information about each and every file that is included in a particular piece of software.  The information in the SPDX file indicates what license (if any) is associated with that file.  It may also include information about what open source project or component that file originated from. 
  • How do I know if the information included in the SPDX file is accurate?
    • There are several ways to assess the level of trust in an SPDX file.
      •  Each SPDX file includes a history of who created and reviewed the information -- similar to what you would see for authors of open source code.  By reviewing that information, you can make your own assessement of the level of trust you place in the creators. 
      • In cases where you receive the SPDX file from a suppliy chain partner, you may also have separate contractual arrangements whereby a supplier is vouching for or guaranteeing the accuracy of the SPDX file. 
      • You may choose to use software tools that can scan software and validate the accuracy of the SPDX file.
      • You can review the software yourself and compare what you find to the contents of the SPDX file.
  • Are their tools available that can help me create, validate or read an SPDX file?
    • The SPDX organization is working to create tools that help create, validate or read SPDX files.  In addition, we expect that both open source and proprietary tools will be created to help with these tasks.  See the Tools page for more information.
  • Who created the SPDX spec?
    • The specification is being created by a working group of the Linux Foundation.  Its members represent a wide spectrum of open source creators and consumers, including open source communities, Linux distros, mobile supply chain companies, software companies, makers of open source scanning tools and service providers.  The process is an open process, run much like an open source community, and the group is open for anyone that wants to participate.  Membership in the Linux Foundation is not required to participate.
  • How do we handle non-OSS licenses?
  • How does SPDX work with binaries?
  • How does SPDX work with sub-archives?
  • Need explanations of compound licensing?
  • Specify what things aren't included yet