Business Team/SPDX Vision and Mission Discussion Document

From SPDX Wiki
Jump to: navigation, search


This is a discussion document regarding the vision, mission and charter of SPDX. This discussion is in the context of planning for version 2.0 of the SPDX specification.

Original (Current) Charter

  • Spec 1.1 Charter:

Create a set of data exchange standards that enable companies and organizations to share license and component information (metadata) for software packages and related content with the aim of facilitating license and other policy compliance.

  • Spec 1.2 Why is a common format for data exchange needed?

Companies and organizations (collectively “Organizations”) are widely using and reusing open source and other software packages. Compliance with the associated licenses requires a set of due diligence activities that each Organization performs independently: a manual and/or automated scan of software and identification of associated licenses followed by manual verification. Software development teams across the globe use the same open source packages, but they have not yet set-up a way to collaborate on license discovery – many groups are performing the same work leading to duplicated effort and redundancy. This working group seeks to create a data exchange format so that information about software packages and related content, may be collected and shared in a common format with the goal of saving time and improving data accuracy.

Key Themes from SPDX Intro Slides

  • Goal: Create a defined format for a file of license fact information describing a software package.
  • Guiding Principle: Focus on capturing facts; avoid interpretations.

Current SPDX Solution Statement from SPDX Intro Slides

  • A file format for license information to accompany open source packages
  • A standardized short form to refer to the official version of common licenses
  • Benefits:
    • Allows easy exchange of license information between companies reducing burden on both suppliers and consumers.
    • Avoids due diligence redundancy where the same source code package is analyzed multiple times by different recipients.
    • Provides a unified method for exchanging license information.

What is the issue?

Our current solution approach may not be sufficient to provide the desired Benefits; e.g. the means do not seem to match the ends. Many current participants do not see how we can get to the desired benefits without expanding the mission and scope to encompass more of the compliance cycle. If we expand the mission, then we may also need organization changes to support that mission, especially some form of product management across the teams.

Many SPDX participants are now talking about a broader and deeper mission beyond a data exchange format specification including a broader/deeper role in providing standards and open source software to facilitate software licensing due diligence and compliance activities across the supply chain:

  • Expanding the specification to include comprehensive information for meeting license obligations such as complete attribution data required by open source licenses – e.g. copyright and other notices,
  • Developing comprehensive open source tools to support many or most due diligence and compliance activities,
  • Analyzing licenses in a package using scanning and/or matching techniques to detect the licenses and generate an SPDX file from that analysis,
  • Managing large volume of SPDX files – inbound and outbound,
  • Automating obligation fulfillment such as generation of attribution text or creation of a source code redistribution package,
  • Establishing a trusted repository of more comprehensive data about licenses – e.g. extend the License List to provide data for use by license detection tools,
  • Possibly establishing a trusted repository of software components with their origin and license information

Specification vs. Implementation

There is some fundamental creative tension between our charter to create a Software Package Data Exchange specification and foster its adoption versus a broader mission to create open source software to actively facilitate/enable that adoption.

  • The SPDX original/current charter is to create a data specification and foster its adoption.
  • We agreed early on to create some basic software tools to read and write SPDX files and encourage commercial vendors to support SPDX in their existing products.
  • We also agreed to emulate an open source project, but we are not an open source project whose primary “work product” is software – our primary work product is the specification itself.
  • As the SPDX specification evolves (and presumably becomes more complex), it may be highly desirable or even necessary to provide some elements of a reference implementation to validate the specification before general release.
  • We may be able to better leverage and extend existing open source projects, such as FOSSology, to offer elements of a reference implementation.

If we change our charter to include development of open source software to support software licensing due diligence and compliance activities across the supply chain, then we need to look closely at our form of organization.

Vision and Mission Statements

We currently have several documents that document and explain our vision and mission including:

  • The SPDX Charter, Definition and other principles listed in Section 1. Rationale of the in the specification itself
  • The white paper - A Common Software Package Data Exchange Format: 1.0 Release Update and Discussion
  • Other materials such as several versions of the introductory presentations

Some members have already been thinking about expanding how we talk about our vision, mission, charter, and guiding principles – there are many names for specific elements of how an organization describes itself.

One approach is to add a Vision statement and a Mission statement for SPDX where the Vision statement describes what the future looks like when you execute on the mission and the Mission statement says what you do on a daily basis (similar to a guiding principle).

The following draft Vision and Mission statements are recent draft contributions from SPDX members:

Proposed Vision Statement

Phil Odence has proposed the following Vision statement for the website:

“The vision of SPDX is to achieve license compliance with minimal cost across the supply chain. Ideally, upstream component developers begin the process by supplying SPDX files as part of their downloads. Users of those components therefore have a starting point with the SPDX files that they create for their "customers," and so on. If everything is working properly, the provenance of each piece of code is researched and documented only once during its journey through a supply chain, and that information is passed on in parallel with the code in the SPDX format.”

Proposed Mission Statement

The Cisco team has proposed the following Mission statement:

"Deliver and promote adoption of a specification to enable any party in a software supply chain, from the original author to the final end user, to accurately communicate the licensing information for any piece of copyrightable material that such party may create, alter, combine, pass on, or receive, and to make such information available in a consistent, understandable, and re-usable fashion, with the aim of facilitating license and other policy compliance."