
SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

The Linux Foundation has announced that Software Package Data Exchange (SPDX) has become an international standard (ISO/IEC 5962:2021). SPDX has been used in the kernel and other projects to identify the licenses and attach other metadata to software components.
Between eighty and ninety percent (80%-90%) of a modern application is assembled from open source software components. An SBOM [software bill of materials] accounts for the software components contained in an application — open source, proprietary, or third-party — and details their provenance, license, and security attributes. SBOMs are used as a part of a foundational practice to track and trace components across software supply chains. SBOMs also help to proactively identify software issues and risks and establish a starting point for their remediation.

SPDX results from ten years of collaboration from representatives across industries, including the leading Software Composition Analysis (SCA) vendors – making it the most robust, mature, and adopted SBOM standard.


SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 10, 2021 18:07 UTC (Fri) by jebba (guest, #4439) [Link] (30 responses)

I don't see a free (as in beer) publicly available PDF of the standard. On ISO's website it is around $200 USD to buy it. The source code to the standard is available in the git repo, so one should be able to build a PDF of the standard. Then the question is which commit is the actual standard? There is a list here, which says the current version of the standard is 2.2. But that is the SPDX standard version, which isn't necessarily the version that was used for the ISO standard. I'm guessing it is version 2.2, but anyone know for sure?

https://spdx.dev/specifications/

https://github.com/spdx/spdx-spec/releases/tag/v2.2

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 10, 2021 18:25 UTC (Fri) by atnot (subscriber, #124910) [Link] (22 responses)

The rules of ISO require this. It's similar for e.g. C++. You are not allowed to publish the official spec freely, however the last draft release is generally known to be identical to the standard.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 10, 2021 18:56 UTC (Fri) by fw (subscriber, #26023) [Link] (21 responses)

The default ISO rules do not allow publication of drafts, not even in source code form. I do not know if ISO has approved the Github repository https://github.com/cplusplus/draft or its HTML rendering at https://eel.is/c++draft/ (although the latter is extremely valuable as a resource, more so than any PDFs). Workgroup materials (such as submitted papers) are not supposed to be published by the working group. Blogging about committee decisions is not allowed, either. Pretty much everyone seems to ignore these rules, but I do not feel comfortable with that, so I no longer contribute to the ISO process.

However, ISO can and does change the rules for specific standards. The Ada standard is publicly available under a free (libre) license, with the only difference being the front material (basically the ISO copyright statement and self-declaration as an international standard).

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 9:40 UTC (Sat) by benjamir (subscriber, #133607) [Link] (14 responses)

Simple solution: boycott ISO

If most ignore them, they can go to hell with their pile of papers.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 11:21 UTC (Sat) by ale2018 (guest, #128727) [Link] (13 responses)

It is surprising that Linux Foundation and SPDX.dev, whose governance model is based on Community Specification predicating something like

> The Community Specification allows you to start a specification development effort as easily as an open source project.

chose a Standards Development Organization having such liberticidal rules.

The IETF seems to be much better.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 14:42 UTC (Sat) by jebba (guest, #4439) [Link] (11 responses)

> It is surprising that Linux Foundation ...

The Linux foundation is user hostile. It is run by major corporations. There are zero community members on the Linux Foundation board, and this has been true for years. THIS is the Linux Foundation:

* Microsoft
* VMware
* AT&T
* Facebook
* Qualcomm
* Oracle
* IBM
* Intel
* NEC
* Huawei

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 15:12 UTC (Sat) by calumapplepie (guest, #143655) [Link] (10 responses)

And yet our editor sits on the Technical Advisory Board.

It's a board of directors: it's always going to be corporate folks, not community members.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 16:24 UTC (Sat) by jebba (guest, #4439) [Link]

> And yet our editor sits on the Technical Advisory Board.

And yet that is not the Board of Directors.

> It's a board of directors: it's always going to be corporate folks, not community members.

Where does this come from? A board can be comprised of nearly anyone. For example the Wikimedia Foundation has near zero corporate members, and includes human rights and "digital" activists. A board like that will have different priorities than a board made from trans-national corporations' employees.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 18:00 UTC (Sat) by jebba (guest, #4439) [Link] (8 responses)

> Technical Advisory Board

Per their page the Linux Foundation states:

"The Technical Advisory Board provides the Linux kernel community a direct voice into The Linux Foundation’s activities and fosters bi-directional interaction with application developers, end users, and Linux companies."

Corporations represented on the advisory board:

* Microsoft
* Facebook
* Canonical
* Intel
* Google
* Red Hat
* VMware
* Another Google

Both Corbet and GregKH are on the advisory board, which is swell, but they represent the development community, imho, not end users.

Technical advisory board

Posted Sep 11, 2021 18:52 UTC (Sat) by corbet (editor, #1) [Link] (7 responses)

Note that, if you are unhappy with the membership of the LF Technical Advisory Board, there is an election for TAB members underway right now. This would be the time to put in your nomination, or to convince somebody you would support to put in theirs.

Technical advisory board

Posted Sep 11, 2021 19:45 UTC (Sat) by atai (subscriber, #10977) [Link]

Honestly speaking, that is not the board itself, which makes the decisions.

Technical advisory board

Posted Sep 12, 2021 9:25 UTC (Sun) by mfuzzey (subscriber, #57966) [Link] (5 responses)

I don't *think* the TAB is the issue here.

Does the TAB get involved in decisions like the one to submit SPDX to ISO (which has policies concerning the availability of their standards that are questionable at best and open source hostile at worst).

I suspect not, though I may be wrong, as it's hardly a "technical" decision (nor a CoC related thing where the TAB also seems to be involved).

Seeing as ISO apparently can set standard specific rules (someone mentioned the ISO Ada standard being free) I think the LF should have at least made free availability a precondition for submitting SPDX.

Technical advisory board

Posted Sep 18, 2021 14:29 UTC (Sat) by jschrod (subscriber, #1646) [Link] (4 responses)

????

The SPDX standard text is freely available, just like the Ada one - what is your qualm?

The real issue with SPDX is the demand on non-corporate developers to maintain such declarations for the sake of large companies who want to exploit their work without paying for it. Publication as an ISO standard has nothing to do with it.

Technical advisory board

Posted Sep 18, 2021 22:04 UTC (Sat) by anselm (subscriber, #2796) [Link] (3 responses)

> The real issue with SPDX is the demand on non-corporate developers to maintain such declarations for the sake of large companies who want to exploit their work without paying for it.

Presumably if a large company wants to use the work of a non-corporate developer without paying and the only thing in their way is the lack of SPDX information, the least they could do is contribute a set of accurate SPDX headers to that project.

Technical advisory board

Posted Sep 18, 2021 22:59 UTC (Sat) by jschrod (subscriber, #1646) [Link] (2 responses)

Yes, but only if they are part of the developer community. Otherwise, the onus of maintaining that information remains at the project - and there the ROI is often questionable. IMHO, of course.

Technical advisory board

Posted Sep 19, 2021 13:27 UTC (Sun) by madscientist (subscriber, #16861) [Link] (1 responses)

I don't see why it should be the responsibility of the project. If something is wrong about the SPDX do users of the project see bugs? Do regression tests fail? If someone who cares about SPDX sees that something is not right, then they can supply a patch to fix it. If users of the project are relying on the SPDX content without verifying it themselves and it's wrong, that's a problem for those users who need SPDX.

There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.

Technical advisory board

Posted Sep 19, 2021 14:22 UTC (Sun) by pizza (subscriber, #46) [Link]

> There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.

SPDX is a pretty poor example, honestly. It's nearly entirely a one-off cost, and even that's not likely to be all that large. It took under an hour for me to add SPDX headers to a modest 30KLOC (across ~30 files) project that I maintain, and that's mainly because I wrote a script to do it instead of editing each file manually. Going forward, it's zero additional effort to maintain -- Adding it to a new file is trivial when you consider that I already need to ensure the new file has a proper copyright header in it, which in turn is just cut-n-pasted from another file.

Now the other stuff that corporate types want, such as certifications, security processes, testing frameworks, CI systems, maintained "stable" branches, documentation, and unlimited hand-holding represents both upfront and ongoing effort. But SPDX isn't one of those.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 23:52 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

The IETF is not interested in standards like this which are not, in fact, about the Internet. They already have plenty of things to work on, and don't need to become a dumping ground for stuff somebody didn't want to take to any other SDO.

Nothing stops you taking the IETF approach for some new project, no blessing is needed. You can do your own thing and just wait for the recognition to arrive later.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 20:07 UTC (Sat) by bokr (guest, #58369) [Link] (2 responses)

> However, ISO can and does change the rules for specific standards.

Who made the rules that ISO must adhere to?

Maybe THEY could mandate that official standards
must be digitally signed and sent to countries' National Libraries
(e.g. US Library of Congress) for public free (beer and libre) access.

... And disallow gaming "official"-naming so ISO (or other standard-producers)
can't say "...not official yet, but for a price..."

Important public standards work needs to be funded, yes,
but the current tollgate method is perverse.

Idea: Tax-fund public national libraries to enable them
 to funnel grants to the standards-producers of anything
 to be named "official."

 And let them pay recognized developers/writers directly
 to bypass pay-the-piper controls of organizations.
 (obviously rules will be needed to keep the pipeline-tappers
 from this funding flow, so expect a monitoring group to form
 whose only purpose will eventually be to keep existing :)

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 21:54 UTC (Sat) by Vipketsh (guest, #134480) [Link] (1 responses)

The funding situation, I think, is really just an excuse.

There are pretty much two cases of standards: (i) when it is used to unify markets to everyone's benefit (e.g. electrical wiring) and (ii) when companies use standards as advertising and/or a political play to make their crap be used by everyone over a competitor's. The first case is something that works only if backed by big governments or corporations & thus makes sense for them to fund it and in the second case anyone other than the companies involved funding the exercise is unfair.

An example of a good model that works in some cases is the one USB had (don't know the situation with USB4): the text of the standard is available to everyone for free but if you want to sell a device claiming to be "USB compatible" with the logo you need to pay the organisation some money. Thereby facilitating individuals' access all the while making the ones, who have an interest and can, fund further development. I think HDMI before 2.0 had a similar model.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 12, 2021 17:40 UTC (Sun) by jebba (guest, #4439) [Link]

> The funding situation ...

Out of curiosity I looked it up. The latest ISO annual report[1] is from 2019. It shows total revenue as 43,157,000 CHF, around $50 million USD. A bit less than half of that comes from sales royalties and direct sales. So it would cost around $20 mil USD/year for the standards to be publicly available without ISO losing any revenue. Over half that is from royalties though, so member organizations (e.g. ANSI) would potentially be out of revenue too. Overall, considering the companies involved and the global scope, the dollar amounts are trivial. ISO is a NGO (non-governmental organization) based in Switzerland.

[1] PDF page 33, https://www.iso.org/files/live/sites/isoorg/files/store/e...

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 12, 2021 18:14 UTC (Sun) by jmclnx (guest, #72456) [Link] (1 responses)

Interesting, it is things like this that I am seeing that have had me looking at the BSDs for the last 4 years. I just replaced Linux on my main system with a BSD for a long term trial.

Granted Linux will not miss me at all, but I am sorry to say, I do not like the current direction of Linux.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 11:36 UTC (Mon) by tzafrir (subscriber, #11501) [Link]

The Linux Foundation is not Linux.

If big companies scare you, I guess FreeBSD should not be your cup of tea (and again, in my opinion: irrelevant to both).

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 16, 2021 7:36 UTC (Thu) by ncm (guest, #165) [Link]

*In fact*, any ISO "Working Group" may, at its option, choose to publish its "Final Draft International Standard", AND guarantee it is bitwise identical to the International Standard down to the punctuation, modulo the cover page.

If this particular WG has not made that choice, they get to change it next time. Or, they can publish another Draft, after, and announce that *that* one is identical.

ISO is not the problem here.

Occasionally, a contract is written to mistakenly require that an IS, rather than the corresponding FDIS (plus Defect Reports!), determine conformance to the contract, thus costing people (often taxpayers) money. That is the lawyers' mistake, which can usually be fixed without negotiating a new contract, if anybody who would want to minimize costs notices.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 14:12 UTC (Sat) by Vipketsh (guest, #134480) [Link] (3 responses)

That's one big complaint I have with ISO in general: their standards are completely inaccessible to private citizens, especially ones from poorer countries. It is just not reasonable to pay $200 to check a few things.

For computer related stuff things are passable since many of their standards either have draft versions available (e.g. C/C++) or are published elsewhere (e.g. JPEG/h26x at ITU) that make them available for free. If all else fails, for some common ones, eastern friends are usually intrepid enough to make them available on the net somewhere.

For non-computer related things ISO is just crazy. Some years ago I was interested in some details on electrical installations that turns out are from ISO standards -- lots of them, as it would appear that they cut the complete thing up into a large number of standards each of about 10 pages. ISO being ISO each of those documents cost starting from about $50. No way any private person just curious about something can afford to pay for all this stuff.

Before the internet things were workable: as a private person you joined the appropriate library for a month for a (very) small fee, dug through as many standards as you needed, made notes of things of interest, possibly even photocopied some pages. In the digital age none of that seems possible.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 14:36 UTC (Sat) by jebba (guest, #4439) [Link] (1 responses)

The old NASA standards were all public and online. Now NASA is proprietary too. FWIW, I pulled together all I could find of NASA's last open standards related to wiring, soldering, etc. Maybe you find it interesting:

https://code.forksand.com/forksand/NASA-standards

https://code.forksand.com/forksand/NASA-standards/raw/bra...

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 15:16 UTC (Sat) by calumapplepie (guest, #143655) [Link]

To be clear: NASA now says "our standard is that published by $LARGER_INDUSTRY_GROUP , which will charge money". They don't say "We produced this standard, so you need to pay us money for it". Copyright doesn't apply to official works of the US federal government, so they can't do that. There are still many NASA standards that are open: of course, that's generally because they are spaceship-specific.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 16, 2021 23:12 UTC (Thu) by pj (subscriber, #4506) [Link]

If that standard is incorporated by reference into law (eg. it's part of the building code), then you should see if the Internet Archive has a copy - they've made a bit of a crusade of buying a copy and publishing it, and since the law - even the bits of it incorporated by reference - can't be copyrighted, they've won every case brought against them. https://archive.org/details/govlaw

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 4:18 UTC (Mon) by mdolan (subscriber, #104340) [Link]

SPDX 2.2 is the spec that was submitted to ISO/IEC JTC 1 for approval, which ISO then requires a reformat into their template, and sells access to an ISO templated copy on their website. Nothing prevents the original specification submitter from also making it publicly available (which SPDX has always done).

https://spdx.dev/specifications/

The LF Board has nothing to do with the individual project decisions. The LF Board has never made a decision for the kernel community, nor for SPDX. If you want to participate, just show up and contribute.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 19:34 UTC (Mon) by mdolan (subscriber, #104340) [Link] (1 responses)

There is an unfortunate delay when ISO formally publishes an approved publicly available standard and when it shows up (available for free) on their PAS standards list. PAS standards are available for free, but there is a delay for some reason. When they do update this page below, the ISO templatized SPDX standard will be available for free. We've also done this for the OpenChain standard which you can already find for free on this URL:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 19:41 UTC (Mon) by jebba (guest, #4439) [Link]

Awesome, thank you.

Do you perchance know which commit is used? Since I wrote above, I see there is a 2.2.1, but it isn't tagged in the git repo.

Keep the maintainers in mind

Posted Sep 11, 2021 17:29 UTC (Sat) by mirabilos (subscriber, #84359) [Link] (9 responses)

While this may be nice, remember who’s doing the actual work, most of the time unpaid.

https://opensource.com/article/21/8/open-source-maintainers is a recent nice read on this.

Keep the maintainers in mind

Posted Sep 12, 2021 18:27 UTC (Sun) by halla (subscriber, #14185) [Link] (8 responses)

Yes... That's what I was thinking, too. Only recently, someone went to all the trouble to create patches for Krita to replace all the headers with this stuff. Hours of work. I spent time reviewing it. Then I spent time fixing fall-out. Then I spent time asking our contributors to follow this... And in the end, is there anyone who wants to paint a bit in Krita a bit better off for all this?

Nope.

And since there is no corporate sponsorship, we've been paying for this with our own time, eating into the time we could have spent fixing bugs.

Keep the maintainers in mind

Posted Sep 13, 2021 1:29 UTC (Mon) by mroche (subscriber, #137163) [Link]

> Only recently, someone went to all the trouble to create patches for Krita to replace all the headers with this stuff.
> ...
> Then I spent time fixing fall-out.

Out of curiosity, would you mind elaborating on the issues you ran into caused by these changes?

Keep the maintainers in mind

Posted Sep 13, 2021 5:17 UTC (Mon) by LtWorf (subscriber, #124958) [Link] (6 responses)

But why did you even do it then?

What advantage does making this change bring?

(I'm honestly asking, not being sarcastic)

Keep the maintainers in mind

Posted Sep 16, 2021 2:54 UTC (Thu) by NYKevin (subscriber, #129325) [Link] (5 responses)

As someone on the corp side, I am curious about this myself. How did my great grandboss (and their friends) convince all of these people to do all of this work for free, when it basically only benefits giant corporations and governments? I wish I could get free stuff just by asking nicely...

Keep the maintainers in mind

Posted Sep 16, 2021 7:53 UTC (Thu) by ncm (guest, #165) [Link] (4 responses)

Typically committee members are sent by the corporations interested in the resulting Standard, and are thus paid.

Depending on circumstance, they may vote (1) their own opinion; often (2) the collective opinion of a company committee; sometimes (3) the collective opinion of a National Body representing a government (often a committee made up of designated experts chosen however that government likes, and deciding how the government likes, often by internal vote); and sometimes (4) as directed by management not interested in their opinion.

Standards are made by a process resembling that for sausage. Quality varies according to how much of it participants are willing to pay for.

Keep the maintainers in mind

Posted Sep 16, 2021 10:00 UTC (Thu) by LtWorf (subscriber, #124958) [Link] (3 responses)

Ok it's a standard but… so what?

Why do unpaid open source developers care to implement a standard that helps giant companies reuse their code without wasting time to read the license?

I guess there is some advantage to using the standard in an open source project? But what's the advantage? I don't know… thus my question.

Keep the maintainers in mind

Posted Sep 16, 2021 11:45 UTC (Thu) by ncm (guest, #165) [Link] (1 responses)

Standards have one main purpose: interoperability.

Sometimes equipment interaction, or substitutability. Often, education, or interaction with your and others' brains. Often, quality, because international standards get a great deal more attention than things thrown together on the spot.

They are often used just to make contracts shorter and easier to negotiate.

Keep the maintainers in mind

Posted Sep 17, 2021 9:01 UTC (Fri) by LtWorf (subscriber, #124958) [Link]

I don't feel like this answers my question at all. We were talking about a precise specific case, not about standards in general.

Keep the maintainers in mind

Posted Jan 11, 2022 15:39 UTC (Tue) by rpavlik (guest, #125331) [Link]

Makes packaging for e.g. Debian much easier, and makes the maintainers feel better that all their licensing ducks are in a row. Also makes it easy to make sure incoming commits have proper copyright/license if you use something like https://reuse.software/ (which is basically "enforceable spdx headers, with tooling") because you can have a CI job checking it, etc.

Particularly useful if you e.g. publish a standard with open source parts, you can make sure even the internal repo is properly annotated and won't give you headaches at release time. (From experience here - as part of my job, I do spec editing on a Khronos standard, as well as working on open source software)

I'd also say that having a standard license tag at the top of every file, instead of just a license file for the whole repo, helps avoid "there was no license so I copied the code" thing, which is of course wrong but doesn't mean it's not done.

Also helps me re-use the little "ancillary" files that often get ignored for copyright/license headers, like scripts, CI configs, etc...

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 12, 2021 22:32 UTC (Sun) by hazmat (subscriber, #668) [Link] (2 responses)

Last I checked SPDX had no way to declare non-OSS aka commercial/proprietary licenses in metadata outside of unknown :/ making it a standard for SBOM seems rather limited in that regard, which, given that it is one of its primary purposes (aka declare artifacts and licenses), leaves me with trepidation.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 8:37 UTC (Mon) by k3ninho (subscriber, #50375) [Link] (1 responses)

The strength is the shorthand for common licence declarations and assembling a manifest/bill of materials, but those common F/LOSS licences are declared in an SPDX format. The proprietor of proprietary software could easily enclose theirs in SPDX Licence Expressions as defined in Appendix IV.
 
K3n.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 16:22 UTC (Mon) by perennialmind (guest, #45817) [Link]

There's also the explicit `NONE` for "all rights reserved". That and `NOASSERTION` are special cases slated to be promoted to AND-able expressions.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 9:33 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

A sidenote, with the inclusion of the WTFPL in the license list in SPDX, it's the first time an official ISO standard is f**ed.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 15:06 UTC (Mon) by NYKevin (subscriber, #129325) [Link] (1 responses)

PSA: The WTFPL is a terrible license. Nobody with legal training has vetted it. Its phrasing may be too vague to have legal effect in some jurisdictions. It completely lacks a warranty disclaimer.

Use one of the standard permissive licenses instead. MIT and 0BSD are both very short and easy to understand, and lawyers have actually looked at them.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 19:31 UTC (Mon) by mdolan (subscriber, #104340) [Link]

It's still useful to know if you picked up any dependencies under the WTFPL... which SPDX short identifiers in source files enable you to easily identify.
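As an added example (not code from this thread, and not the REUSE project's own tooling), here is a small Python audit in the spirit of pizza's header script and rpavlik's CI check: it reads the `SPDX-License-Identifier` header from the top of each source file, splits the license expression into identifiers, and flags files that have no header, that declare `NONE` or `NOASSERTION`, or that carry a license on a deny list such as the WTFPL discussed above. The file extensions, the five-line header window, the deny list and the constructed sample tree are assumptions, not anything from the page.

```python
"""Audit a source tree for SPDX-License-Identifier headers (added example, assumptions noted)."""
import os
import re
import tempfile

# Matches the identifier and stops before a closing comment token or end of line.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*(?:\*/|-->|$)")
HEADER_LINES = 5  # assumption: the header must appear within the first five lines
SOURCE_EXTS = {".c", ".h", ".py", ".sh", ".yml", ".yaml", ".cmake"}  # assumption
OPERATORS = {"AND", "OR", "WITH"}


def find_identifier(path):
    """Return the SPDX expression from the top of a file, or None if absent."""
    with open(path, encoding="utf-8", errors="replace") as f:
        for _, line in zip(range(HEADER_LINES), f):
            m = SPDX_RE.search(line)
            if m:
                return m.group(1).strip()
    return None


def expression_ids(expr):
    """Split an SPDX license expression into its license/exception identifiers.

    Operators, parentheses and the '+' (or-later) suffix are dropped; the special
    values NONE and NOASSERTION are returned as themselves so callers can test for them.
    """
    tokens = re.findall(r"[A-Za-z0-9.\-]+\+?", expr)
    return [t.rstrip("+") for t in tokens if t.upper() not in OPERATORS]


def audit_tree(root, denied=frozenset({"WTFPL"})):
    """Return {relative path: problem} for every source file that needs attention."""
    problems = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]  # skip .git etc.
        for name in filenames:
            if os.path.splitext(name)[1] not in SOURCE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            expr = find_identifier(path)
            if expr is None:
                problems[rel] = "missing SPDX-License-Identifier header"
                continue
            ids = expression_ids(expr)
            hits = denied.intersection(ids)
            if "NOASSERTION" in ids:
                problems[rel] = "license not asserted (NOASSERTION)"
            elif "NONE" in ids:
                problems[rel] = "no license granted (NONE, all rights reserved)"
            elif hits:
                problems[rel] = "denied license: " + ", ".join(sorted(hits))
    return problems


def build_sample_tree():
    """Write a constructed sample tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="spdx-audit-")
    files = {
        "good.c": "/* SPDX-License-Identifier: GPL-2.0-or-later */\nint x;\n",
        "dual.py": "# SPDX-License-Identifier: MIT OR Apache-2.0\nx = 1\n",
        "unknown.h": "/* SPDX-License-Identifier: NOASSERTION */\n",
        "proprietary.c": "// SPDX-License-Identifier: NONE\n",
        "fun.sh": "#!/bin/sh\n# SPDX-License-Identifier: WTFPL\necho hi\n",
        "bare.c": "int main(void) { return 0; }\n",
        "README.md": "no header, but not a source file\n",
        ".git/pre-commit.sh": "#!/bin/sh\n",  # inside a dot-directory, so skipped
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, problem in sorted(audit_tree(build_sample_tree()).items()):
        print(f"{rel}: {problem}")
```

Run on a real checkout, the same `audit_tree` call is what a CI job would execute to fail a merge that introduces an unlabelled file or a denied license.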

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 16, 2021 19:41 UTC (Thu) by ncm (guest, #165) [Link]

I guarantee you it is not the first time.


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds