|
|
Log in / Subscribe / Register

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 10, 2021 18:07 UTC (Fri) by jebba (guest, #4439)
Parent article: SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

I don't see a free (as in beer) publicly available PDF of the standard. On ISO's website it is around $200 USD to buy it. The source code to the standard is available in the git repo, so one should be able to build a PDF of the standard. Then the question is which commit is the actual standard? There is a list here, which says the current version of the standard is 2.2. But that is the SPDX standard version, which isn't necessarily the version that was used for the ISO standard. I'm guessing it is version 2.2, but anyone know for sure?

https://spdx.dev/specifications/

https://github.com/spdx/spdx-spec/releases/tag/v2.2

to post comments

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 10, 2021 18:25 UTC (Fri) by atnot (guest, #124910) [Link] (22 responses)

The rules of ISO require this. It's similar for e.g. C++. You are not allowed to publish the official spec freely, however the last draft release is generally known to be identical to the standard.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 10, 2021 18:56 UTC (Fri) by fw (subscriber, #26023) [Link] (21 responses)

The default ISO rules do not allow publication of drafts, not even in source code form. I do not know if ISO has approved the Github repository https://github.com/cplusplus/draft or its HTML rendering at https://eel.is/c++draft/ (although the latter is extremely value as a resource, more so than any PDFs). Workgroup materials (such as submitted papers) are not supposed to be published by the working group. Blogging about committee decisions is not allowed, either. Pretty much everyone seems to ignore these rules, but I do not feel comfortable with that, so I no longer contribute to the ISO process.

However, ISO can and does change the rules for specific standards. The Ada standard is publicly available under a free (libre) license, with the only difference being the front material (basically the ISO copyright statement and self-declaration as an international standard).

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 9:40 UTC (Sat) by benjamir (guest, #133607) [Link] (14 responses)

Simple solution: boycott ISO

If most ignore them, they can go to hell with their pile of papers.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 11:21 UTC (Sat) by ale2018 (subscriber, #128727) [Link] (13 responses)

It is surprising that Linux Foundation and SPDX.dec, whose governance model is based on Community Specification predicating something like

The Community Specification allows you to start a specification development effort as easily as an open source project.

chose a Standards Development Organization having such liberticidal rules.

The IETF seems to be much better.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 14:42 UTC (Sat) by jebba (guest, #4439) [Link] (11 responses)

> It is surprising that Linux Foundation ...

The Linux foundation is user hostile. It is run by major corporations. There are zero community members on the Linux Foundation board, and this has been true for years. THIS is the Linux Foundation:

* Microsoft
* VMware
* AT&T
* Facebook
* Qualcomm
* Oracle
* IBM
* Intel
* NEC
* Huawei

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 15:12 UTC (Sat) by calumapplepie (guest, #143655) [Link] (10 responses)

And yet our editor sits on the Technical Advisory Board.

Its a board of directors: it's always going to be corporate folks, not community memebers.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 16:24 UTC (Sat) by jebba (guest, #4439) [Link]

> And yet our editor sits on the Technical Advisory Board.

And yet that is not the Board of Directors.

> Its a board of directors: it's always going to be corporate folks, not community memebers.

Where does this come from? A board can be comprised of nearly anyone. For example the Wikimedia Foundation has near zero corporate members, and includes human rights and "digital" activists. A board like that will have different priorities than a board made from trans-national corporations' employees.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 18:00 UTC (Sat) by jebba (guest, #4439) [Link] (8 responses)

> Technical Advisory Board

Per their page the Linux Foundation states:

"The Technical Advisory Board provides the Linux kernel community a direct voice into The Linux Foundation’s activities and fosters bi-directional interaction with application developers, end users, and Linux companies."

Corporations represented on the advisory board:

* Microsoft
* Facebook
* Canonical
* Intel
* Google
* Red Hat
* Vmware
* Another Google

Both Corbet and GregKH are on the advisory board, which is swell, but they represent the development community, imho, not end users.

Technical advisory board

Posted Sep 11, 2021 18:52 UTC (Sat) by corbet (editor, #1) [Link] (7 responses)

Note that, if you are unhappy with the membership of the LF Technical Advisory Board, there is an election for TAB members underway right now. This would be the time to put in your nomination, or to convince somebody you would support to put in theirs.

Technical advisory board

Posted Sep 11, 2021 19:45 UTC (Sat) by atai (subscriber, #10977) [Link]

Honestly speaking, that is not the board itself, which makes the decisions.

Technical advisory board

Posted Sep 12, 2021 9:25 UTC (Sun) by mfuzzey (subscriber, #57966) [Link] (5 responses)

I don't *think* the TAB is the issue here.

Does the TAB get involved in decisions like the one to submit SPDX to ISO (which has policies concerning the availability of their standards that are questionable at best and open source hostile at worst).

I suspect not, though I may be wrong, as it's hardly a "technical" decision (nor a CoC related thing where the TAB also seems to be involved).

Seeing as ISO apparently can set standard specific rules (someone mentionned the ISO ADA standard bring free) I think the LF should have at least made free availability a precondition for submitting SPDX.

Technical advisory board

Posted Sep 18, 2021 14:29 UTC (Sat) by jschrod (subscriber, #1646) [Link] (4 responses)

????

The SPDX standard text is freely available, just like the Ada one - what is your qualm?

The real issue with SPDX is the demand on non-corporate developers to maintain such declarations for the sake of large companies who want to exploit their work without paying for it. Publication as an ISO standard has nothing to do with it.

Technical advisory board

Posted Sep 18, 2021 22:04 UTC (Sat) by anselm (subscriber, #2796) [Link] (3 responses)

The real issue with SPDX is the demand on non-corporate developers to maintain such declarations for the sake of large companies who want to exploit their work without paying for it.

Presumably if a large company wants to use the work of a non-corporate developer without paying and the only thing in their way is the lack of SPDX information, the least they could do is contribute a set of accurate SPDX headers to that project.

Technical advisory board

Posted Sep 18, 2021 22:59 UTC (Sat) by jschrod (subscriber, #1646) [Link] (2 responses)

Yes, but only if they are part of the developer community. Otherwise, the onus of maintaining that information remains at the project - and there the ROI is often questionable. IMHO, of course.

Technical advisory board

Posted Sep 19, 2021 13:27 UTC (Sun) by madscientist (subscriber, #16861) [Link] (1 responses)

I don't see why it should be the responsibility of the project. If something is wrong about the SPDX do users of the project see bugs? Do regression tests fail? If someone who cares about SPDX sees that something is not right, then can supply a patch to fix it. If users of the project are relying on the SPDX content without verifying it themselves and it's wrong, that's a problem for those users who need SPDX.

There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.

Technical advisory board

Posted Sep 19, 2021 14:22 UTC (Sun) by pizza (subscriber, #46) [Link]

> There is some minimal amount of effort for the project to verify the SPDX patch is correct and apply it but I don't think projects should spend any more time on it than that bare minimum, unless they WANT to do so... in which case it's by definition not a waste of time, for them.

SPDX is a pretty poor example, honestly. It's nearly entirely a one-off cost, and even that's not likely to be all that large. It took under an hour for me to add SPDX headers to a modest 30KLOC (across ~30 files) project that I maintain, and that's mainly because I wrote a script to do it instead of editing each file manually. Going forward, it's zero additional effort to maintain -- Adding it to a new file is trivial when you consider that I already need to ensure the new file has a proper copyright header in it, which in turn is just cut-n-pasted from another file.

Now the other stuff that corporate types want, such as certifications, security processes, testing frameworks, CI systems, maintained "stable" branches, documentation, and unliminted hand-holding represents both upfront and ongoing effort. But SPDX isn't one of those.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 23:52 UTC (Sat) by tialaramex (subscriber, #21167) [Link]

The IETF is not interested in standards like this which are not, in fact, about the Internet. They already have plenty of things to work on, and don't need to become a dumping ground for stuff somebody didn't want to take to any other SDO.

Nothing stops you taking the IETF approach for some new project, no blessing is needed. You can do your own thing and just wait for the recognition to arrive later.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 20:07 UTC (Sat) by bokr (guest, #58369) [Link] (2 responses)

4However, ISO can and does change the rules for specific standards.
5------------------------------------------------------------------
6
7Who made the rules that ISO must adhere to?
8
9Maybe THEY could mandate that official standards
10must be digitally signed and sent to countries' National Libraries
11(e.g. US Library of Congress) for public free (beer and libre) acess.
12
13... And disallow gaming "official"-naming so ISO (or other standard-producers)
14can't say "...not official yet, but for a price..." a
15
16Important public standards work needs to be funded, yes,
17but the current tollgate method is perverse.
18
19Idea: Tax-fund public national libraries to enable them
20 to funnel grants to the standards-producers of anything
21 to be named "official."
22
23 And let them pay recognized developers/writers directly
24 to bypass pay-the-piper controls of organizations.
25 (obviously rules will be needed to keep the pipeline-tappers
26 from this funding flow, so expect a monitoring group to form
27 whose only purpose will eventually be to keep existing :)

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 21:54 UTC (Sat) by Vipketsh (guest, #134480) [Link] (1 responses)

The funding situation, I think, is really just an excuse.

There are pretty much two cases of standards: (i) when it is used to unify markets to everyone's benefit (e.g. electrical wiring) and (ii) when companies use standards as advertising and/or a political play to make their crap be used by everyone over a competitor's. The first case is something that works only if backed by big governments or corporations & thus makes sense for them to fund it and in the second case anyone other than the companies involved funding the exercise is unfair.

An example of a good model that works in some cases is the one USB had (don't know the situation with USB4): the text of the standard is available to everyone for free but if you want to sell a device claiming to be "USB compatible" with the logo you need to to pay the organisation some money. Thereby facilitating individuals access all the while making the ones, who have an interest and can, fund further development. I think HDMI before 2.0 had a similar model.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 12, 2021 17:40 UTC (Sun) by jebba (guest, #4439) [Link]

> The funding situation ...

Out of curiosity I looked it up. The latest ISO annual report[1] is from 2019. It shows total revenue as 43,157,000 CHF, around $50 million USD. A bit less than half of that comes from sales royalties and direct sales. So it would cost around $20 mil USD/year for the standards to be publicly available without ISO losing any revenue. Over half that is from royalties though, so member organizations (e.g. ANSI) would potentially be out of revenue too. Overall, considering the companies involved and the global scope, the dollar amounts are trivial. ISO is a NGO (non-governmental organization) based in Switzerland.

[1] PDF page 33, https://www.iso.org/files/live/sites/isoorg/files/store/e...

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 12, 2021 18:14 UTC (Sun) by jmclnx (guest, #72456) [Link] (1 responses)

Interesting, it is things like this I am seeing has had me looking at the BSDs for the last 4 years. I just replaced Linux on my main system with a BSD for a long term trial.

Granted Linux will not miss me at all, but I am sorry to say, I do not like the current direction of Linix.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 11:36 UTC (Mon) by tzafrir (subscriber, #11501) [Link]

The Linux Foundation is not Linux.

If big companies scare you, I guess FreeBSD should not be your cup of tea (and again, in my opinion: irrelevant to both).

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 16, 2021 7:36 UTC (Thu) by ncm (guest, #165) [Link]

*In fact*, any ISO "Working Group" may, at its option, choose to publish its "Final Draft International Standard", AND guarantee it is bitwise identical to the International Standard down to the punctuation, modulo the cover page.

If this particular WG has not made that choice, they get to change it next time. Or, they can publish another Draft, after, and announce that *that* one is identical.

ISO is not the problem here.

Occasionally, a contract is written to mistakenly require that an IS, rather than the corresponding FDIS (plus Defect Reports!), determine conformance to the contract, thus costing people (often taxpayers) money. That is the lawyers' mistake, which can usually be fixed without negotiating a new contract, if anybody who would want to minimize costs notices.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 14:12 UTC (Sat) by Vipketsh (guest, #134480) [Link] (3 responses)

That's one big complaint I have with ISO in general: their standards are completely inaccessible to private citizens, especially ones from poorer countries. It is just not reasonable to pay $200 to check a few things.

For computer related stuff things are passable since many of their standards either have draft versions available (e.g. C/C++) or are published elsewhere (e.g. JPEG/h26x at ITU) that make them available for free. If all else fails, for some common ones, eastern friends are usually intrepid enough to make them available on the net somewhere.

For non-computer related things ISO is just crazy. Some years ago I was interested in some details on electrical installations that turns out are from ISO standards -- lot's of them, as it would appear that they cut the complete thing up into a large number of standards each of about 10 pages. ISO being ISO each of those documents cost starting from about $50. No way any private person just curious about something can afford to pay for all this stuff.

Before the internet things were workable: as a private person you joined the appropriate library for a month for a (very) small fee, dug through as many standards as you needed, made notes of things of interest, possibly even photocopied some pages. In the digital age none of that seems possible.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 14:36 UTC (Sat) by jebba (guest, #4439) [Link] (1 responses)

The old NASA standards were all public and online. Now NASA is proprietary too. FWIW, I pulled together all I could find of NASA's last open standards related to wiring, soldering, etc. Maybe you find it interesting:

https://code.forksand.com/forksand/NASA-standards

https://code.forksand.com/forksand/NASA-standards/raw/bra...

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 11, 2021 15:16 UTC (Sat) by calumapplepie (guest, #143655) [Link]

To be clear: NASA now says "our standard is that published by $LARGER_INDUSTRY_GROUP , which will charge money". They don't say "We produced this standard, so you need to pay us money for it". Copyright doesn't apply to official works of the US federal government, so they can't do that. There are still many NASA standards that are open: of course, that's generally because they are spaceship-specific.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 16, 2021 23:12 UTC (Thu) by pj (subscriber, #4506) [Link]

If that standard is incorporated by reference into law (eg. it's part of the building code), then you should see if the Internet Archive has a copy - they've made a bit of a crusade of buying a copy and publishing it, and since the law - even the bits of it incorporated by reference - can't be copyrighted, they've won every case brought against them. https://archive.org/details/govlaw

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 4:18 UTC (Mon) by mdolan (subscriber, #104340) [Link]

SPDX 2.2 is the spec that was submitted to ISO/IEC JTC 1 for approval, which ISO then requires a reformat into their template, and sells access to an ISO templated copy on their website. Nothing prevents the original specification submitter from also making it publicly available (which SPDX has always done).

https://spdx.dev/specifications/

The LF Board has nothing to do with the individual project decisions. The LF Board has never made a decision for the kernel community, nor for SPDX. If you want to participate, just show up and contribute.

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 19:34 UTC (Mon) by mdolan (subscriber, #104340) [Link] (1 responses)

There is an unfortunate delay when ISO formally publishes an approved publicly available standard and when it shows up (available for free) on their PAS standards list. PAS standards are available for free, but there is a delay for some reason. When they do update this page below, the ISO templatized SPDX standard will be available for free. We've also done this for the OpenChain standard which you can already find for free on this URL:

https://standards.iso.org/ittf/PubliclyAvailableStandards/

SPDX Becomes Internationally Recognized Standard for Software Bill of Materials

Posted Sep 13, 2021 19:41 UTC (Mon) by jebba (guest, #4439) [Link]

Awesome, thank you.

Do you perchance know which commit is used? Since I wrote above, I see there is a 2.2.1, but isn't tagged in the git repo.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds