Software Package Data Exchange (SPDX) is an open standard for software bill of materials (SBOM). [1] SPDX allows the expression of components, licenses, copyrights, security references and other metadata relating to software. [2] Its original purpose was to improve license compliance, [3] and it has since been expanded to facilitate additional use-cases, such as supply-chain transparency and security. [4] SPDX is authored by the community-driven SPDX Project under the auspices of the Linux Foundation.
The current version of the standard is 2.2.2. [5]
Version history
Version number | Publication date | Notes | References |
---|---|---|---|
1.0 | August 2011 | The first release of the SPDX specification; handles packages. | [3] |
1.1 | August 2012 | Fixed a flaw in the SPDX Package Verification Code (a cryptographic hash function) and added support for free-form comments. | [6] |
1.2 | October 2013 | Improved interaction with the SPDX License List, and added new fields for documenting extra information about software projects. | [7] |
2.0 | May 2015 | Added the ability to describe multiple packages and the relationships between different packages and files. | [8] |
2.1 | November 2016 | Added support for describing 'snippets' of code and the ability to reference non-SPDX data (such as CVEs). | [9] [10] |
2.2 | May 2020 | Added 'SPDX-lite' profile for minimal software bill of materials and improved support for external references. | [11] |
2.2.1 | October 2020 | Functionally equivalent to SPDX 2.2 but with typesetting for publication as an ISO standard. | [12] |
2.2.2 | April 2022 | Functionally equivalent to SPDX 2.2.1 but with spelling, grammar and other editorial improvements. | [13] |
The first version of the SPDX specification was intended to make compliance with software licenses easier, [3] but subsequent versions of the specification added capabilities intended for other use-cases, such as being able to contain references to known software vulnerabilities. [10] Recent versions of SPDX fulfill the NTIA's 'Minimum Elements For a Software Bill of Materials'. [14]
SPDX 2.2.1 was submitted to the International Organization for Standardization (ISO) in October 2020, and was published as ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1 in August 2021. [12] [15]
License syntax
Each license is identified by a full name, such as "Mozilla Public License 2.0", and a short identifier, here `MPL-2.0`. Licenses can be combined with the operators `AND` and `OR`, and grouped with parentheses `(` and `)`.
For example, `(Apache-2.0 OR MIT)` means that one can choose between `Apache-2.0` (Apache License) or `MIT` (MIT license). On the other hand, `(Apache-2.0 AND MIT)` means that both licenses apply.
There is also a `+` operator which, when applied to a license, means that future versions of the license apply as well. For example, `Apache-1.1+` means that `Apache-1.1` and `Apache-2.0` may apply (and future versions, if any).
SPDX describes the exact terms under which a piece of software is licensed. It does not attempt to categorize licenses by type, for instance by describing licenses with similar terms to the BSD License as "BSD-like". [16]
In 2020, the European Commission published its Joinup Licensing Assistant, [17] which makes it possible to select and compare more than 50 licenses, with access to their SPDX identifiers and full text.
Deprecated license identifiers
The GNU family of licenses (e.g., GNU General Public License version 2) has the option of choosing a later version of the license built in. Sometimes it was not clear whether the SPDX expression `GPL-2.0` meant "exactly GPL version 2.0" or "GPL version 2.0 or any later version". [18]
Thus, since version 3.0 of the SPDX License List, the GNU family of licenses has new names: [19] `GPL-2.0-only` means "exactly version 2.0" and `GPL-2.0-or-later` means "version 2.0 or any later version".
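As an added example (not code from the original article and not the SPDX Project's own tooling), the following Python parses the expression syntax described in the license syntax section (`AND`, `OR`, parentheses and the `+` suffix) together with the `-only`/`-or-later` identifiers from this section, evaluates an expression against a constructed set of license versions a project is willing to accept, and flags bare GNU-family identifiers such as `GPL-2.0` whose meaning is ambiguous. It assumes that `AND` binds tighter than `OR` (as the SPDX specification's grammar states), a `<family>-<dotted version>` identifier shape for version-aware matching, and the GNU family set `{GPL, LGPL, AGPL}`; the acceptance policy and the expressions fed to it are constructed sample input.

```python
import re
from dataclasses import dataclass

# Assumed identifier shape for version-aware matching: <family>-<dotted version>,
# optionally followed by -only/-or-later (e.g. "GPL-2.0-or-later"). Identifiers
# that do not fit this shape (e.g. "MIT", "BSD-3-Clause") match by exact string only.
_ID_RE = re.compile(r"^(?P<family>[A-Za-z]+(?:-[A-Za-z]+)*)-(?P<ver>\d+(?:\.\d+)*)(?:-only|-or-later)?$")
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
# GNU-family prefixes whose bare "<family>-<version>" names were replaced by
# -only/-or-later identifiers in SPDX License List 3.0 (set assumed here).
GNU_FAMILIES = {"GPL", "LGPL", "AGPL"}


@dataclass(frozen=True)
class Lic:
    id: str         # identifier as written, e.g. "Apache-1.1+" or "GPL-2.0-only"
    or_later: bool  # True for a trailing "+" or an "-or-later" suffix


@dataclass(frozen=True)
class Op:
    op: str          # "AND" or "OR"
    operands: tuple  # two or more Lic/Op nodes


class _Parser:
    """Recursive-descent parser; AND binds tighter than OR, as in the SPDX spec."""

    def __init__(self, expr):
        self.toks, self.pos = _TOKEN_RE.findall(expr), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _binary(self, op, sub):
        parts = [sub()]
        while self._peek() == op:
            self._take()
            parts.append(sub())
        return parts[0] if len(parts) == 1 else Op(op, tuple(parts))

    def _or(self):
        return self._binary("OR", self._and)

    def _and(self):
        return self._binary("AND", self._atom)

    def _atom(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"expected a license identifier, got {tok!r}")
        return Lic(tok, tok.endswith("+") or tok.endswith("-or-later"))

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node


def parse(expr):
    """Parse an SPDX license expression into a Lic/Op tree; raises ValueError if malformed."""
    return _Parser(expr).parse()


def split_id(lic_id):
    """(family, version tuple) for versioned identifiers, else (identifier, None)."""
    base = lic_id.rstrip("+")
    m = _ID_RE.match(base)
    return (m.group("family"), tuple(int(p) for p in m.group("ver").split("."))) if m else (base, None)


def satisfied(node, accepted):
    """True if the licensee can comply using only license versions listed in `accepted`."""
    if isinstance(node, Op):
        results = [satisfied(c, accepted) for c in node.operands]
        return all(results) if node.op == "AND" else any(results)
    fam, ver = split_id(node.id)
    if ver is None:  # versionless identifier: exact string match only
        return node.id in accepted
    return any(afam == fam and aver is not None and (aver == ver or (node.or_later and aver > ver))
               for afam, aver in map(split_id, accepted))


def deprecated_ids(node):
    """Bare GNU-family identifiers (e.g. 'GPL-2.0') that carry neither -only nor -or-later."""
    if isinstance(node, Op):
        return [d for c in node.operands for d in deprecated_ids(c)]
    fam, ver = split_id(node.id)
    bare = fam in GNU_FAMILIES and ver is not None and not node.id.endswith(("-only", "-or-later"))
    return [node.id] if bare else []


if __name__ == "__main__":
    policy = {"MIT", "Apache-2.0", "GPL-3.0-only"}  # constructed sample acceptance policy
    for text in ("(Apache-2.0 OR MIT)", "Apache-1.1+", "GPL-2.0-or-later", "GPL-2.0 AND MIT"):
        tree = parse(text)
        print(f"{text:22} ok={satisfied(tree, policy)} deprecated={deprecated_ids(tree)}")
```

The evaluator treats an `OR` as a choice the licensee may make and an `AND` as obligations that all apply, which is the distinction the section draws between `(Apache-2.0 OR MIT)` and `(Apache-2.0 AND MIT)`; a `+` suffix or `-or-later` identifier is satisfied by any accepted later version of the same family, while `-only` and unsuffixed versioned identifiers require that exact version. Malformed input (dangling operators, unbalanced parentheses) raises `ValueError` rather than being silently accepted, which is the behaviour a policy check should have.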
References
1. Stewart, Kate (May 25, 2021). "SPDX: It's Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security". Linux Foundation. Retrieved 2021-08-13.
2. "Survey of Existing SBOM Formats and Standards" (PDF). National Telecommunications and Information Administration. October 25, 2019. p. 9. Retrieved 2021-08-13.
3. Bridgwater, Adrian (August 19, 2011). "Linux Foundation eases open source licensing woes". Computer Weekly. Retrieved 2021-08-13.
4. Rushgrove, Gareth (June 16, 2021). "Advancing SBOM standards: Snyk and SPDX". Retrieved 2021-08-14.
5. "SPDX Current version". spdx.dev. Retrieved 2022-06-11.
6. "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. August 30, 2012. Retrieved 2021-12-01.
7. "The Linux Foundation's SPDX Workgroup Releases New Version of Software Package Data Exchange Standard". Linux Foundation. October 22, 2013. Retrieved 2021-12-01.
8. "What's new in SPDX 2.0". LWN.net. May 20, 2015. Retrieved 2021-12-01.
9. "General Meeting/Minutes/2016-11-03". wiki.spdx.org. November 3, 2016. Retrieved 2021-12-01.
10. "The Linux Foundation's Open Compliance Initiative Releases New SPDX Specification". Linux Foundation. October 4, 2016. Retrieved 2021-12-01.
11. "SPDX 2.2 Specification Released". Linux Foundation. May 7, 2020. Retrieved 2021-12-01.
12. "ISO/IEC 5962:2021 Information technology — SPDX® Specification V2.2.1". iso.org. Retrieved 2021-12-01.
13. "Release v2.2.2". github.com/spdx. Retrieved 2022-06-11.
14. "The Minimum Elements For a Software Bill of Materials (SBOM)" (PDF). National Telecommunications and Information Administration. Retrieved 2021-12-01.
15. Bernard, Allen (September 9, 2021). "SPDX becomes internationally recognized standard". TechRepublic. Retrieved 2021-12-01.
16. Odence, Phil (2010-06-23). "The Software Package Data Exchange (SPDX) Format". Dr Dobb's. Retrieved 2012-08-31.
17. "Joinup Licensing Assistant". Retrieved 31 March 2020.
18. Richard Stallman. "For Clarity's Sake, Please Don't Say "Licensed under GNU GPL 2"!". gnu.org. Retrieved 2018-05-24.
19. Jilayne Lovejoy (5 January 2018). "License List 3.0 Released!". spdx.dev. Archived from the original on 2018-01-05. Retrieved 2021-09-02.
External links
- Official website
- SPDX on the ISO website
- Linux Foundation Open Compliance Program
- Nathan Willis: A SPDX case study LWN.net