The Linux Foundation today announced that the latest SPDX release (version 2.2) is the second specification to be submitted through the JDF to ISO/IEC JTC 1 for approval.
Last month, the Joint Development Foundation (JDF), which became part of the Linux Foundation family in 2019, was recognized as an ISO/IEC JTC 1 PAS (Publicly Available Specification) submitter.
With that recognition, the Linux Foundation can put forward specifications to JTC 1 for national body approval and international recognition. Once JTC 1 approves a PAS submission, it becomes an international standard. Also in May, the JDF announced that the OpenChain Specification was the first specification submitted for JTC 1 review for recognition as an international standard.
The Software Package Data Exchange (SPDX) is an open standard for communicating software bill of materials information, including components, licenses, copyrights, and security references. SPDX reduces redundant work by providing a common format for companies and communities to share important data, thereby streamlining and improving compliance. The first version of the SPDX specification was released 10 years ago, and it has continued to improve and evolve over the years to support the automation of more software bill of materials information.
While many already consider SPDX a de facto standard, JTC 1 certification will encourage accelerated adoption and acceptance on a global scale.
“The SPDX specification has played a vital role over the last 10 years in enabling open source adoption and establishing a foundation for automating compliance,” said Jim Zemlin, Executive Director at the Linux Foundation.
Through the JDF's submission to ISO/IEC JTC 1, Zemlin expects the SPDX specification to become “an accepted international standard that addresses how open source metadata information is shared, while reducing the risks and costs of compliance for organizations.”