工程师 - 什么是SPDX-优快云博客

System Package Data Exchange (SPDX®)

这是一种开放标准，能够以 SBOM（软件物料清单）和其他人工智能、数据和安全参考资料的形式表示带有软件组件的系统，支持一系列风险管理用例。

SPDX 规范是一项免费提供的国际开放标准（ISO/IEC 5692:2021）。

An open standard capable of representing systems with software components in as SBOMs (Software Bill of Materials) and other AI, data and security references supporting a range of risk management use cases.

The SPDX specification is a freely available international open standard (ISO/IEC 5692:2021).

Overview

SPDX 是一种开放标准，用于交流软件物料清单信息，包括出处、许可证、安全性和其他相关信息。SPDX 通过为组织和社区提供共享重要数据的通用格式，减少了冗余工作，从而简化并提高了合规性、安全性和可靠性。SPDX 规范被公认为是用于安全性、许可证合规性和其他软件供应链工件的国际开放标准 - ISO/IEC 5962:2021。

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.

Our Mission

SPDX 的使命是开发和推广用于交流软件物料清单信息（包括出处、许可证、安全性和其他相关信息）的开放标准。

The mission of SPDX is to develop and promote open standards for communicating software bill of material information, including provenance, license, security, and other related information.

Our Vision

SPDX 的愿景是通过为组织和社区提供共享重要数据的通用格式来减少冗余工作，从而简化和提高合规性、安全性和可靠性。

The vision of SPDX is to reduce redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

About

SPDX 是 Linux 基金会主办的一个开放源代码项目。该基层项目包括来自不同组织的代表--软件、系统和工具供应商、基金会和系统集成商。工作由三个小组完成：技术小组、法律小组和外联小组。此外，每月还举行一次电话会议，概述整个项目的进展情况。有关参与的更多信息，请参阅 "参与 "页面。

SPDX 项目由以下部分组成

SPDX 规范本身
SPDX 许可证列表（包括例外情况、匹配指南、许可证 ID 和许可证表达式语法）
用于处理 SPDX 文档和 SPDX 许可列表的 SPDX 工具和库

SPDX is an open source project hosted by the Linux Foundation. The grass-roots effort includes representatives from a diverse set of organizations—software, systems and tool vendors, foundations and systems integrators. Work is done by three sub-groups: the tech team, the legal team, and the outreach team. There is also a monthly general call which provides an overview of progress on the entire project. For more information about getting involved, see the Participate page.

The SPDX project is composed of:

The SPDX Specification itself
The SPDX License List (including exceptions, matching guidelines, license IDs, and license expression syntax)
SPDX tools and libraries for working with the SPDX documents and SPDX License List

Guiding Principles

SPDX 以机器可读和人类可读的格式表示数据。
SPDX 侧重于收集和交流事实，并提供一个框架来对这些事实作出断言。
SPDX 不做任何法律解释（关于许可证或许可证合规性）。
SPDX 促进了供应链中元数据的有效交换

SPDX represents data in formats that are both machine- and human-readable.
SPDX focuses on collecting and communicating facts; and provides a framework to make assertions about those facts.
SPDX makes no legal interpretations (of licenses or license compliance).
SPDX facilitates the efficient exchange of metadata in the supply chain

Governance Model

SPDX 治理模式的完整描述和文件可在 SPDX 治理库中获取，网址为 GitHub - spdx/governance: SPDX Governance, based on Community Specification model。

The SPDX Governance model is described in full and documentation is available in the SPDX governance repository at https://github.com/spdx/governance.

SPDX Continuously Improves

2010/02 - Linux 基金会下的 FOSSBazaar 工作组开始起草规范，该工作组后来被称为 "SPDX"，最初被称为 "Package Facts"。

2010/08 - "SPDX "宣布成为 Linux 基金会开放合规计划的支柱之一。

2011/08 - SPDX 1.0 规范处理软件包。

......

2024/04 - SPDX 3.0.0 发布

2010/02 — specification drafting began in a work-group of FOSSBazaar under Linux Foundation that came to be called “SPDX,” was originally referred to as Package Facts.

2010/08 — “SPDX” announced as one of the pillars of the Linux Foundation’s Open Compliance Program.

2011/08 — SPDX 1.0 specification handles packages.

......

2024/04 — SPDX 3.0.0 released

What is SPDX?

软件包数据交换 (SPDX) 是一种开放标准（或格式），用于交流软件物料清单 (SBOM) 信息，包括组件、许可证、版权和安全参考。使用标准化格式来展示这些信息可确保不同行业和公司的信息保持一致，这有助于减少重新格式化的工作量，使信息共享更容易，并简化合规活动。

Software Package Data Exchange (SPDX) is an open standard (or format) for communicating software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references. Using a standardized format for presenting this information ensures that it is consistent across industries and companies, which helps reduce reformatting efforts, makes it easier to share information, and streamlines compliance activities.

How does SPDX work?

公司采用 SPDX 来无缝交流与其软件包相关的组件、许可证和版权数据。通过使用标准化的机器可读格式，软件 "成分 "信息的提供和接收都变得非常简单。

Companies adopt SPDX to seamlessly communicate data about the components, licenses, and copyrights associated with their software packages. Giving and receiving information about software “ingredients” is made simple by the use of a standardized and machine-readable format.

Who uses SPDX?

任何人都可以使用它。目前，无论是开源项目还是创建商业软件的组织，对它的采用都在不断增加。随着拜登总统去年颁布的行政命令提高了供应链安全标准，其采用率也持续上升。SPDX 对构建软件或运营企业软件的组织特别有用。

Anyone can use it. Currently, its adoption is growing with both open source projects and organizations creating commercial software. With the increased standards around supply chain security resulting from President Biden’s executive order last year, adoption has continued to increase. SPDX is particularly useful for organizations that build software or operate enterprise software.

What are the benefits of using SPDX?

SPDX 包含可识别软件包、软件包级别以及文件级别许可和版权数据的信息。它还显示文件的创建者、创建时间和创建方式。这些信息对于安全和许可证合规活动和要求至关重要。标准格式化还能更容易地选择标准化工具，从而提高安全流程的效率。

SPDX includes information that identifies the software package, the package level, and the file level licensing and copyright data. It also shows who created the file, and when and how. This information is critical for security and license compliance activities and requirements. Standard formatting also makes it easier to select standardized tooling, which makes security processes more efficient.

Why is SPDX important?

SPDX 解决了 EO 14028 中有关软件物料清单的要求。它提供了一种特定的文件格式，可识别大型软件中的软件组件以及与其组件相关的许可证。

更广泛地说，SPDX 还有助于解决常见的难题。

* SPDX 解决了在使用从供应商处获得的软件和二进制文件时可能出现的许可问题。

* SPDX 消除了创建定制 SBOM 的需要。有了标准化的格式，每个人都能创建一致的文档，因此无需花费时间和精力重新制定格式。

* SPDX 无需为软件供应商和消费者定义和创建 SBOM 格式，从而释放了资源和带宽。

SPDX resolves requirements in EO 14028 pertaining to a software Bill of Materials. It provides a specific file format that identifies the software components within larger pieces of software and the licenses associated with their components.

More generally, SPDX also helps resolve common challenges.

* SPDX addresses the licensing complications that can arise from the use of software and binaries received from suppliers.

* SPDX eliminates the need to create customized SBOMs. With a standardized format, everyone creates consistent documents, so there’s no need to spend time and effort reformatting.

* SPDX removes the need to define and create SBOM formats for both suppliers and consumers of software, freeing up resources and bandwidth.

SPDX（System Package Data Exchange）格式是一种用于描述软件组件（如源代码）的规范，它提供了一种标准化的方法来描述软件组件的元数据