Re: Hello World!


Philip Odence
 

Hey Jeremiah,

It’s been a while. Forgive me for doing a lousy job educating you on SPDX. Thanks, MarkG for filling in.

Having been involved in SPDX from the outset, I can tell you that there are many issues, but lack of a problem focus really isn’t one. Attached is the high level way we’ve expressed it. We’ve been well-focused, I believe, on providing a lingua franca for partners in a supply chain to exchange software BoM information. There’s been external pressure, by the way, to expand our focus, for example into OpenChain type activities—thanks, Dave Marr, for starting OC and thereby relieving the pressure. 

Adoption is a challenge, a real chicken/egg problem. How do you get people to communicate in your language when it’s hard to find others who are fluent? That said, Wind River, TI, Siemens, Samsung, Alcatel-Lucent and others have all started using SPDX internally and increasingly with partners. I have been heartened this year to learn of a number of companies using SPDX who have never been involved with the group developing the standard. We would love their involvement, but the fact that organizations can get value, without being in the middle of SPDX specification development, says to me we’ve turned a corner and that the virtuous cycles are starting to spin.

The SPDX group will stay close to the OpenChain activities. As Bogart said, “I think this is the beginning of a beautiful friendship.” 

Phil 

L. Philip Odence
Chair, Linux Foundation SPDX Workgroup
Vice President and General Manager
Black Duck
8 New England Executive Park, Suite 211, Burlington MA 01803
Phone: 781.810.1819, Mobile: 781.258.9502
Skype: philip.odence

From: Jeremiah Foster <jeremiah.foster@...>
Date: Fri, 29 Aug 2014 09:17:56 +0200
To: Mark Gisi <Mark.Gisi@...>
Cc: "openchain@..." <openchain@...>
Subject: Re: [OpenChain] Hello World!

On Fri, Aug 29, 2014 at 7:37 AM, Gisi, Mark <Mark.Gisi@...> wrote:

Jeremiah raised some common concerns about SPDX, and, as an early adopter, I wanted to share my experiences.

>> while SPDX looks great, it's not widely adopted. Debian has its own format and Yocto is using SPDX
>> version 1.1. It's hard to use, has numerous supported versions (1.1, 1.2 and 2.0 in development)


SPDX is a specification and not a tool.


Okay, I confess I view it more as a tool, good to have this clarified for me.

It is analogous to PDF, which is also a specification. Specification details are largely relevant to tool developers and not so much to the tool end users. Most of us view PDF files using one tool or another, but very few of us know what the specification looks like (nor should we need to). Therefore updates to a specification largely only impact tool developers. Adobe released multiple versions of the PDF spec over the course of the first few years. This is to be expected.

>> Being Java based (there is Go code and python code now) it's better suited for those working in a
>> Windows environment and while I'm certain that is a highly lucrative market,
>> for Free Software developers it tends to be anathema.

Since SPDX is a specification I assume you are referring to tool support. I understand your concerns here. Additional tool support is a place where SPDX could benefit.

>> For example, while SPDX looks great, it's not widely adopted.

Although the jury is still out on SPDX, it is progressing through the typical stages of technology adoption as described in Geoffrey Moore’s entrepreneurial bible: “Crossing the Chasm”. At Wind River we see early adopter participation rapidly increasing. We have seen a tripling in customer usage over the past 12 months which includes traffic to our free SPDX file generation website (spdx.windriver.com). Similarly, PDF too got off to a slow start, yet triumphed in the end.

>> and feels a bit like a solution looking for a problem.

Wind River’s adoption was heavily driven by a mission critical problem we faced. Wind River offers a Linux Distro kit consisting of more than 1000 software packages plus a kernel. In the beginning, customers demanded contractually that we deliver “complete” licensing information using their “customized” format. This was a nightmare. We were required to rummage through millions of source files to grab the specified licensing information to be put into the customer’s “custom” format. After we performed this task it was repeated by other organizations downstream in the supply chain. We understood this cost could be significantly mitigated if there was a commonly accepted file format we could use to record and exchange licensing information. SPDX directly solved this problem. We also utilize SPDX data in our internal compliance program.

Thanks very much for this email. Puts SPDX into the right perspective for me. I've sort of viewed it from a software engineer's view as this thing I have to add not knowing really why. If it does provide a software Bill of Materials that can effectively provide assurance in the supply chain then clearly it's a solution to a very real problem.

Regards,

Jeremiah