2019-06-19 OSR WG Meeting Notes

Meeting minutes status: Approved (on 2019/07/24)

Date/Time

6/19/2019 10AM EST

Attendees

Name | Organization | Github ID
Aaron Williamson | FINOS | copiesofcopies
Rob Underwood | FINOS | brooklynrob
Aitana Myohl | FINOS |
Kate Stewart | Linux Foundation |
Brian Ingenito | Morgan Stanley |
Bruna Lucena | Itaú |
Sally Ellard | Deutsche Bank |
Colin Eberhardt (He/Him) | Scott Logic |
Gary O'Neall | Linux Foundation |
Gilles Gravier | Wipro |
Aaron Griswold | FINOS |
Jim Jagielski | |
Katrina Novakovic | Red Hat |
Reza Alavi | Wipro |
Vanessa Fernandes | Itaú |

Agenda

Time | Item | Who | Notes from the Meeting
5 min | Convene & roll call | |
50 min | The Linux Foundation Software Package Data Exchange (SPDX) Project & The Linux Foundation Automated Compliance Tooling (ACT) Project | Gary O'Neall (Source Auditor), Kate Stewart (Linux Foundation) |
5 min | Any other business & adjournment | |

Abstract: Any organization which utilizes open source software needs to comply with the open source license terms and the specific security policies of their industry. To satisfy the basic requirement of knowing the specific open source packages included in the software, several tools have been produced which create or manage a software "Bill of Materials". The Software Package Data Exchange (SPDX) defines a standard format for a Bill of Materials which can facilitate harmonious integration of multiple tools.

The first part of this talk will discuss the current state of SPDX, the compliance tooling landscape, and the SPDX tools used to support compliance. The second part of this talk will discuss ACT, an Umbrella Project sponsored by the Linux Foundation to provide support to open source compliance tooling being able to share data between different tools.

Bio: Gary is a contributor to the Software Package Data Exchange® (SPDX™), a standard format for communicating the components, licenses and copyrights associated with a software package. He has contributed several open source tools which can be found at https://github.com/spdx/tools.

Gary is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open source software. Prior to Source Auditor, Gary was CTO for Placeware Inc. (acquired by Microsoft in 2003), General Manager for Electronic Commerce at Hewlett Packard and R&D Manager for the Financial Services Business Unit at Hewlett Packard.
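The abstract's point is that a standard Bill of Materials format lets one tool's output become another tool's input. The script below is an added illustration, not code from these minutes, from the SPDX project or from ACT: it parses a small SPDX 2.2 tag-value document of the kind a scanner would emit and runs a license allowlist check over it, the way a downstream compliance tool would. The tag names (SPDXVersion, PackageName, PackageLicenseConcluded, Relationship, and so on) and the license identifiers (MIT, Apache-2.0, GPL-3.0-only) are real SPDX ones; the document contents, the scanner name, the package names and the allowlist are constructed assumptions for the example.

```python
"""Consume an SPDX tag-value SBOM and check each package's license against a policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed SPDX 2.2 tag-value document (assumed input, not a real project's SBOM).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.invalid/spdx/example-app-sbom
Creator: Tool: hypothetical-scanner-1.0
Created: 2019-06-19T14:00:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-app
PackageVersion: 1.0.0
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.3.1
PackageLicenseConcluded: (MIT OR GPL-3.0-only)
PackageLicenseDeclared: NOASSERTION

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 0.9.0
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: GPL-3.0-only

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-app
Relationship: SPDXRef-Package-app DEPENDS_ON SPDXRef-Package-libfoo
Relationship: SPDXRef-Package-app DEPENDS_ON SPDXRef-Package-libbar
"""

# Policy assumed for the example: licenses accepted without manual review.
DEFAULT_ALLOWLIST: Set[str] = {"MIT", "Apache-2.0", "BSD-3-Clause"}
UNKNOWN = ("NOASSERTION", "NONE", "")


@dataclass
class Package:
    spdx_id: str
    name: str
    version: str
    license_concluded: str
    license_declared: str


def _to_package(fields: Dict[str, str]) -> Package:
    return Package(
        spdx_id=fields.get("SPDXID", ""),
        name=fields["PackageName"],
        version=fields.get("PackageVersion", ""),
        license_concluded=fields.get("PackageLicenseConcluded", "NOASSERTION"),
        license_declared=fields.get("PackageLicenseDeclared", "NOASSERTION"),
    )


def parse_spdx_tag_value(text: str) -> List[Package]:
    """Collect package sections: each 'PackageName:' opens a new package, tags before
    the first one are document header and are skipped. Single-line values only."""
    packages: List[Package] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        if tag == "PackageName":
            if current is not None:
                packages.append(_to_package(current))
            current = {}
        if current is not None:
            current[tag] = value
    if current is not None:
        packages.append(_to_package(current))
    return packages


def license_allowed(expression: str, allowlist: Set[str]) -> bool:
    """Flat SPDX expression check: 'A OR B' passes if either does, 'A AND B' needs both.
    Nested parentheses and 'WITH' exceptions are out of scope for this example."""
    flat = expression.replace("(", " ").replace(")", " ").strip()
    for alternative in re.split(r"\s+OR\s+", flat):
        ids = [i for i in re.split(r"\s+AND\s+", alternative.strip()) if i]
        if ids and all(i in allowlist for i in ids):
            return True
    return False


def effective_license(pkg: Package) -> str:
    """Prefer the auditor's concluded license; fall back to what the package declares."""
    return pkg.license_concluded if pkg.license_concluded not in UNKNOWN else pkg.license_declared


def check_policy(packages: List[Package], allowlist: Set[str]) -> List[str]:
    """One finding per package whose license is unknown or outside the allowlist."""
    findings: List[str] = []
    for pkg in packages:
        lic = effective_license(pkg)
        label = f"{pkg.spdx_id} ({pkg.name} {pkg.version})"
        if lic in UNKNOWN:
            findings.append(f"{label}: license unknown, needs manual review")
        elif not license_allowed(lic, allowlist):
            findings.append(f"{label}: license '{lic}' not in allowlist")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_spdx_tag_value(SAMPLE_SPDX), DEFAULT_ALLOWLIST):
        print(finding)
```

Run as-is, the check reports only libbar: its concluded license is NOASSERTION, so the declared GPL-3.0-only is used and rejected, while libfoo's disjunctive expression passes because MIT is one of its alternatives. A NOASSERTION in both fields is surfaced as a separate "unknown" finding rather than silently passing, which is the failure mode a policy check most needs to avoid.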



Decisions Made

N/A

Action Items

N/A

Content on this page is licensed under the CC BY 4.0 license.
Code on this page is licensed under the Apache 2.0 license.