Following our announcements at Open Source Summit North America last month <https://www.linuxfoundation.org/press/spdx-3-revolutionizes-software-management-in-systems-with-enhanced-functionality-and-streamlined-use-cases#:~:text=SEATTLE%2C%20Washington%20%E2%80%93%20APRIL%2016%2C,Materials%20(SBOM)%20communication%20format.>, we’re pleased to announce that SPDX 3.0 Specification is now available at: https://spdx.github.io/spdx-spec/v3.0/.
This release of SPDX extends the specification to handle a wider array of system use cases, and brings the ability to have common underpinnings across different domains with the introduction of a simplified core profile. SPDX profiles enable a subset of information tailored for the most popular use cases, including security, software build attestation, licensing, AI model training and characterization, data set provenance, and more. This new addition improves the way SPDX is utilized, ensuring that it remains versatile and scalable across a wide spectrum of system scenarios. With the improved and flexible model of core and profiles, SPDX can scale to track products, services and AI data systems with a large amount of metadata. All the existing prior SPDX use cases continue to remain supported by the specification, with updated syntax in some cases.
The 3.0 release reflects the efforts of hundreds of contributors, commenters and participants over the past five years. We’ve incorporated feedback from across widely varying communities to establish the framework for a system bill of materials format that can meet evolving use cases, based entirely on open source, open data and open standards principles.
As part of our efforts to ensure interoperability and buy-in from the broader community, in collaboration with the Object Management Group (OMG) <https://www.omg.org>, the SPDX 3.0 data model has also gone through the formal review process with the OMG Architectural Board <https://www.omg.org/about/ab.htm>, and has been approved by them.
Additionally, in connection with the SPDX project’s use of the Community Specification License 1.0 <https://github.com/spdx/governance/blob/main/1._Community_Specification_License-v1.md> (Community-Spec-1.0) for the new 3.0 release, this email serves as formal notice under the SPDX project’s governance process <https://github.com/spdx/governance/blob/main/5._Governance.md> that the release is a candidate for "Approved Specification" status under Community-Spec-1.0. This also confirms the start of the formal two-week Review Period as described in the governance process. Any issues to be raised should be reported in the SPDX specification repository at https://github.com/spdx/spdx-spec, as per the governance process. Following the completion of the Review Period, we will follow up to the general mailing list to confirm final progression to “Approved Specification” status.
If you’re interested in implementing the 3.0 specification, please feel free to join the SPDX implementers’ working group call <https://github.com/spdx/meetings#implementers-group-meetings>. For those who are interested in helping to evolve the SPDX specification further, and if you have new use cases for the community to consider incorporating into future versions of SPDX, please feel free to join the Tech Team call <https://github.com/spdx/meetings#tech-team-meetings> and mailing list <https://lists.spdx.org/g/Spdx-tech>.
Many thanks to the entire SPDX community for helping us to achieve this milestone!
Kate and Gary, on behalf of the SPDX Tech Team
