License Identification

David Kemp <dk190a@...>


I strongly support Gary's approach of identifying requirements first, then identifying and selecting from technical solutions that meet all requirements.

The requirements are:

* The SPDX legal team must:
  - define criteria for accepting licenses
  - evaluate licenses for conformance with the criteria
  - publish a list of licenses that meet the criteria

* The SPDX technical team must:
  - define SBOM data formats that unambiguously identify licenses applicable to all software of interest in the cybersecurity domain.

Today's discussion presupposes a technical solution, e.g., using namespaces, tying namespaces to DNS names, resolving IP issues related to licenses and namespaces, etc.  Other technical solutions that avoid namespaces are on the table and have not yet been discussed.

* Software licenses that apply only to executables and do not provide for the availability of the source code will not be included on the SPDX License List.

The U.S. Government has an interest in promoting cybersecurity through supply chain assurance, which includes SBOMs for software that is out of scope for SPDX registration (e.g., software for which source code is not available).  The U.S. Government has an interest in promoting efficient SCRM solutions.

Using different technical mechanisms to identify source-available licenses and other licenses is not efficient, and we strongly support the use of a single technical mechanism (a deconflicted unified license identifier list) for use in SBOM files.

(On a related note, we also support registration of a numeric identifier for each license identifier, as ISO 3166 assigns both a number and a text ID to each country.  This is for use in efficient non-human-readable data formats such as Protobuf and CBOR.  referenceNumber is already populated in the license list database but is not visible in the web version.)

David Kemp
NSA Cybersecurity Collaboration Center
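As an added illustration (not part of David Kemp's message or of the SPDX project) of the point about numeric identifiers in compact formats: the code below encodes a license reference as a CBOR text string (the textual SPDX identifier) versus a CBOR unsigned integer (a numeric reference number), using the RFC 8949 head encoding, so the byte-size difference is visible. The reference numbers in the table are constructed for the example and are not the real SPDX referenceNumber values.

```python
"""Compact license identification: textual SPDX identifier vs. numeric reference
number, both encoded as CBOR (RFC 8949). Added example, not SPDX project code."""
from __future__ import annotations
import struct

# Constructed sample table for illustration only; the numbers are NOT the real
# referenceNumber values from the SPDX license list database.
SAMPLE_REFERENCE_NUMBERS = {
    "MIT": 7,
    "Apache-2.0": 42,
    "GPL-3.0-or-later": 300,
    "BSD-3-Clause": 70000,
}

def _cbor_head(major_type: int, value: int) -> bytes:
    """Initial byte (major type in the high 3 bits) plus the minimal-width argument."""
    if value < 0:
        raise ValueError("argument must be non-negative")
    mt = major_type << 5
    if value < 24:
        return bytes([mt | value])          # argument fits in the low 5 bits
    if value < 0x100:
        return bytes([mt | 24]) + struct.pack(">B", value)
    if value < 0x10000:
        return bytes([mt | 25]) + struct.pack(">H", value)
    if value < 0x100000000:
        return bytes([mt | 26]) + struct.pack(">I", value)
    if value < 0x10000000000000000:
        return bytes([mt | 27]) + struct.pack(">Q", value)
    raise ValueError("argument too large for a CBOR integer")

def cbor_uint(value: int) -> bytes:
    """Major type 0: unsigned integer."""
    return _cbor_head(0, value)

def cbor_text(s: str) -> bytes:
    """Major type 3: UTF-8 text string, length in the head followed by the bytes."""
    data = s.encode("utf-8")
    return _cbor_head(3, len(data)) + data

def decode_uint(data: bytes) -> int:
    """Parse a CBOR unsigned integer from the start of data (round-trip check)."""
    if data[0] >> 5 != 0:
        raise ValueError("not a CBOR unsigned integer")
    info = data[0] & 0x1F
    if info < 24:
        return info
    width = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return int.from_bytes(data[1:1 + width], "big")

def size_comparison(license_id: str) -> tuple[int, int]:
    """Bytes needed for the text identifier vs. the numeric reference number."""
    return len(cbor_text(license_id)), len(cbor_uint(SAMPLE_REFERENCE_NUMBERS[license_id]))
```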
