Re: Clarification on purpose and participation

Kim Weins

Hi Karim

Thanks so much for your interest and sorry for the slow response!

All of the questions that you have asked are exactly on track with our next
steps for SPDX. Now that we have a v1 of the SPDX spec, we want to start to
create tools that will help developers that create or use OSS to better
generate SPDX files.

Their are several commercial tools that do this, but we also feel that open
source tools will be critical. Today there are a couple of OSS tools that
can help find and identify open source licenses. One is FOSSology (created
and maintained by HP) which is available at They are also
hosting it at OSU's Open Source Lab. Another is ninka ( which was created by Daniel German. I've
cc'd Daniel -- since you may want to talk to him about some of his
experience doing this. I don't believe FOSSology or Ninka will generate an
SPDX file (yet). We also have some free OSS tools on the site that
can help you convert a software bill of materials from spreadsheet form into
SPDX format. However that assumes you already have the info about what open
source licenses are included.

We are also looking to create additional tools/toolkits that can be used,
and would love help in that process.

If you are interested in participating, we have three workstreams --
technical, legal and business. Each group holds regular open calls to
discuss issues. You can find more details on the participate section of

Also, you can sign up for the mailing lists and participate that way as


On Fri 8/26/11 3:57 PM, "Karim Ratib" <karim.ratib@...> wrote:


I just discovered SPDX and after watching the 3-minute video and
reading through the Web site, I am eager to understand more - and
possibly to participate in the effort, in my capacity as a software

I develop web applications using the open source Drupal CMS, and each
implementation typically uses tens, if not hundreds, of contributed
modules. Each module as well as the core system are GPL licensed. I
would like to generate a bill of material for the whole application,
and eventually for the server that hosts the application.

My initial thought is to write a software tool that generates a single
SPDX file based on the Drupal installation's metadata - core version,
installed modules, additional libraries, etc.

Is this what would be expected to comply with the SPDX vision?

As follow-up questions:
- Is there a convention to query Web applications for their SPDX (e.g.
a well-known URI) ?
Nope. Interesting idea thought
- Are there existing tools within Linux distributions to generate SPDX
for installed packages ?
Nope. We want to create some tools though.
- Is there a recommended workflow for generating a comprehensive SPDX
document for a given computer (desktop/server) ?

Sorry of these are naive questions - thanks in advance for taking the
time to enlighten me.

Spdx mailing list

Kim Weins | Senior Vice President, Marketing
Follow me on Twitter @KimAtOpenLogic

650 279 0410 | cell
Follow OpenLogic on Twitter @openlogic

Join to automatically receive all group messages.