
SPDX 3.0 now supports SBOMs for AI applications


The Linux Foundation’s newly released SPDX 3.0 aims to expand Software Bills of Materials (SBOMs) into a more comprehensive standard that addresses the increasing complexity and security challenges within modern software supply chains. In this episode, Kate Stewart, Vice President of Dependable Embedded Systems at the Linux Foundation, talks about the latest release of Software Package Data Exchange (SPDX), its key features, and how it is helping to address some of the key challenges in the industry. She says, “The challenge we were seeing with the supply chain is that it isn’t just software and hardware anymore, it’s now realistically data.”

SPDX and the challenges it addresses

  • Stewart explains what SPDX is and why it goes beyond an SBOM. She discusses the major challenges the industry is facing and how SPDX is addressing some of these problems.
  • Traditionally, SPDX has been used to handle software and hardware information, but it is now expanding to include data and AI models. Stewart highlights how this is helping with risk analysis.
  • Stewart talks about how SPDX now includes security information and can generate security statements and the benefits of this addition.
  • SPDX has been extended to include hardware and functional safety profiles, which help provide comprehensive metadata for the supply chain.

SPDX 3.0 version and its features

  • Stewart discusses the recent release of SPDX 3.0, which took a couple of years to develop due to rearchitecting the underlying model to accommodate scalability and time-based querying.
  • Stewart explains the plan to maintain SPDX as an international standard while welcoming contributions from the community. The new features like AI and data profiles were based on industry needs and standards.
  • Current efforts are underway to formalize the hardware bill of materials and address export control concerns. Stewart stresses that the goal is to make SPDX adaptable to various supply chain components, not just software.
  • Stewart discusses the ongoing efforts to enhance security in build infrastructure by monitoring and recording vulnerabilities.

SPDX 3.0 version and its roadmap

  • Stewart shares the plans for SPDX, including adding discrete features in subsequent versions on a yearly release cadence. There is a focus on advancing towards safety standards, with prototypes for safety-related tools in progress.
  • Profiles within SPDX such as licensing and SPDX Light will continue to evolve to meet emerging needs.
  • Stewart explains that there is guidance on using SPDX for security purposes within the specification itself to help streamline the adoption process for users.

SPDX profiles and how they help accommodate different use cases

  • Stewart describes how the SPDX profiles work to cater to the different needs within organizations. By enabling different profiles, SPDX can accommodate a range of use cases across the supply chain industry.
  • Stewart explains that the modular approach ensures scalability and helps facilitate the connection of SPDX documents to enhance efficiency and enable better management of dependencies and configurations.

SPDX target audience, use cases, industries, and ecosystem

  • Stewart discusses the target audience for SPDX. Although the focus is on providing tools for technical users, the goal is to facilitate risk analysis for all stakeholders.
  • Risk analysis encompasses assessing software safety, detecting security vulnerabilities, and managing licensing risks. Stewart discusses how SPDX aims to enhance efficiency in responding to these diverse needs.
  • Stewart highlights the different use cases which span across various industries and sectors.
  • Stewart talks about the growing trend of using SPDX for tracking build provenance information and how open-source projects, distros, and package managers are adopting it as the need for safety and transparency grows.
  • Stewart discusses the diverse ecosystem of support for SPDX and the efforts to expand community support for SPDX.

Guest: Kate Stewart (LinkedIn)
Organization: Linux Foundation (Twitter)
Show: Newsroom