The Software Package Data Exchange (SPDX) specification, designed to ease tracking, communication, and compliance of provenance, licence, security, and other supply chain matters, has been formally published by ISO/IEC JTC 1 as the ISO/IEC 5962:2021 standard.

“SPDX plays an important role in building more trust and transparency in how software is created, distributed, and consumed throughout supply chains,” says Jim Zemlin, executive director at the Linux Foundation. “The transition from a de-facto industry standard to a formal ISO/IEC JTC 1 standard positions SPDX for dramatically increased adoption in the global arena. SPDX is now perfectly positioned to support international requirements for software security and integrity across the supply chain.”

“As new use cases have emerged in the software supply chain over the last decade, the SPDX community has demonstrated its ability to evolve and extend the standard to meet the latest requirements,” adds Kate Stewart, SPDX tech team co-lead. “This really represents the power of collaboration on work that benefits all industries. SPDX will continue to evolve with open community input, and we invite everyone, including those with new use cases, to participate in SPDX’s evolution and securing the software supply chain.”

AB Open’s Andrew Back was one of the original contributors to SPDX 1.0, while representing then-employer British Telecom (BT) at the Linux Foundation. “It’s heartening to see SPDX adopted as an official, internationally-recognised open standard,” he says. “With open source increasingly recognised as a vital underpinning to modern society, as in the European Commission’s recent report, having the backing of ISO/IEC JTC 1 will help open source break down new barriers where proprietary lock-in has previously been the order of the day.”

The standard is available on the ISO website now, though at a charge of CHF198 (around £156); the latest version is also available for free on the project’s GitHub repository, where it is developed in the open under the permissive Creative Commons Attribution 3.0 Unported licence.