The System Package Data Exchange (SPDX), previously known as the Software Package Data Exchange, has evolved with its latest release, SPDX 3.0. Announced at the Open Source Summit North America in Seattle, this update marks a significant enhancement in standardizing metadata in software bills of materials (SBOMs).
SPDX 3.0 extends its scope beyond software, now encompassing all system components including hardware and AI, reflecting its new name: System Package Data Exchange. This broadened application aims to simplify and standardize the identification of components across various platforms.
A core innovation in SPDX 3.0 is the introduction of “SPDX profiles”. Each profile covers a specific need, such as security, licensing, or build information, so that the metadata recorded can be tailored to the use case at hand, whether the subject is an AI model or a cloud service.
Recognizing the crucial role of developers in the adoption of SPDX, platforms like GitHub have integrated SPDX export capabilities into their services. This integration facilitates compliance with regulatory requirements, promoting broader adoption of SPDX.
In the U.S., Executive Order 14028 mandates a formal record similar to an SBOM for software component transparency, positioning SPDX 3.0 as a potential standard for compliance. With its ISO standard status and versatile profiles, SPDX 3.0 is poised to become a leading format in SBOM practices.
SPDX 3.0 represents a major stride in enhancing transparency and standardization in the software supply chain. With robust industry support and regulatory alignment, it is set to shape the future of system component documentation and security practices.