SPDX https://spdx.dev Linux Foundation Projects Site

SPDX 3.1 Ontology and Schema Available for Review https://spdx.dev/spdx-3-1-ontology-and-schema-available-for-review/ Mon, 26 Jan 2026 14:36:38 +0000 https://spdx.dev/?p=2751

The first release candidate for SPDX specification version 3.1 is now available.

The SPDX 3.1 model expands beyond software to include safety, service, hardware, supply chain, and operations.

Please note that this release candidate is intended for testing and validation; some features may be modified or reverted before the final stable release.

SPDX specification v3.1-RC1

https://spdx.github.io/spdx-spec/v3.1-RC1/

Model changelog & deprecation info

https://github.com/spdx/spdx-3-model/blob/develop/CHANGELOG.md

Note that the official URLs for the ontology and the schema at https://spdx.org are not available yet for SPDX 3.1-RC1. In the meantime, for testing and validation purposes, these resources can be used instead:

OWL ontology

https://spdx.github.io/spdx-spec/3.1-RC1/rdf/spdx-model.ttl

JSON-LD context file

https://spdx.github.io/spdx-spec/3.1-RC1/rdf/spdx-context.jsonld

JSON Schema

https://spdx.github.io/spdx-spec/3.1-RC1/rdf/schema.json

We would like to thank all the contributors who made this 3.1-RC1 possible.

Detailed changes, including the list of contributors, can be found in the respective release notes here:

SPDX spec repository:

https://github.com/spdx/spdx-spec/releases/tag/v3.1-RC1

SPDX 3 model repository:

https://github.com/spdx/spdx-3-model/releases/tag/3.1-rc1

If you encounter any issues or have questions, please submit an issue to the relevant GitHub repository.

Python Foundation Adopts SPDX for Software Bill of Materials https://spdx.dev/python-foundation-adopts-spdx-for-software-bill-of-materials/ Thu, 30 Oct 2025 16:40:58 +0000 https://spdx.dev/?p=2716

The Python Software Foundation has taken a significant step forward in software supply chain transparency by including SPDX-format Software Bills of Materials (SBOMs) with their official Python releases.
Starting with Python 3.14, released earlier this week, every distribution package on the official download page now includes an accompanying SPDX SBOM. These machine-readable documents inventory the software components in each package, including cryptographic checksums that consumers can use to verify the artifacts they download.
While the current implementation uses SPDX v2.3 format and focuses primarily on component identification and integrity verification through checksums, this represents an important milestone for both the Python ecosystem and the broader adoption of SPDX standards.
“This is a huge win for supply chain security and transparency,” said SPDX Steering Committee Chair Rose Judge. “By providing standardized SBOMs in SPDX format, Python is making it easier for organizations to understand and verify what’s included in their software dependencies.”
The inclusion of SPDX SBOMs with one of the world’s most popular programming languages demonstrates the growing industry recognition of SPDX as the standard format for software bill of materials. This move will likely encourage other major open source projects to follow suit.
The SPDX SBOMs are available alongside software distribution formats, including source archives (.tar.gz and .tar.xz) and platform-specific installers for Windows, macOS, and Android systems.
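The checksums mentioned above are what make a release SBOM useful for integrity verification rather than just inventory. As an added illustration, and not code from the Python Software Foundation or the SPDX project, the following standard-library Python builds a constructed SPDX 2.3 JSON document in the shape a release SBOM takes, verifies a sample artifact against the SHA-256 the document declares for the package it DESCRIBES (weak digests such as MD5 are recorded but never trusted), and checks that every relationship refers to an element the document actually defines. Package names, versions, URLs and timestamps are made up for the example; a real SBOM ships with its checksums already filled in.

```python
"""Verify a downloaded release artifact against the checksums in its SPDX 2.3
JSON SBOM, and check that the SBOM's relationship graph is internally consistent.
Constructed example using only the standard library."""
import hashlib
import json

# SPDX algorithm names we trust for integrity verification. SPDX 2.3 also
# allows MD5 and SHA1; they are reported as ignored, never as proof of integrity.
_TRUSTED = {"SHA256": hashlib.sha256, "SHA384": hashlib.sha384, "SHA512": hashlib.sha512}


def build_sample_sbom(artifact_name: str, artifact: bytes) -> str:
    """Constructed SPDX 2.3 JSON text; NOT a real python.org SBOM. A shipped SBOM
    carries the checksum already; here it is derived from the sample bytes so the
    example runs offline (and so tampering with those bytes is detectable)."""
    doc = {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": artifact_name,
        "documentNamespace": "https://example.invalid/spdx/" + artifact_name,  # assumed
        "creationInfo": {"created": "2025-10-07T00:00:00Z",  # constructed
                         "creators": ["Tool: example-generator"]},  # constructed
        "packages": [
            {"SPDXID": "SPDXRef-cpython", "name": "CPython", "versionInfo": "3.14.0",
             "downloadLocation": "https://www.python.org/ftp/python/3.14.0/" + artifact_name,  # assumed
             "filesAnalyzed": False,
             "checksums": [
                 {"algorithm": "MD5", "checksumValue": hashlib.md5(artifact).hexdigest()},
                 {"algorithm": "SHA256", "checksumValue": hashlib.sha256(artifact).hexdigest()}]},
            {"SPDXID": "SPDXRef-libexample", "name": "libexample", "versionInfo": "1.2.3",  # constructed
             "downloadLocation": "NOASSERTION", "filesAnalyzed": False, "checksums": []},
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-cpython",
             "relationshipType": "DESCRIBES"},
            {"spdxElementId": "SPDXRef-cpython", "relatedSpdxElement": "SPDXRef-libexample",
             "relationshipType": "CONTAINS"},
        ],
    }
    return json.dumps(doc, indent=2)


def check_references(sbom: dict) -> list[str]:
    """Problems with the relationship graph: dangling SPDXIDs, no DESCRIBES."""
    known = {sbom["SPDXID"]}
    known |= {e["SPDXID"] for e in sbom.get("packages", []) + sbom.get("files", [])}
    problems, describes = [], False
    for rel in sbom.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[key]
            # External document references and the NONE/NOASSERTION sentinels are legal.
            if ref not in known and not ref.startswith("DocumentRef-") and ref not in ("NONE", "NOASSERTION"):
                problems.append(f"dangling {ref} in {rel['relationshipType']}")
        if rel["spdxElementId"] == sbom["SPDXID"] and rel["relationshipType"] == "DESCRIBES":
            describes = True
    if not describes:
        problems.append("document DESCRIBES nothing")
    return problems


def verify_artifact(sbom_json: str, artifact: bytes) -> dict:
    """Verify `artifact` against every trusted checksum of the package the document
    DESCRIBES. ok is True only if at least one trusted digest matched and none mismatched."""
    sbom = json.loads(sbom_json)
    result = {"ok": False, "package": None, "matched": [], "mismatched": [], "ignored": [], "problems": []}
    if sbom.get("spdxVersion") != "SPDX-2.3":
        result["problems"].append(f"unsupported spdxVersion {sbom.get('spdxVersion')!r}")
        return result
    result["problems"] = check_references(sbom)
    if result["problems"]:
        return result  # do not trust checksums from a document whose graph is broken
    targets = [r["relatedSpdxElement"] for r in sbom["relationships"]
               if r["spdxElementId"] == sbom["SPDXID"] and r["relationshipType"] == "DESCRIBES"]
    packages = {p["SPDXID"]: p for p in sbom.get("packages", [])}
    pkg = packages.get(targets[0])
    if pkg is None:
        result["problems"].append(f"DESCRIBES target {targets[0]} is not a package")
        return result
    result["package"] = pkg["SPDXID"]
    for c in pkg.get("checksums", []):
        algo = c["algorithm"]
        ctor = _TRUSTED.get(algo)
        if ctor is None:
            result["ignored"].append(algo)
            continue
        bucket = "matched" if ctor(artifact).hexdigest() == c["checksumValue"].lower() else "mismatched"
        result[bucket].append(algo)
    result["ok"] = bool(result["matched"]) and not result["mismatched"]
    if not result["matched"] and not result["mismatched"]:
        result["problems"].append("no trusted checksum declared")
    return result


if __name__ == "__main__":
    tarball = b"constructed stand-in for Python-3.14.0.tgz\n"
    sbom = build_sample_sbom("Python-3.14.0.tgz", tarball)
    print(verify_artifact(sbom, tarball))                # ok: True, matched SHA256, ignored MD5
    print(verify_artifact(sbom, tarball + b"tampered"))  # ok: False, SHA256 mismatched
```

Two design choices worth noting: a document whose relationships point at undefined SPDXIDs is rejected before any checksum is consulted, because an SBOM that is internally inconsistent is not something to derive trust from, and a package that declares only MD5 or SHA1 yields ok: False with "no trusted checksum declared" rather than a silent pass.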
SPDX Responds to CISA Minimum Elements RFC https://spdx.dev/spdx-responds-to-cisa-minimum-elements-rfc/ Fri, 03 Oct 2025 11:37:05 +0000 https://spdx.dev/?p=2708

About a month ago, CISA requested industry and community comment on a proposed new minimum set of SBOM elements to replace the original NTIA list. Few people on the planet have thought as much about what belongs in an SBOM as the SPDX tech team, which took up the discussion. With input from the team and others, Kate Stewart, Rose Judge, Gary O’Neall, Steve Winslow and Arthit Suriyawongkul did the heavy lifting of authoring the SPDX response.

SPDX Project Feedback for CISA SBOM Minimum Elements RFC

CISA Considering New Set of Minimum Elements https://spdx.dev/cisa-considering-new-set-of-minimum-elements/ Fri, 19 Sep 2025 19:37:27 +0000 https://spdx.dev/?p=2705

CISA has requested comment on a new set of minimum elements for SBOMs (on top of the original NTIA set). This short announcement describes the process:

https://www.cisa.gov/news-events/alerts/2025/08/22/cisa-requests-public-comment-updated-guidance-software-bill-materials

The SPDX Tech Team will be responding to the request for comments and will report back to the SPDX community.

SBOM Vision https://spdx.dev/sbom-vision/ Wed, 17 Sep 2025 12:00:54 +0000 https://spdx.dev/?p=2697

In collaboration with NSA and a number of foreign cybersecurity agencies, CISA just published this easily consumable SBOM vision document.

https://www.cisa.gov/sites/default/files/2025-09/joint-guidance-a-shared-vision-of-software-bill-of-materials-for-cybersecurity_508c.pdf

A Guide to the GitHub SPDX Repo https://spdx.dev/a-guide-to-the-github-spdx-repo/ Tue, 29 Jul 2025 11:54:22 +0000 https://spdx.dev/?p=2643

We just published a readme file at the top level of the repository that provides a great overview of the contents and where to find what.

https://github.com/spdx

Kudos for Yocto support of SPDX SBOMs https://spdx.dev/kudos-for-yocto-support-of-spdx-sboms/ Wed, 05 Mar 2025 12:46:55 +0000 https://spdx.dev/?p=2594

Check out this posting and the accompanying article that give a shout out to the Yocto SBOM work that Joshua Watt briefed us on at the last General Meeting.

https://www.linkedin.com/posts/vpetersson_im-excited-by-yoctos-sbom-capabilities-activity-7298791001526063106-qqsc/#?lipi=urn%3Ali%3Apage%3Ad_flagship3_detail_base%3Brv%2FCdMTgS36PFZd4RZTQPg%3D%3D

https://sbomify.com/2025/02/21/mastering-sbom-generation-with-yocto/

SPDX Podcast https://spdx.dev/spdx-podcast/ Mon, 27 Jan 2025 19:19:47 +0000 https://spdx.dev/?p=2579

New podcast episode of Nerding Out with Viktor is now live! In Viktor’s words:

I spoke with Kate Stewart from the Linux Foundation and Gary O’Neall about the evolution of SPDX and its role in software transparency. We covered how SPDX grew from a license compliance tool into a framework for addressing SBOMs, security, and regulatory needs.
This episode dives into real-world challenges like circular dependencies, integrating SBOMs into build systems, and meeting safety-critical system requirements with SPDX 3.0.
If you’re tackling compliance, security, or supply chain transparency, don’t miss this.

Implementing an AI BOM https://spdx.dev/implementing-an-ai-bom/ Wed, 13 Nov 2024 19:13:06 +0000 https://spdx.dev/?p=2555

As global regulations on AI software tighten, developers face a complex set of new, ambiguous rules. The AI Software Bill of Materials (AI BOM), especially the new SPDX 3.0 with its AI and dataset profiles, offers a promising solution for compliance, providing detailed, machine-readable documentation of AI systems. Despite its benefits, AI BOM adoption has been slow, hindered by gaps in developer knowledge and the complex nature of AI systems. Many AI BOMs are incomplete or inaccurate, limiting their utility for compliance. A new Linux Foundation Research white paper discusses these issues, drawing on industry experts’ experience with SPDX 3.0 and AI BOM implementation.

The paper shares best practices and strategies to improve AI BOM accuracy and utility, equipping professionals with the insights to ensure their AI applications are compliant and prepared for future regulations. Anyone interested in creating a comprehensive AI and Dataset Bill of Materials can learn more by reading “Implementing AI Bill of Materials (AI BOM) with SPDX 3.0”.

SBOM Adoption Paper https://spdx.dev/sbom-adoption-paper/ Wed, 04 Sep 2024 11:00:45 +0000 https://spdx.dev/?p=2492

Check out this great new Linux Foundation paper on implementing SBOMs and how they help with license compliance and application security. Author Ibrahim Haddad provides great insights into this important topic. SPDX is prominently featured.
