SW Bill of Materials, SPDX
We need to support industry efforts to automate discovery of all the software contained in an open source project. The drivers include both compliance with open source licensing and discovery of known vulnerable components.
SPDX is now the leading proposed solution, and was recently standardized by ISO. We are going to implement this using https://reuse.software (selected by sweng) to support, initially, license discovery.
The process will require updating every file:
- either use reuse addheader (as briefly documented in doc/dev/copyright);
- or add a record to .reuse/dep5. There are already entries for ISC MPL-2.0, ISC CC0-1.0 and FSF (libtool files), as well as many other licenses.
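As an added example (not part of the REUSE tool or of this project's tree), the following POSIX shell helper lists the files under a directory whose first lines carry no SPDX-License-Identifier tag, i.e. the files that still need either a reuse addheader pass or a stanza in .reuse/dep5; the demo tree it builds is constructed for illustration, and `reuse lint` remains the authoritative check.

```shell
#!/bin/sh
# missing_spdx_headers DIR: print, one per line, every regular file under DIR
# (skipping .git/ and .reuse/, which hold metadata rather than sources) whose
# first 20 lines contain no SPDX-License-Identifier tag. These are the files
# that still need a header (reuse addheader) or a .reuse/dep5 stanza.
missing_spdx_headers() {
    dir=$1
    find "$dir" -path '*/.git' -prune -o -path '*/.reuse' -prune -o -type f -print |
    while IFS= read -r f; do
        if ! head -n 20 "$f" | grep -q 'SPDX-License-Identifier:'; then
            printf '%s\n' "$f"
        fi
    done
}

# count_missing DIR: number of untagged files, usable as a CI gate
# (non-zero means the tree is not yet fully covered).
count_missing() {
    missing_spdx_headers "$1" | wc -l | tr -d ' '
}

# demo_tree: build a constructed sample tree and print its path.
# lib/tagged.c carries a tag, lib/untagged.c does not, and .reuse/dep5 is a
# placeholder stanza (hypothetical copyright holder) that must not be reported.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib" "$tmp/.reuse"
    printf '/* SPDX-License-Identifier: MPL-2.0 */\nint x;\n' > "$tmp/lib/tagged.c"
    printf 'int y;\n' > "$tmp/lib/untagged.c"
    printf 'Files: lib/*\nCopyright: EXAMPLE-HOLDER\nLicense: MPL-2.0\n' > "$tmp/.reuse/dep5"
    printf '%s\n' "$tmp"
}

# Usage: missing_spdx_headers /path/to/checkout
```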