Open Source Summit North America 2017

Having open source tooling that can generate SPDX documents is an important first step in automating detection and summarizing of the license compliance information found in source or binary code. However, how can you tell which tools are able to accurately detect what is actually in the source code? Due to the imprecise nature of the way developers express licenses, there can be a lot of variance. To build up trust in the heuristics used by tools, a curated set of common packages and associated reference set of SPDX documents have been created to provide a starting point for tools to self certify against. This talk will go through the criteria use to select the packages, and provide some preliminary results.