This is the third article in a series about Software Hash ID (SWHID), the intrinsic software identifier. This article can be read on its own, but it is better if you read the series in order. The first article introduces SWHID, and the second explains its syntax and how to compare software with it.
SWHID is an open ISO standard with open governance and free access to its specification. It includes a reference implementation and several tools that developers can use or extend. The community is open, and anyone can join the discussion to help shape the next version of the standard.
Open Standard
SWHID became an ISO standard in 2025 ( ISO/IEC 18670:2005 ). It is an open standard, and its public specification is free to access. The specification is published under the Community Specification 1. 0 license. This license was created and is maintained by the Joint Development Foundation, an organization that supports open technology collaboration.
As an open standard, SWHID follows an open governance model. The governance rules and processes are public, just like the specification. They are available on the SWHID website. The main governance body is the SWHID Core Team, which is a small working group. There is also a group of Maintainers who help manage the specification.
The specification is developed in a Git repository. This allows anyone to follow the work and contribute. The governance model is simple today and will evolve as the standard grows.
Reference Implementation
Like any open standard, SWHID has a reference implementation, called swhid-rs. The project provides a test suite to check conformance with the standard.
The tool is written in Rust and released under the MIT license. This makes it easy for developers to use it as a reference or include it in their own tools. You can install it using pre-built packages or with Cargo:
cargo install swhid (add--features git for VCS commands)
I extracted this image from software Heritage images gallery. It summarises how you can use swhid-rs
There are also other open source implementations in different programming languages. These tools offer different features. You can even build your own implementation. If it is useful, you can add it to the official SWHID website through a simple process.
Join the Conversation
Work has already started on version 2 of the SWHID standard. The discussion takes place in the public mailing list. This is the main place where ideas are shared and decisions are discussed.
You can join the mailing list to stay informed and take part in the conversation. Before participating, it is a good idea to read the Code of Conduct. If you are new, the FAQ is also a good place to start.
What’s Next
The next articles in this series will focus on real use cases where SWHID plays an important role. Stay tuned!
- What is the Best Way to Identify Software? Introducing SWHID: Introduces SWHID and explains why precise identification of software is becoming essential in the context of software supply chains and emerging regulations.
- Description of SWHID: Syntax: Describes the syntax of SWHID and shows how it enables reliable comparison between software artifacts.
- SWHID Is An Open Standard, Governed Under Open Governance: Explains how SWHID is governed as an open standard and introduces swhid-rs, its reference implementation.
- SWHID and pURL: Explains the similarities and differences between SWHID and pURL, the most popular software identifier.
- SWHID in Practice: SBOM Verification, CRA Compliance, and Traceability Use Cases. Information about use cases.
toscalix 
4 thoughts on “SWHID is an open standard, governed under open governance”