Our sister conference, SBOM FOCUS, is looking for speakers and sponsors. Registration will open soon!
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
Finally completed v1 of spdxconv.
spdxconv is a program to convert existing licenses and copyrights into #SPDX identifiers or insert new ones. This program works in tandem with #reuse software.
Features:
* REUSE Integration: Detects annotations from REUSE.toml.
* Customizable Defaults: Set default license identifiers and copyright holders.
* Smart Comments: Customizable patterns to set comment syntax ...
See https://git.sr.ht/~shulhan/spdxconv/ for more information.
PEP 770 was accepted in April of this year; what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packages
Read more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming
https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview
"The data may be serialized in a variety of formats for storage and transmission."
"Canonical serialization is in JSON format"+ extra conditions.
Is it just me, or is that really, really stupid?
How hard do you have to miss the point of defining a standard, when the output data needs further specification?
Needlessly too.
"No line breaks"
Your (standard) parser can't handle line breaks or what?!?
The next #Kiberpipa meetup will be
on Thursday, 11.12. at 17:00
at @muzej, namely:
• first, @hook will lead a workshop on #REUSE best practices for marking your own source code with #SPDX standard tags for authorship and licences. (bring your own code)
• then @franga2000 and anze@treehouse.systems will present how the Access to Public Information Act (Zakon o dostopu do javnih informacij, #ZDIJZ) works in practice.
https://dogodki.kompot.si/events/ee116191-fe3f-4b1f-89bd-3b0ff8d1f46e
more info and sign up ☝️
The SPDX community is now creating a new list — similar to the SPDX License List — but focused on cryptographic algorithms. This post shares how this effort started, its current status, the next steps, and a final call for participation.
http://toscalix.com/2025/10/14/introducing-the-spdx-cryptographic-algorithm-list-a-personal-view/
#spdx #sbom #cyclonedx #cryptography #algorithm #linuxfoundation
We have now updated our packaging tutorial to include PEP 639, which enables SPDX-compliant licensing: https://python-basics-tutorial.readthedocs.io/en/latest/packs/distribution.html#license-expression
#Python #Packaging #SPDX #Licensing
One Open-source Project Daily
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
https://github.com/anchore/syft
#1ospd #opensource #containers #cyclonedx #docker #go #golang #hacktoberfest #oci #sbom #spdx #staticanalysis #tool
The future of the software supply chain is transparent, standardised, and automated.
✅ SBOM: Lists what’s in your software
✅ SPDX: Structures it for instant clarity
✅ SCA Tool: Keeps it up-to-date without the headaches
Learn why modern suppliers can’t afford to skip either:
https://scatool.com/resources/sbom-management-explained/sbom-spdx-why-suppliers-need-both/
New #SPDX license list has been released https://github.com/spdx/license-list-XML/releases/tag/v3.27.0 As usual, many of them were added thanks to the #Fedora license review process — many thanks to all participants.
"It's more than just software now, it really is a system"—the insight driving the biggest evolution in supply chain security since SBOMs were invented.
Why SPDX 3.0 redesigned everything around system-level thinking:
🔗 https://anchore.com/blog/spdx-3-0-from-software-inventory-to-system-risk-orchestration/
You can't secure what you can't see—and traditional SBOMs can't see the connections where tomorrow's vulnerabilities hide.
How SPDX 3.0 transforms software inventory into system risk orchestration 👇
🔗 https://anchore.com/blog/spdx-3-0-from-software-inventory-to-system-risk-orchestration/
Today I found a tool for checking open source licenses 🔥
📜 **feluda** — Detect license usage restrictions in your project.
💯 Supports Rust, TS, JS, Go, Python & more!
🦀 Written in Rust & built with @ratatui_rs
⭐ GitHub: https://github.com/anistark/feluda
#rustlang #ratatui #tui #license #spdx #opensource #checking #terminal #commandline
It was a busy week in the Syft ecosystem! We merged fixes for #SPDX package filtering, resolved some tricky upstream package issues, and improved how we handle database errors. All to give you a more reliable SBOM. 💪 https://anchorecommunity.discourse.group/t/anchore-open-source-weekly-report-week-24-2025/457
#SBOM #OpenSource #BugFix
The most successful standards start by doing almost nothing.
HTTP in 1991: Just GET requests
HTTP today: Powers the entire internet
SBOMs in 2024: "Barely valid"
SBOMs in 2030: ?
Sometimes "useless" is a strategy.
https://anchore.com/blog/the-sbom-paradox-why-useless-today-means-essential-tomorrow/
"The Microsoft #opensource #SBOM Tool now supports #SPDX 3.0!"
https://www.linkedin.com/posts/adriandiglio_github-microsoftsbom-tool-the-sbom-tool-activity-7328078596596469760-za87 #cybersecurity
The #LinuxFoundation will mentor 21 contributors in the Google Summer of Code 2025!! #GSoC
Despite having lined up many more proposals than last year we got the same amount of slots.
11 for #OpenPrinting, 3 for #AGL (Automotive Grade Linux), 2 for each of #SPDX and #IIO (Industrial I/O), and 1 for each of #SOF (Sound Open Firmware), #Zephyr, and #KWorkflow.
See Google's announcements of the projects:
https://summerofcode.withgoogle.com/programs/2025/organizations/the-linux-foundation