git: 4f9d23a304 - main - Status/2026Q1/sbom.adoc: Add report

From: Lorenzo Salvadore <salvadore_at_FreeBSD.org>
Date: Thu, 16 Apr 2026 16:33:12 UTC
The branch main has been updated by salvadore:

URL: https://cgit.FreeBSD.org/doc/commit/?id=4f9d23a304ceb9e718a44d32e47688c9ccf2eaf2

commit 4f9d23a304ceb9e718a44d32e47688c9ccf2eaf2
Author:     Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
AuthorDate: 2026-04-16 16:25:17 +0000
Commit:     Lorenzo Salvadore <salvadore@FreeBSD.org>
CommitDate: 2026-04-16 16:25:17 +0000

    Status/2026Q1/sbom.adoc: Add report
    
    Reviewed by:    status (Graham Percival <gperciva@tarsnap.com>)
    Differential Revision:  https://reviews.freebsd.org/D56299
---
 .../en/status/report-2026-01-2026-03/sbom.adoc     | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/website/content/en/status/report-2026-01-2026-03/sbom.adoc b/website/content/en/status/report-2026-01-2026-03/sbom.adoc
new file mode 100644
index 0000000000..5226014c67
--- /dev/null
+++ b/website/content/en/status/report-2026-01-2026-03/sbom.adoc
@@ -0,0 +1,37 @@
+=== FreeBSD Software Bill of Materials
+
+Links: +
+link:https://github.com/pkgconf/pkgconf/pull/484[spdxtool: Add parameter for using URI as SPDX id] URL: link:https://github.com/pkgconf/pkgconf/pull/484[] +
+link:https://github.com/pkgconf/pkgconf/pull/483[spdxtool: Add cli parameter for changing SPDX id] URL: link:https://github.com/pkgconf/pkgconf/pull/483[] +
+link:https://github.com/pkgconf/pkgconf/pull/475[spdxtool: spdxtool: Add homepage handling] URL: link:https://github.com/pkgconf/pkgconf/pull/475[] +
+link:https://github.com/pkgconf/pkgconf/pull/474[spdxtool: Add source handling to SBOM] URL: link:https://github.com/pkgconf/pkgconf/pull/474[] +
+link:https://github.com/pkgconf/pkgconf/pull/473[spdxtool: Add support for copyright text] URL: link:https://github.com/pkgconf/pkgconf/pull/473[] +
+link:https://github.com/pkgconf/pkgconf/pull/461[spdxtool: Rework of License-tag SDPX expression evaluation] URL: link:https://github.com/pkgconf/pkgconf/pull/461[] +
+link:https://github.com/pkgconf/pkgconf/pull/450[Add some stricter compiler warnings and overcome new warnings ] URL: link:https://github.com/pkgconf/pkgconf/pull/450[] +
+link:https://github.com/pkgconf/pkgconf/pull/447[libpkgconf/libpkgconf.h: Add printf-like attributes to functions] URL: link:https://github.com/pkgconf/pkgconf/pull/447[] +
+link:https://github.com/pkgconf/pkgconf/pull/446[spdxtool: Update variables that are const to const] URL: link:https://github.com/pkgconf/pkgconf/pull/446[] +
+link:https://github.com/pkgconf/pkgconf/pull/445[man/spdxtool.1: Add man page for spdxtool] URL: link:https://github.com/pkgconf/pkgconf/pull/445[] +
+link:https://cgit.freebsd.org/src/log/?qt=author&q=Tuukka+Pasanen[Added SPDX-License-Identifiers] URL: link:https://cgit.freebsd.org/src/log/?qt=author&q=Tuukka+Pasanen[] +
+link:https://github.com/freebsd/freebsd-src/compare/main...illuusio:freebsd-src:update-spdx-licenses[SPDX-License-Identifiers up-to review and waiting for upstreaming] URL: link:https://github.com/freebsd/freebsd-src/compare/main...illuusio:freebsd-src:update-spdx-licenses[] +
+link:https://reviews.freebsd.org/D55461[Issue open for commenting and review: caesar: Add SPDX-License-Identifier tags] URL: https://reviews.freebsd.org/D55461[] +
+link:https://github.com/illuusio/freebsd-src/tree/sbom-pkgconfig/release/sbom[.pc file for SBOM metadata (WIP)] URL: https://github.com/illuusio/freebsd-src/tree/sbom-pkgconfig/release/sbom
+
+Contact: Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
+
+The FreeBSD Software Bill of Materials (SBOM) project started in 2025 and continued in 2026.
+Work in 2026 has focused more on the EU Cyber Resilience Act (CRA), and the effort has shifted toward delivering a framework for FreeBSD source.
+
+In the first quarter of 2026, SBOM work was delivered in three categories:
+* Pkgconf upstream work, especially with spdxtool-tool, which is used for creating SPDX Lite 3.0.1 JSON-LD SBOMs from [.filename]#.pc#-files. +
+Several missing features have been added and are under active development by pkgconf contributors. +
+The tool is now nearly compatible with SPDX Lite 3.0.1 requirements and is ready for general use. +
+Additionally, there is an effort to import pkgconf as part of the FreeBSD source, led by Pierre Pronchery.
+* Adding missing SPDX-License-Identifier to files under the FreeBSD source in the [.filename]#bin#, [.filename]#sbin#, [.filename]#usr.bin#, and [.filename]#usr.sbin# directories.
+* Creating [.filename]#.pc#-files for SBOM. The first patch is expected to land in 2026Q2, starting with files from [.filename]#bin#.
+
+If you want to help with this effort:
+* Verify that SPDX-License-Identifier licenses are correct and assist with upstreaming files.
+* Verify that [.filename]#.pc# files contain accurate information and help upstreaming them to git.
+* Assist in reviewing the pkgconf import to the FreeBSD source.
+
+Sponsor: The FreeBSD Foundation
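Review bot: The last two entries in the Links block do not follow the markup used by the ten pkgconf entries above them. The D55461 line has `URL: https://reviews.freebsd.org/D55461[]` without the `link:` prefix, and the `.pc file for SBOM metadata (WIP)` line ends in a bare URL with neither `link:` nor `[]`. Suggest writing both in the same `URL: link:<url>[]` form as the others. In the same block, the pull/461 label reads "SDPX expression" where "SPDX" is meant, the pull/475 label repeats the prefix as "spdxtool: spdxtool:", and the pull/450 label has a trailing space before `]`. If these mirror the upstream PR titles, the SDPX typo is still worth correcting in the report. Both bulleted lists start on the line directly after their introductory sentence ("...delivered in three categories:" and "If you want to help with this effort:") with no blank line between. Please check the rendered page to confirm they come out as lists, and add a blank line before the first `*` if they do not. Minor wording: "spdxtool-tool" in the first bullet can be just "spdxtool", and "help upstreaming them" reads better as "help upstream them".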