Re: RFC: Adopting SPDX for SBOM generation
- In reply to: Ed Maste : "RFC: Adopting SPDX for SBOM generation"
Date: Wed, 06 Aug 2025 16:40:56 UTC
On Wed, Aug 6, 2025 at 4:54 AM Ed Maste <emaste@freebsdfoundation.org> wrote:
>
> Hello everyone,
>
> The Foundation is developing capabilities for automatically generating
> Software Bill of Materials (SBOM) for FreeBSD as part of the work
> commissioned by the Sovereign Tech Agency. SBOMs are often used by
> organizations to manage their supply chain security and transparency
> by providing a comprehensive inventory of software components.
>
> To maximize utility for FreeBSD users, we need to choose an SBOM
> standard that is broadly supported by security scanners, compliance
> tools, and supply chain management systems.
>
> **Proposed Standard: SPDX**
>
> After evaluating available SBOM standards, we recommend adopting SPDX
> for the following reasons:
> - Wide adoption and momentum: SPDX is the most widely used SBOM standard
> - ISO standardization: SPDX version 2.2.1 is published as ISO/IEC 5962:2021
> - Mature tooling
> (..)

+1 here! We did SPDX in Apache NuttX RTOS :-)

Not having SBOM / SPDX is / will be a blocker in some environments :-)

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info