The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.

https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/

#SBOM #SPDX #CYCLONEDX #OWASP #CYBERSECURITY #PKILOVE #pki

At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools Slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!

https://orcwg.org/participate/

#SBOM #CYCLONEDX #SPDX #PURL

Get Involved in the Open Regulatory Compliance Working Group | Open Regulatory Compliance Working Group

The open source community is collaborating to establish common specifications for secure software development based on open source best practices.

Finally, completed v1 of spdxconv.

spdxconv is a program to convert existing licenses and copyrights into #SPDX identifiers or insert new ones. This program works in tandem with #reuse software.

Features:

* REUSE Integration: Detects annotations from REUSE.toml.
* Customizable Defaults: Set default license identifiers and copyright holders.
* Smart Comments: Customizable patterns to set comment syntax ...

See https://git.sr.ht/~shulhan/spdxconv/ for more information.

#openSource #golang

PEP 770 was accepted in April of this year. What has happened since then?

* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packages

Read more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat

#Python #SBOM #CycloneDX #SPDX #auditwheel #cibuildwheel

PEP 770 Software Bill‑of‑Materials (SBOM) data from PyPI, Fedora, and Red Hat

This year I authored PEP 770 which proposed a new standardized location for Software Bill-of-Materials (SBOM) data within Python wheel archives. SBOM data can now be stored in (package)-(version).d...

@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming

https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview

"The data may be serialized in a variety of formats for storage and transmission."

"Canonical serialization is in JSON format" + extra conditions.

Is it just me, or is that really, really stupid?

How hard do you have to miss the point of defining a standard when the output data needs further specification?

Needlessly too.

"No line breaks"

Your (standard) parser can't handle line breaks or what?!?

6. Model and serializations - SPDX Specification 3.0.1

The next #Kiberpipa meetup will be

on Thursday, 11.12. at 17:00
at the @muzej, namely:

• first, @hook will lead a workshop on #REUSE best practices for marking your own source code with #SPDX standard identifiers for authorship and licences. (bring your own code)

• then @franga2000 and anze@treehouse.systems will present how the Access to Public Information Act (#ZDIJZ) works in practice.

https://dogodki.kompot.si/events/ee116191-fe3f-4b1f-89bd-3b0ff8d1f46e
more info and sign up here ☝️

#OprtaKoda #FOSS #JavniPodatki

c| meetup № 30: REUSE.software workshop & ZDIJZ in practice

Dec 11, 2025, 5:00:00 PM - GMT+1 - Computer Museum, 1000, Ljubljana, Slovenia - First, Matija Šuklje (hook) will lead a workshop on REUSE.software best practices for marking your own source code. The goal is that by the end everyone will know how to mark their code with SPDX (ISO/IEC 5962:2021…

The SPDX community is now creating a new list — similar to the SPDX License List — but focused on cryptographic algorithms. This post shares how this effort started, its current status, the next steps, and a final call for participation.

http://toscalix.com/2025/10/14/introducing-the-spdx-cryptographic-algorithm-list-a-personal-view/

#spdx #sbom #cyclonedx #cryptography #algorithm #linuxfoundation

Introducing the SPDX Cryptographic Algorithm List: a Personal View

We have now updated our packaging tutorial to include PEP 639, which enables SPDX-compliant licensing: https://python-basics-tutorial.readthedocs.io/en/latest/packs/distribution.html#license-expression

#Python #Packaging #SPDX #Licensing

Creating a distribution package

Distribution Packages are archives that can be uploaded to a package index such as pypi.org and installed with pip. Structure: A minimal distribution package can look like this, for example: pyproj...

One Open-source Project Daily

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

https://github.com/anchore/syft

#1ospd #opensource #containers #cyclonedx #docker #go #golang #hacktoberfest #oci #sbom #spdx #staticanalysis #tool

The future of the software supply chain is transparent, standardised, and automated.
✅ SBOM: Lists what’s in your software
✅ SPDX: Structures it for instant clarity
✅ SCA Tool: Keeps it up-to-date without the headaches

Learn why modern suppliers can’t afford to skip either:
https://scatool.com/resources/sbom-management-explained/sbom-spdx-why-suppliers-need-both/

#SBOM #SPDX #OpenSource #CyberSecurity #DevSecOps