Max Mehl

@mxmehl
Open Sourcerer 🧙‍♂️ Free Software advocate 💪
Casting profane magic at DB Systel (Deutsche Bahn). Board member @fsfe, @openrail Team, formerly @fdroidorg board. REUSE.software evangelist.
Posts in EN & DE.
🌍 Website: https://mehl.mx
📨 Contact: https://mehl.mx/contact
🎤 Opinions: My own, not my affiliations'
⚧️ Pronouns: he/him
Today at 10:00 @ #FOSSbackstage, my colleague @cschum and I are going to talk about "getting real with the supply chain". The session will be about how the #OSPO at #DeutscheBahn generates actionable insights from vast data and navigates the triangle of risk/value/people.
TIL my ΔEₒₖ JND is 0.0036 (and what that actually means). Apparently this is quite good. Can you beat it? https://www.keithcirkel.co.uk/whats-my-jnd/?r=AWwgKP__v8vD
What's My JND?

Find your Just Noticeable Difference in colour perception. How small a colour difference can you actually see?

Is this still creative guerrilla advertising, or already embarrassing pandering to young customers? #Wero

Open Source Foundations Consortium Announces Seven New Working Groups

https://nesbitt.io/2026/03/07/announcing-new-working-groups.html

Announcing New Working Groups

The Open Source Foundations Consortium announces seven new working groups.

Andrew Nesbitt

The second presentation overlapped slightly with the first, but emphasized the tooling aspect:

#SBOM lifecycle and blueprint
• Our modular SBOM toolchain for generation, refinement, analysis and storage
• Integration into DevOps workflows
• Our central compliance portal for teams and governance owners
• And how we delight our various users.

This is all heavily based on many great #OpenSource projects, such as those by @anchore and @homebrew.

https://mehl.mx/blog/2026/deutsche-bahns-approach-to-large-scale-sbom-collection-and-use/

[🧵 3/3]

Deutsche Bahn's Approach to Large-Scale SBOM Collection and Use | Max Mehl

At FOSDEM 2026, I presented Deutsche Bahn’s journey from operational need to concrete implementation of large-scale SBOM collection and use. The scale is staggering: approximately 500,000 SBOMs …

Max Mehl

Actually, there were two presentations at #FOSDEM. In the first, I focused on the strategic aspects and context of the Cyber Resilience Act (#CRA).

Why does DB need transparency of its software supply chains? Why is it damn hard to achieve this? How did we get from idea to strategy to implementation? And why do we need less of a technological and more of an organizational and cultural shift to succeed?

Answers to these questions in the recording and slides.

https://mehl.mx/blog/2026/software-supply-chain-strategy-at-deutsche-bahn/

[🧵 2/3]

Software Supply Chain Strategy at Deutsche Bahn | Max Mehl

At FOSDEM 2026, I presented Deutsche Bahn’s software supply chain strategy in the context of the EU Cyber Resilience Act (CRA), but made clear from the start that CRA was the context, not the …

Max Mehl

I recently presented Deutsche Bahn's ongoing efforts to make its software supply chains more transparent. For the first time, we publicly shared how we set up the internal program, the principles we follow, the overarching architectural blueprint, and the tools we use to create, store, and analyze 80,000+ SBOMs. All of this is to find out, in real time, which of the over 100,000 software components we are using are where and how. [🧵 1/3]

#DeutscheBahn #SBOM #SupplyChain #CRA #NIS2

RE: https://eupolicy.social/@finnmyrstad/116141082378515849

This video is pure gold just because it makes you laugh about something that is depressingly true.

#enshittification

The big FOSS vendors don't eat their own dogfood – they pay for proprietary groupware

https://www.theregister.com/2026/02/12/suse_runs_ms/

That's… *not* a good idea

<- by me on @theregister

#OpenSourcePolicySummit2026

Open Source Policy Summit 2026: That's not a good idea

The Register

At #FOSDEM and want to learn how a large organization such as #DeutscheBahn is getting ready for the #CRA by making its software supply chain transparent with #SBOM?

Join my talk today (15:05) on the strategy we've set up: https://fosdem.org/2026/schedule/event/ZSWH3N-deutsche-bahn-supply-chain-cra-strategy/

...and tomorrow (12:00) with an emphasis on the tooling we're using: https://fosdem.org/2026/schedule/event/7EYTRJ-deutsche-bahn-large-scale-sbom-approach/

I offer facts and diagrams. I seek questions and feedback.