#spdx — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #spdx, aggregated by home.social.
-
SPDX gets more interesting when the SBOM is not only for scanners.
I wrote a hands-on Quarkus walkthrough around `quarkus-spdx`: generate an SPDX 3.0.1 SBOM, inspect the JSON-LD graph, follow declared license relationships, and check why NTIA/CISA minimums still fail out of the box.
https://www.the-main-thread.com/p/quarkus-spdx-sbom-json-ld-license-compliance
-
SPDX gets more interesting when the SBOM is not only for scanners.
I wrote a hands-on Quarkus walkthrough around `quarkus-spdx`: generate an SPDX 3.0.1 SBOM, inspect the JSON-LD graph, follow declared license relationships, and check why NTIA/CISA minimums still fail out of the box.
https://www.the-main-thread.com/p/quarkus-spdx-sbom-json-ld-license-compliance
-
SPDX gets more interesting when the SBOM is not only for scanners.
I wrote a hands-on Quarkus walkthrough around `quarkus-spdx`: generate an SPDX 3.0.1 SBOM, inspect the JSON-LD graph, follow declared license relationships, and check why NTIA/CISA minimums still fail out of the box.
https://www.the-main-thread.com/p/quarkus-spdx-sbom-json-ld-license-compliance
-
SPDX gets more interesting when the SBOM is not only for scanners.
I wrote a hands-on Quarkus walkthrough around `quarkus-spdx`: generate an SPDX 3.0.1 SBOM, inspect the JSON-LD graph, follow declared license relationships, and check why NTIA/CISA minimums still fail out of the box.
https://www.the-main-thread.com/p/quarkus-spdx-sbom-json-ld-license-compliance
-
SPDX gets more interesting when the SBOM is not only for scanners.
I wrote a hands-on Quarkus walkthrough around `quarkus-spdx`: generate an SPDX 3.0.1 SBOM, inspect the JSON-LD graph, follow declared license relationships, and check why NTIA/CISA minimums still fail out of the box.
https://www.the-main-thread.com/p/quarkus-spdx-sbom-json-ld-license-compliance
-
Yesterday at the European SBOM user group we discussed the ENISA report on SBOM adoption. It was a very open discussion, inspired by this report and we found issues that we want to come back to, issues we did not really agree with the report on. This is the type of discussions we want to enable by inviting to the user group meetings.
Join us by registering at https://sbomeurope.eu/community/
-
Yesterday at the European SBOM user group we discussed the ENISA report on SBOM adoption. It was a very open discussion, inspired by this report and we found issues that we want to come back to, issues we did not really agree with the report on. This is the type of discussions we want to enable by inviting to the user group meetings.
Join us by registering at https://sbomeurope.eu/community/
-
Yesterday at the European SBOM user group we discussed the ENISA report on SBOM adoption. It was a very open discussion, inspired by this report and we found issues that we want to come back to, issues we did not really agree with the report on. This is the type of discussions we want to enable by inviting to the user group meetings.
Join us by registering at https://sbomeurope.eu/community/
-
Yesterday at the European SBOM user group we discussed the ENISA report on SBOM adoption. It was a very open discussion, inspired by this report and we found issues that we want to come back to, issues we did not really agree with the report on. This is the type of discussions we want to enable by inviting to the user group meetings.
Join us by registering at https://sbomeurope.eu/community/
-
Yesterday at the European SBOM user group we discussed the ENISA report on SBOM adoption. It was a very open discussion, inspired by this report and we found issues that we want to come back to, issues we did not really agree with the report on. This is the type of discussions we want to enable by inviting to the user group meetings.
Join us by registering at https://sbomeurope.eu/community/
-
[Перевод] Автоматизация SBOM в большом legacy-проекте: опыт LibreOffice и Collabora Online
Вот уже более 20 лет проходит масштабная конференция разработчиков свободного и открытого ПО – FOSDEM. Для CodeScoring она примечательна тем, что с 2021 года на ней регулярно представлен тематический деврум "SBOMS and supply chains" посвященный составу программного обеспечения и цепочкам поставок. Эта статья – адаптация доклада "LibreOffice and Collabora Online – how we managed to automate SBOM generation for a large legacy project", с которым Торстен Беренц выступил на конференции в 2026 году. Специально для вас мы перевели выступление и превратили его в статью, оригинал доклада на английском языке – по ссылке .
https://habr.com/ru/companies/codescoring/articles/1045570/
#sbom #fosdem #libreoffice #collabora_online #open_source #композиционный_анализ #spdx #c #c++ #sca
-
[Перевод] Автоматизация SBOM в большом legacy-проекте: опыт LibreOffice и Collabora Online
Вот уже более 20 лет проходит масштабная конференция разработчиков свободного и открытого ПО – FOSDEM. Для CodeScoring она примечательна тем, что с 2021 года на ней регулярно представлен тематический деврум "SBOMS and supply chains" посвященный составу программного обеспечения и цепочкам поставок. Эта статья – адаптация доклада "LibreOffice and Collabora Online – how we managed to automate SBOM generation for a large legacy project", с которым Торстен Беренц выступил на конференции в 2026 году. Специально для вас мы перевели выступление и превратили его в статью, оригинал доклада на английском языке – по ссылке .
https://habr.com/ru/companies/codescoring/articles/1045570/
#sbom #fosdem #libreoffice #collabora_online #open_source #композиционный_анализ #spdx #c #c++ #sca
-
[Перевод] Автоматизация SBOM в большом legacy-проекте: опыт LibreOffice и Collabora Online
Вот уже более 20 лет проходит масштабная конференция разработчиков свободного и открытого ПО – FOSDEM. Для CodeScoring она примечательна тем, что с 2021 года на ней регулярно представлен тематический деврум "SBOMS and supply chains" посвященный составу программного обеспечения и цепочкам поставок. Эта статья – адаптация доклада "LibreOffice and Collabora Online – how we managed to automate SBOM generation for a large legacy project", с которым Торстен Беренц выступил на конференции в 2026 году. Специально для вас мы перевели выступление и превратили его в статью, оригинал доклада на английском языке – по ссылке .
https://habr.com/ru/companies/codescoring/articles/1045570/
#sbom #fosdem #libreoffice #collabora_online #open_source #композиционный_анализ #spdx #c #c++ #sca
-
Moet de overheid SBOM-standaarden (CycloneDX & SPDX) verplicht toepassen?
Forum Standaardisatie onderzoekt dit en zoekt experts uit publieke en private sector om mee te denken. Uw kennis over softwarebeveiliging helpt ons bij de toetsing voor de ‘Pas toe of leg uit’-lijst.
📆 25 juni 2026, 10:00-14:00 (midden-Nederland)
Lunch is inbegrepen.📧 Interesse? Mail ons: [email protected]
-
Moet de overheid SBOM-standaarden (CycloneDX & SPDX) verplicht toepassen?
Forum Standaardisatie onderzoekt dit en zoekt experts uit publieke en private sector om mee te denken. Uw kennis over softwarebeveiliging helpt ons bij de toetsing voor de ‘Pas toe of leg uit’-lijst.
📆 25 juni 2026, 10:00-14:00 (midden-Nederland)
Lunch is inbegrepen.📧 Interesse? Mail ons: [email protected]
-
Moet de overheid SBOM-standaarden (CycloneDX & SPDX) verplicht toepassen?
Forum Standaardisatie onderzoekt dit en zoekt experts uit publieke en private sector om mee te denken. Uw kennis over softwarebeveiliging helpt ons bij de toetsing voor de ‘Pas toe of leg uit’-lijst.
📆 25 juni 2026, 10:00-14:00 (midden-Nederland)
Lunch is inbegrepen.📧 Interesse? Mail ons: [email protected]
-
Moet de overheid SBOM-standaarden (CycloneDX & SPDX) verplicht toepassen?
Forum Standaardisatie onderzoekt dit en zoekt experts uit publieke en private sector om mee te denken. Uw kennis over softwarebeveiliging helpt ons bij de toetsing voor de ‘Pas toe of leg uit’-lijst.
📆 25 juni 2026, 10:00-14:00 (midden-Nederland)
Lunch is inbegrepen.📧 Interesse? Mail ons: [email protected]
-
Moet de overheid SBOM-standaarden (CycloneDX & SPDX) verplicht toepassen?
Forum Standaardisatie onderzoekt dit en zoekt experts uit publieke en private sector om mee te denken. Uw kennis over softwarebeveiliging helpt ons bij de toetsing voor de ‘Pas toe of leg uit’-lijst.
📆 25 juni 2026, 10:00-14:00 (midden-Nederland)
Lunch is inbegrepen.📧 Interesse? Mail ons: [email protected]
-
Goed nieuws voor de digitale weerbaarheid van de overheid: @forumstandaardisatie zal de intake van #SBOM-standaarden (#CycloneDX en #SPDX) hervatten.
Een SBOM is als een ingrediëntenlijst voor software: essentieel voor inzicht in de keten en veiligheidsbeheer.
Waarom nu?
De onzekerheid over Europese regelgeving is weggenomen:
👉 NEN-conceptnormen sluiten aan bij de praktijk.
👉 CycloneDX en SPDX worden erkend.
👉 Geen normconflicten met de EU.Lees meer: https://www.forumstandaardisatie.nl/nieuws/toetsingsprocedure-sbom-wordt-hervat
-
Goed nieuws voor de digitale weerbaarheid van de overheid: @forumstandaardisatie zal de intake van #SBOM-standaarden (#CycloneDX en #SPDX) hervatten.
Een SBOM is als een ingrediëntenlijst voor software: essentieel voor inzicht in de keten en veiligheidsbeheer.
Waarom nu?
De onzekerheid over Europese regelgeving is weggenomen:
👉 NEN-conceptnormen sluiten aan bij de praktijk.
👉 CycloneDX en SPDX worden erkend.
👉 Geen normconflicten met de EU.Lees meer: https://www.forumstandaardisatie.nl/nieuws/toetsingsprocedure-sbom-wordt-hervat
-
Goed nieuws voor de digitale weerbaarheid van de overheid: @forumstandaardisatie zal de intake van #SBOM-standaarden (#CycloneDX en #SPDX) hervatten.
Een SBOM is als een ingrediëntenlijst voor software: essentieel voor inzicht in de keten en veiligheidsbeheer.
Waarom nu?
De onzekerheid over Europese regelgeving is weggenomen:
👉 NEN-conceptnormen sluiten aan bij de praktijk.
👉 CycloneDX en SPDX worden erkend.
👉 Geen normconflicten met de EU.Lees meer: https://www.forumstandaardisatie.nl/nieuws/toetsingsprocedure-sbom-wordt-hervat
-
Goed nieuws voor de digitale weerbaarheid van de overheid: @forumstandaardisatie zal de intake van #SBOM-standaarden (#CycloneDX en #SPDX) hervatten.
Een SBOM is als een ingrediëntenlijst voor software: essentieel voor inzicht in de keten en veiligheidsbeheer.
Waarom nu?
De onzekerheid over Europese regelgeving is weggenomen:
👉 NEN-conceptnormen sluiten aan bij de praktijk.
👉 CycloneDX en SPDX worden erkend.
👉 Geen normconflicten met de EU.Lees meer: https://www.forumstandaardisatie.nl/nieuws/toetsingsprocedure-sbom-wordt-hervat
-
Goed nieuws voor de digitale weerbaarheid van de overheid: @forumstandaardisatie zal de intake van #SBOM-standaarden (#CycloneDX en #SPDX) hervatten.
Een SBOM is als een ingrediëntenlijst voor software: essentieel voor inzicht in de keten en veiligheidsbeheer.
Waarom nu?
De onzekerheid over Europese regelgeving is weggenomen:
👉 NEN-conceptnormen sluiten aan bij de praktijk.
👉 CycloneDX en SPDX worden erkend.
👉 Geen normconflicten met de EU.Lees meer: https://www.forumstandaardisatie.nl/nieuws/toetsingsprocedure-sbom-wordt-hervat
-
New #SPDX License List has been published https://github.com/spdx/license-list-XML/releases/tag/v3.28.0
It includes 33 new licenses and many markup changes to existing licenses. Many of them were added via #Fedora contributors and fedora-license-data. -
New #SPDX License List has been published https://github.com/spdx/license-list-XML/releases/tag/v3.28.0
It includes 33 new licenses and many markup changes to existing licenses. Many of them were added via #Fedora contributors and fedora-license-data. -
New #SPDX License List has been published https://github.com/spdx/license-list-XML/releases/tag/v3.28.0
It includes 33 new licenses and many markup changes to existing licenses. Many of them were added via #Fedora contributors and fedora-license-data. -
New #SPDX License List has been published https://github.com/spdx/license-list-XML/releases/tag/v3.28.0
It includes 33 new licenses and many markup changes to existing licenses. Many of them were added via #Fedora contributors and fedora-license-data. -
New #SPDX License List has been published https://github.com/spdx/license-list-XML/releases/tag/v3.28.0
It includes 33 new licenses and many markup changes to existing licenses. Many of them were added via #Fedora contributors and fedora-license-data. -
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
-
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
-
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
-
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
-
Back from #FOSDEM and working on the new European SBOM conference in Stockholm April 10th. Send me your ideas for talks!
-
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
-
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
-
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
-
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
-
The slides for my presentation "Please sign your artefacts. WITH WHAT?" at #FOSDEM in the Security devroom are now available for viewing. A video will be coming soon.
https://fosdem.org/2026/schedule/event/RFFD3M-sign-your-artefacts/
-
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
-
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
-
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
-
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
-
At the #AboutCode SBOM tools workshop we talked about creating a way of continuing the discussions. I've just created a #SBOM-tools slack channel in the @orcwg space. Join us to discuss #SBOM tools and interoperability!
-
Finally, complete the v1 of spdxconv.
spdxconv is a program to convert existing licenses and copyrights into #SPDX identifiers or insert new ones. This program works in tandem with #reuse software.
Features:
* REUSE Integration: Detects annotations from REUSE.toml.
* Customizable Defaults: Set default license identifiers and copyright holders.
* Smart Comments: Customizable patterns to set comment syntax ...See https://git.sr.ht/~shulhan/spdxconv/ for more information.
-
Finally, complete the v1 of spdxconv.
spdxconv is a program to convert existing licenses and copyrights into #SPDX identifiers or insert new ones. This program works in tandem with #reuse software.
Features:
* REUSE Integration: Detects annotations from REUSE.toml.
* Customizable Defaults: Set default license identifiers and copyright holders.
* Smart Comments: Customizable patterns to set comment syntax ...See https://git.sr.ht/~shulhan/spdxconv/ for more information.
-
PEP 770 was accepted in April of this year, what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packagesRead more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
-
PEP 770 was accepted in April of this year, what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packagesRead more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
-
PEP 770 was accepted in April of this year, what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packagesRead more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
-
PEP 770 was accepted in April of this year, what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packagesRead more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
-
PEP 770 was accepted in April of this year, what has happened since then?
* Published a white paper on PEP 770 and phantom dependencies
* Auditwheel, manylinux, and cibuildwheel adoption
* Over 300 projects already ship with PEP 770 SBOM data
* Fedora and Red Hat adopted PEP 770 for Python packagesRead more: https://sethmlarson.dev/pep-770-sbom-data-from-pypi-fedora-and-redhat
-
@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming
https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview
"The data may be serialized in a variety of formats for storage and transmission."
"Canonical serialization is in JSON format"+ extra conditions.
Is it just me or is that really, really stupid.
How hard do you have to miss the point of defining a standard, when the output data needs further specification.
Needlessly too.
"No line breaks"
Your (standard) parser can't handle line breaks or what?!?
-
@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming
https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview
"The data may be serialized in a variety of formats for storage and transmission."
"Canonical serialization is in JSON format"+ extra conditions.
Is it just me or is that really, really stupid.
How hard do you have to miss the point of defining a standard, when the output data needs further specification.
Needlessly too.
"No line breaks"
Your (standard) parser can't handle line breaks or what?!?
-
@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming
https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview
"The data may be serialized in a variety of formats for storage and transmission."
"Canonical serialization is in JSON format"+ extra conditions.
Is it just me or is that really, really stupid.
How hard do you have to miss the point of defining a standard, when the output data needs further specification.
Needlessly too.
"No line breaks"
Your (standard) parser can't handle line breaks or what?!?
-
@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming
https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview
"The data may be serialized in a variety of formats for storage and transmission."
"Canonical serialization is in JSON format"+ extra conditions.
Is it just me or is that really, really stupid.
How hard do you have to miss the point of defining a standard, when the output data needs further specification.
Needlessly too.
"No line breaks"
Your (standard) parser can't handle line breaks or what?!?
-
@herrfrankmann #SPDX #cybersecurity #csa #enisa #programming
https://spdx.github.io/spdx-spec/v3.0.1/serializations/#overview
"The data may be serialized in a variety of formats for storage and transmission."
"Canonical serialization is in JSON format"+ extra conditions.
Is it just me or is that really, really stupid.
How hard do you have to miss the point of defining a standard, when the output data needs further specification.
Needlessly too.
"No line breaks"
Your (standard) parser can't handle line breaks or what?!?