SPDX SBOM Format Deep Dive: Compliance, Security & the Future of Software Metadata
What makes the SPDX SBOM format a cornerstone of modern software transparency? In this episode of Nerding Out with Viktor, host Viktor Petersson is joined by Kate Stewart (Linux Foundation) and Gary O'Neall (SPDX contributor) to explore how SPDX evolved from a license compliance tool into a critical standard for security, supply chain management, and regulatory readiness. They discuss real-world use cases from Zephyr, Yocto, and the Linux kernel, explain the challenges of circular dependencies and incomplete metadata, and walk through how SPDX is adapting to safety-critical systems and CI/CD pipelines. You'll also hear how global regulation from NIST to the EU CRA is pushing SBOM adoption forward. Whether you're an open source maintainer, security engineer, or developer navigating compliance, this episode unpacks the complexity of SBOMs in a practical, accessible way.

You'll learn about:
* How SPDX started and why it matters today
* SPDX's shift from licensing to full software transparency
* Build-time SBOM generation in embedded systems
* How graph-based modeling helps map software relationships
* Challenges with circular dependencies & CI/CD pipelines
* SPDX's role in meeting global regulatory requirements

Timestamps:
00:00 - Intro & guest welcome
03:00 - The origin of SPDX in licensing & M&A
08:00 - SPDX use cases beyond license compliance
12:00 - Build-time SBOMs: Zephyr, Yocto & embedded use
18:00 - Graph modeling, circular dependencies & known unknowns
25:00 - SBOM completeness, CI/CD integration & SPDX 3.0
32:00 - SPDX license list, tooling gaps & cleanup efforts
38:00 - Kernel SBOMs & working with the Linux Foundation
44:00 - Regulatory push: CRA, NIST, PCI DSS & more
48:00 - Community-driven development & contributing to SPDX