
FOSDEM 2025
February 2nd, 2025
Lessons learned from integrating SBOM in a supply chain
In the context of a Linux software factory dedicated to building embedded software, we will discuss the choices and challenges we encountered in integrating SBOM file generation into a software supply chain involving many packages.
The talk begins with a brief overview of the SBOM formats (SPDX, CycloneDX, ...), tools and ecosystems, highlighting the essential knowledge required to integrate SBOM generation into a supply chain. It then addresses the challenges we faced in retrieving accurate and reliable information to generate the various BOMs: How do we ensure the data is correct and up to date? What are the common pitfalls in data collection? Which format best suits your needs, and what are the trade-offs between the different solutions? Finally, we explore why SBOMs matter and why each element in the supply chain must be traced and signed to ensure integrity (focusing here on SLSA).
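To make the "is the data correct and up to date?" question concrete, here is an added example (not code from the talk or from the speakers' software factory) that emits a minimal CycloneDX 1.5 JSON BOM from package metadata a build system would know, then runs the consistency checks that catch the usual data-collection pitfalls: a component with no version, a purl that carries no version, and a recorded SHA-256 that no longer matches the artifact because the package was rebuilt after the SBOM was generated. The package names, versions, purls and byte contents are constructed sample data.

```python
import hashlib
import json

# Constructed sample: what a build system might know about three packages.
# The second entry deliberately lacks a version, a common extraction pitfall
# when a recipe does not expose one. Not data from any real build.
PACKAGES = [
    {"name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1", "data": b"zlib-1.3.1 sources"},
    {"name": "busybox", "version": "",
     "purl": "pkg:generic/busybox", "data": b"busybox sources"},
    {"name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13", "data": b"openssl-3.0.13 sources"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_cyclonedx(packages) -> dict:
    """Emit a minimal CycloneDX 1.5 BOM (JSON object) for the given packages.

    Only the fields needed for the checks below are filled in: component
    type, name, version (when known), purl and a SHA-256 hash of the artifact.
    """
    components = []
    for pkg in packages:
        comp = {"type": "library", "name": pkg["name"]}
        if pkg["version"]:
            comp["version"] = pkg["version"]
        comp["purl"] = pkg["purl"]
        comp["hashes"] = [{"alg": "SHA-256", "content": sha256_hex(pkg["data"])}]
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": components,
    }


def check_bom(bom: dict, artifacts: dict) -> list:
    """Validate a CycloneDX BOM against the artifacts actually on disk.

    `artifacts` maps component name -> current bytes of the package artifact.
    Returns a list of human-readable findings; an empty list means the BOM is
    complete and still matches what was built.
    """
    findings = []
    for comp in bom["components"]:
        name = comp["name"]
        if "version" not in comp:
            findings.append(f"{name}: no version recorded")
        purl = comp.get("purl", "")
        if "@" not in purl:
            findings.append(f"{name}: purl lacks a version")
        recorded = {h["content"] for h in comp.get("hashes", [])
                    if h["alg"] == "SHA-256"}
        actual = sha256_hex(artifacts[name])
        if actual not in recorded:
            findings.append(f"{name}: SHA-256 does not match current artifact")
    return findings


def stale_rebuild_scenario() -> list:
    """Generate the BOM, then rebuild one package afterwards (stale SBOM)."""
    bom = build_cyclonedx(PACKAGES)
    artifacts = {p["name"]: p["data"] for p in PACKAGES}
    # Simulate openssl being rebuilt after SBOM generation.
    artifacts["openssl"] = b"openssl-3.0.13 sources (patched)"
    return check_bom(bom, artifacts)


if __name__ == "__main__":
    bom = build_cyclonedx(PACKAGES)
    print(json.dumps(bom, indent=2))
    for finding in stale_rebuild_scenario():
        print("FINDING:", finding)
```

Run it and the BOM prints, followed by three findings: two for busybox (missing version, purl without version) and one for openssl (hash mismatch after the simulated rebuild). The hash check is the one that matters most in a supply chain: a BOM generated before the last rebuild silently describes a different artifact, which is exactly what signing each element (SLSA provenance over the concrete outputs) is meant to prevent.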