finding #SBOM for projects sucks. Even if there is one chances are that you will not find them because they placed somewhere were you will not look.

finding #SBOM for projects sucks. Even if there is one chances are that you will not find them because they placed somewhere were you will not look.

I am currently working to improve the state of #SBOM (Software Bill of Materials) libraries and compliance in Ruby. SBOMs have been required by the US government since 2023, but #ruby has been slow to catch on.
https://github.com/CycloneDX/cyclonedx-ruby-gem/pull/38

This Thursday, October 30th 2025 in Bergen: Bergen Open Source 2025, https://boskonf.no.

Tietoevry is among the sponsors, and yours truly will be giving an approximately 20 minute version of EU CRA: It's Later Than You Think, Time to Engineer Up! https://nxdomain.no/~peter/eu_cra_its_later_than_you_think_time_to_engineer_up.html

See you there! #boskonf #opensource #cra #sbom #engineerup #development #freesoftware #libresoftware #tietoevry

This Thursday, October 30th 2025 in Bergen: Bergen Open Source 2025, https://boskonf.no.

Tietoevry is among the sponsors, and yours truly will be giving an approximately 20 minute version of EU CRA: It's Later Than You Think, Time to Engineer Up! https://nxdomain.no/~peter/eu_cra_its_later_than_you_think_time_to_engineer_up.html

See you there! #boskonf #opensource #cra #sbom #engineerup #development #freesoftware #libresoftware #tietoevry

Elixir 1.19 has been released 🚀 with substantial improvements to the type system, compile time performance, OpenChain compliance and signed SBoM to facilitate supply chain management and attestation.

And all this without breaking changes. In other words, code that worked yesterday will continue to work after updating 🤯

#ElixirLang #Elixir #IndieDev #SboM

https://elixir-lang.org/blog/2025/10/16/elixir-v1-19-0-released/

Elixir 1.19 has been released 🚀 with substantial improvements to the type system, compile time performance, OpenChain compliance and signed SBoM to facilitate supply chain management and attestation.

And all this without breaking changes. In other words, code that worked yesterday will continue to work after updating 🤯

#ElixirLang #Elixir #IndieDev #SboM

https://elixir-lang.org/blog/2025/10/16/elixir-v1-19-0-released/

EU CRA: It's Later Than You Think, Time to Engineer Up! https://nxdomain.no/~peter/eu_cra_its_later_than_you_think_time_to_engineer_up.html (or tracked https://bsdly.blogspot.com/2025/09/eu-cra-its-later-than-you-think-time-to.html) for your weekend #sbom #development #software #engineering reading #cra #resilience

@jacques @bagder @gregkh

ICYMI, here's a paper that was trying to answer this research question in the context of #OpenSource #Java projects on GitHub: "What do open-source maintainers think about integrating #VEX into their existing SBOMs?"

TL;DR: "In most cases, our augmented SBOMs were not directly accepted because developers required a continuous SBOM update."

https://dl.acm.org/doi/pdf/10.1145/3696630.3728513

#SBOM #CVE #InfoSec

EU CRA: It's Later Than You Think, Time to Engineer Up! https://nxdomain.no/~peter/eu_cra_its_later_than_you_think_time_to_engineer_up.html (or tracked https://bsdly.blogspot.com/2025/09/eu-cra-its-later-than-you-think-time-to.html) for your weekend #sbom #development #software #engineering reading #cra #resilience

@jacques @bagder @gregkh

ICYMI, here's a paper that was trying to answer this research question in the context of #OpenSource #Java projects on GitHub: "What do open-source maintainers think about integrating #VEX into their existing SBOMs?"

TL;DR: "In most cases, our augmented SBOMs were not directly accepted because developers required a continuous SBOM update."

https://dl.acm.org/doi/pdf/10.1145/3696630.3728513

#SBOM #CVE #InfoSec

Is it possible that #Log4j will be the most expensive global #InfoSec incident ever, not because of meaningful losses stemming from successful exploitation, but because it continues to be part of the continuous “ #SBOM and patch all the things will fix this!!” drumbeat?