Bridging Package Managers and SBOMs
Hello, I recently presented a talk at the Open Source Summit (OSPOcon track) about the need for tighter collaboration between package manager communities, SBOM generation tool developers, OSPOs, and standardization bodies to improve metadata consistency for SBOM creation.
The conversation that followed the talk highlighted strong interest across the ecosystem. We’re now continuing discussions with multiple stakeholders, including people in CHAOSS and TODO Group/OSPO, and we are beginning outreach to package manager maintainers.
The goal is to explore how we can work together more closely to ensure the metadata required for high-quality SBOMs is readily available and better aligned with existing SBOM standards like SPDX-3.
Looking forward to keeping this dialogue open and collaborative—please reach out if you’re interested in joining or contributing to the effort!
Thanks @sdavtaker for posting - I'm a huge supporter of tighter integration between package managers and SPDX 3. Let me know how I can help. We have an SPDX channel on Slack (spdx.slack.com), the tech email list and you can also connect with me via my email gary at sourceauditor.com.
Great, I joined the mailing list and Slack; I will take the conversation there.