UV got you down? Not anymore! Syft now supports Python uv.lock files, thanks to awesome community work. Get your latest SBOMs! #Syft #SBOM #Python https://anchorecommunity.discourse.group/t/anchore-open-source-weekly-report-week-29-2025/503

It's Monday! Instead of blue, let's make it all green with scatool.com. Try now for free to see all green today. #DevSecOps #DevOps #SupplyChainSecurity #SBOM #AppSec
Thank you to Mary Grush of Campus Technology magazine for her interest in @apereo and the resurgence of #OpenSource in #HigherEd.
While institutions of #HigherEducation are now more dependent on #OSS than ever, their engagement with and support of both the projects and communities may be at an all-time low.
Several factors should prompt greater participation from campus leadership and IT departments: #SBOM, #CRA, the rise of academic #OSPO, grant/funding requirements (#OpenScience), etc.
Tomorrow morning I'll go to #EuroPython. I need to wake up early but I cannot sleep due to the excitement. Thinking about #SBOM in #Fedora-built #Python wheels instead. Will really need a lot of coffee this week.
@bagder wrote:
> I think of SBOMs as a way for us to charge
So does the Compliance Industrial Complex. They've been planning for this. 's on the table when make-work becomes mandatory regulation.
I doubt small FOSS business'll get a piece of that pie easily. #SBOM game is already rigged to favor Big Tech.
But, I hope I'm wrong & you make a living from it!
Let's reserve the right to “I told you so” each other when one of us turns out wrong in 5-10 years.
Cc: @msw @lexelas
@jeremiah_
@bagder
Oh, I agree: confused users will request #SBOM's b/c they think they're useful (… even though they aren't).
My point is: we're still at a moment where we can influence actual implementation of CRA in practice (regulations are being written now).
The best approach? Convince regulators that complete, corresponding source & @reproducible_builds are *actually* useful to customers for FOSS.
#SBOM's are only useful for proprietary software. SBOMs for FOSS is make-work.
@bagder Thanks for your post & your counter
I'm curious: you characterize the EU #CRA as requiring #SBOM's *specifically*. I know the License Compliance Industrial Complex wants it to be true, but I researched this issue for my #FOSDEM 2025 talk…
https://fosdem.org/2025/schedule/event/fosdem-2025-6155-is-there-really-an-sbom-mandate-/
… & IIUC CRA *doesn't* specify SBOMs specifically.
IMO, if the vendor gives the customer complete, Corresponding Source & a 100% @reproducible_builds they've complied with CRA. No one has shown me anything that disproves that.
Is your company planning to start contributing to open source? My new post shares best practices for corporate upstream contributions, spanning things from legal compliance (CRA is coming!) to building reputation & quality: https://optimizedbyotto.com/post/best-practices-corporate-open-source-contributions/
#OpenSource #SoftwareEngineering #CRA #SBOM
I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.
We do complain about CPE quite a bit :)
But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.
https://opensourcesecurity.io/2025/2025-06-purl-philippe-ombredanne/
When #Cybersecurity is just as important as foreign policy: cyber threats stop at national borders no more than global data flows do, which is why #Cybersicherheit is now as much a part of the #G7 summit as foreign and economic policy.
The heads of the G7 states' cybersecurity agencies have now taken this as the occasion to publish a joint concept for an #SBOM (Software Bill of Materials) for #KI (AI) systems:
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/250616_SBOM_for_AI.html
#GUAC 1.0 is here!
With 400+ contributors across 90+ orgs—GUAC helps teams tame the #SBOM monster by enriching and connecting metadata across your entire ecosystem.
Read the blog to learn how GUAC is evolving software supply chain security: https://openssf.org/blog/2025/06/12/guac-1-0-is-now-available/
Trump quietly throws out Biden-era #cyber #policies
The following Biden-era programs are now out or significantly rolled back:
- Requirement that federal #software vendors provide an #SBOM is gone
- Several #AI #cybersecurity research mandates have been scrapped or deprioritized.
- Requirement that software contractors formally attest they followed secure development practices has been cut. Instead, #NIST will now coordinate a new industry consortium to review security guidelines.
https://www.axios.com/2025/06/10/trump-executive-order-cybersecurity-biden
Many organizations say they integrate security into CI/CD. But gaps remain:
- No policy enforcement
- #SBOM ignored
- Vulnerabilities slip through
We're breaking down how product security leaders can scale #DevSecOps maturity. Take a look https://finitestate.io/blog/devsecops-ci-cd-maturity-guide
Back from a multi-day-long rabbit hole:
kasseapparat now builds multi-arch images using Docker Bake, with labels, annotations, and SBOMs – all signed and attested via Cosign in GitHub Actions.
Took way more test builds than expected. Now back to the fun part: building software.
#DevOps #Cosign #SBOM #MultiArch #GitHubActions
Currently there is so much stuff happening around EMBA ... today I can share that we got the chance to share the latest EMBA and #SBOM stuff at the #TROOPERS25 / @WEareTROOPERS security conference. Check it out here https://troopers.de/troopers25/agenda/
Syft users! We want to hear from YOU! Take our quick 5-question survey to help shape the future of Syft. Your feedback is invaluable!
https://forms.gle/VJZ7idKZgchminYD7
#Syft #SBOM #OpenSource
And now @flintflump is once again giving a great talk about SBOMs at our Engineering Camp
@lutrasecurity #EngineeringCamp #QAware #SBOM #infosec #security
"The Microsoft #opensource #SBOM Tool now supports #SPDX 3.0!"
https://www.linkedin.com/posts/adriandiglio_github-microsoftsbom-tool-the-sbom-tool-activity-7328078596596469760-za87 #cybersecurity
SBOMs aren't just another security fad. Join #SBOMlearningWeek with our free eBook that shows how SBOMs revolutionize #software #security by bringing transparency to dependencies and vulnerabilities. Get practical implementation guides for SPDX, CycloneDX, and more: https://get.anchore.com/sbom101-guide-for-devsecops-community/ #AppSec #SBOM