Collaborative Standardization: How communities built PURL and CycloneDX
Author: Eclipse Foundation
Uploaded: 2026-02-03
Views: 12
Description:
Standards emerge from real problems, community collaboration, and years of iteration. In the software compliance world, fragmented tooling and inconsistent data formats created chaos that individual organizations couldn't solve alone. The industry needed common ground, and that's where Package-URL (PURL) and CycloneDX come in.
PURL started as a simple idea: create one universal way to identify software packages across all ecosystems. Through community input, real-world testing, and adoption by major projects, it evolved from a proposal into the de facto standard for package identification. CycloneDX followed a similar path, emerging from security practitioners' need for a lightweight, practical SBOM format that could actually support their workflows, not just check regulatory boxes.
The standardization process for both involved open development, industry collaboration, and countless refinements based on implementation experience. Security tools, package managers, and compliance platforms gradually adopted these standards, creating network effects that accelerated their spread. Today, they're baked into major vulnerability databases, SBOM generators, and regulatory guidance documents.
In this talk, Philippe Ombredanne, creator of PURL, and Steve Springett, chair of CycloneDX SBOM Standard, trace the evolution of PURL and CycloneDX from initial concepts to widely-adopted industry standards. You'll learn how open standardization processes work, what made these particular standards successful, and how community participation drives their ongoing development. The session explores the challenges of gaining adoption, the role of early implementers, and why some standards succeed while others fade away.
Understanding how standards emerge helps you participate in shaping them and recognize which ones are worth betting your compliance infrastructure on.
___
This session was recorded during Code & Compliance - FOSDEM Edition, held on 29 January 2026 in Brussels.
For more information about the Open Regulatory Compliance (ORC) Working Group and details on upcoming events, visit orcwg.org
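The abstract describes PURL as one universal way to identify a package across ecosystems. As an added illustration (not code from the talk, the PURL project or CycloneDX), the parser below splits a `pkg:` identifier into its components and applies the type-specific normalisation rules the PURL specification defines for a few common types (type lowercased; PyPI names lowercased with `_` replaced by `-`). The sample identifiers are constructed for this example; `PackageURL`, `parse_purl` and `_normalise_name` are names chosen here, not the project's own API.

```python
"""Minimal Package-URL (PURL) parser, written as an added example.

Grammar handled here: pkg:type/namespace/name@version?qualifiers#subpath
Only the namespace, version, qualifiers and subpath are optional.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def _normalise_name(ptype: str, name: str) -> str:
    # Type-specific rules from the PURL type definitions; other types are
    # left untouched because their ecosystems are case-sensitive.
    if ptype == "pypi":
        return name.lower().replace("_", "-")
    if ptype in ("npm", "github", "bitbucket"):
        return name.lower()
    return name


def parse_purl(purl: str) -> PackageURL:
    rest = purl.strip()

    # 1. Subpath: everything after the right-most '#', as '/'-separated segments.
    subpath = None
    if "#" in rest:
        rest, raw_subpath = rest.rsplit("#", 1)
        segments = [unquote(s) for s in raw_subpath.strip("/").split("/")
                    if s and s not in (".", "..")]
        subpath = "/".join(segments) or None

    # 2. Qualifiers: everything after the right-most '?', as key=value pairs.
    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, raw_qualifiers = rest.rsplit("?", 1)
        for pair in raw_qualifiers.split("&"):
            key, _, value = pair.partition("=")
            if key and value:
                qualifiers[key.lower()] = unquote(value)

    # 3. Scheme must be 'pkg' (case-insensitive); leading slashes are tolerated.
    scheme, sep, rest = rest.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a PURL (missing pkg: scheme): {purl!r}")
    rest = rest.lstrip("/")

    # 4. Type is the first path segment and is case-insensitive.
    ptype, sep, rest = rest.partition("/")
    if not sep or not ptype:
        raise ValueError(f"PURL has no type or name: {purl!r}")
    ptype = ptype.lower()

    # 5. Version follows the right-most '@'. An '@' that belongs to a namespace
    #    (e.g. npm scopes) must already be percent-encoded as %40, so a raw
    #    split is safe here and decoding happens afterwards.
    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)

    # 6. Name is the last remaining segment; anything before it is the namespace.
    rest = rest.strip("/")
    if "/" in rest:
        raw_namespace, raw_name = rest.rsplit("/", 1)
        namespace = "/".join(unquote(s) for s in raw_namespace.split("/") if s) or None
    else:
        namespace, raw_name = None, rest
    name = unquote(raw_name)
    if not name:
        raise ValueError(f"PURL has an empty name: {purl!r}")

    return PackageURL(ptype, namespace, _normalise_name(ptype, name),
                      version, qualifiers, subpath)


if __name__ == "__main__":
    # Constructed sample identifiers covering several ecosystems.
    for sample in (
        "pkg:npm/%40angular/animation@12.3.1",
        "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar",
        "pkg:PyPI/Django_Rest@3.14",
        "pkg:golang/github.com/gorilla/mux@v1.8.0",
        "pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs",
    ):
        print(parse_purl(sample))
```

Because the parse is structural, two spellings of the same package (for example `pkg:PyPI/Django_Rest@3.14` and `pkg:pypi/django-rest@3.14`) produce equal `PackageURL` values, which is the property that lets vulnerability databases and SBOM tools match records produced by different ecosystems' tooling.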