SPDX SBOM Format Deep Dive: Compliance, Security & the Future of Software Metadata
Author: Nerding Out With Viktor
Uploaded: 2025-01-16
Views: 131
Description:
What makes the SPDX SBOM format a cornerstone of modern software transparency? In this episode of Nerding Out with Viktor, host Viktor Petersson is joined by Kate Stewart (Linux Foundation) and Gary O’Neall (SPDX contributor) to explore how SPDX evolved from a license compliance tool into a critical standard for security, supply chain management, and regulatory readiness.
They discuss real-world use cases from Zephyr, Yocto, and the Linux kernel, explain the challenges of circular dependencies and incomplete metadata, and walk through how SPDX is adapting to safety-critical systems and CI/CD pipelines. You'll also hear how global regulation from NIST to the EU CRA is pushing SBOM adoption forward.
Whether you're an open source maintainer, security engineer, or developer navigating compliance, this episode unpacks the complexity of SBOMs in a practical, accessible way.
You’ll learn about:
* How SPDX started and why it matters today
* SPDX’s shift from licensing to full software transparency
* Build-time SBOM generation in embedded systems
* How graph-based modeling helps map software relationships
* Challenges with circular dependencies & CI/CD pipelines
* SPDX’s role in meeting global regulatory requirements
Timestamps:
00:00 - Intro & guest welcome
03:00 - The origin of SPDX in licensing & M&A
08:00 - SPDX use cases beyond license compliance
12:00 - Build-time SBOMs: Zephyr, Yocto & embedded use
18:00 - Graph modeling, circular dependencies & known unknowns
25:00 - SBOM completeness, CI/CD integration & SPDX 3.0
32:00 - SPDX license list, tooling gaps & cleanup efforts
38:00 - Kernel SBOMs & working with the Linux Foundation
44:00 - Regulatory push: CRA, NIST, PCI DSS & more
48:00 - Community-driven development & contributing to SPDX