Brussels / 3 & 4 February 2024


How to make SPDX industry standard for AI/ML

With SBOMs being required and SPDX meeting ISO/IEC 5962:202. It is beneficial for developers to adopt SPDX to generate the SBOM for their software. However, with AL and ML taking more and more centre stage in modern applications, how can we make sure SPDX can be useful to AI/ML applications?


Recently since the bill from the US government has made SBOM the standard in software distributions, all developers have started to think about how they can automate and generate SBOM with all the components stated as required. SPDX is one of the obvious choices for all as its specification is recognized as the international open standard for security.

The stable release of SPDX 2.3 is good enough for most applications. Looking forward, as modern software applications are getting more and more complicated and there are more and more components involved - with the popularity of big data and AI/ML, many applications will involve data and data pipelines. These would need to be considered when generating SBOM in the future.

In this talk, we will look into what has SPDX 2.3 achieved, what is added in SPDX 3.0 for data and AI, and how we can encourage the AI/Ml community to consider SPDX in their applications.


Bring awareness of SBOM and SPDX to the developers and data community. Suggest some strategies in getting more adoption, especially the adoption of SPDX 3.0 to AI/ML communities.

Target Audiences

Developers and engineers who work with data. Community leaders who are interested in encouraging the community to build safer software.


  • Introduction of SBOM and SPDX
  • What SPDX 2.3 has achieved and why it is a good tool
  • What is new in SPDX 3.0 and why they are needed
  • How to get the AI/ML and data community to adopt SPDX 3.0
  • Conclusion and Q&A


Photo of Cheuk Ting Ho Cheuk Ting Ho