Brussels / 3 & 4 February 2024


SPDX in the Yocto Project

SPDX 2.2 has been implemented in the Yocto Project (YP) as its SBoM standard of choice. Since 2023, the YP's reference distribution, Poky, has generated it by default in each distribution build. With numerous questions posted about the feature, it seems that many people are using it.

The story does not end here, however. Joshua and Marta will explain the experience with SPDX 2.2: the elements that worked and those that did not. The year 2023 also brought a proof-of-concept implementation of the upcoming SPDX 3.0, which addresses pain points of 2.2 and adds new features. This will be the other part of the talk: the proposed architecture, the expected new features, and the decisions to be made about the actual data to output so that the SBoM is as useful as possible for users.


Joshua Watt