Not the cross-ecosystem format the name suggests.
The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.
SBOM 1.0: A specification for sandwich supply chain transparency.
Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.