On Thu, 2025-12-11 at 15:32 +0000, Holger Levsen wrote:
> On Thu, Dec 11, 2025 at 03:32:26PM +0100, Felix Moessbauer wrote:
> > * Package name : debsbom
> > * License : MIT
> > debsbom generates SBOMs (Software Bill of Materials) for distributions
> > based on Debian in the two standard formats SPDX and CycloneDX.
> > The generated SBOM includes all installed binary packages and also contains
> > Debian Source packages.
>
> awesome! kudos & thank you! <3

I'm happy to hear that!

> Disclaimer: I haven't looked at it yet and *I* don't need it but we have
> discussed this for many years already so I'm glad someone/you finally
> wrote this!

Please have a look at our documentation, where we describe how we map the
package metadata onto the fields of the SBOM [1].

[1] https://siemens.github.io/debsbom/design-decisions.html

> Does it download/include .buildinfo files into the SBOMs?

debsbom has a multi-stage approach, where the first stage is generating
the SBOM with all the data we have (dpkg-status, apt cache for checksums).
The output is the SBOM (either CycloneDX or SPDX). The "debsbom download"
reads such an SBOM and then takes care of looking up the binary and source
packages on snapshot.d.o (or others), based on <name> <version> <arch> and
the checksum. Currently we don't download the .buildinfo files, but this
can easily be extended. For details, please have a look at our examples
in [2].

[2] https://siemens.github.io/debsbom/examples.html

Christoph and I just gave a presentation about the tool which also provides
a brief overview of where we are coming from and what the tool is capable
of [3].

[3] https://opensource.siemens.com/meetups/2025isar/slides/08_Generating-SBOMs-With-isar_Steiger_Moessbauer.pdf

Best regards,
Felix

--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
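The second stage Felix describes, taking `<name> <version> <arch>` plus a checksum out of the SBOM and verifying what comes back, as an added illustration that is not debsbom's own code: it parses `pkg:deb` purls from a constructed CycloneDX fragment, derives the expected `.deb` file name (epoch stripped, as in the Debian archive), and refuses to call a fetched file verified when the SBOM carried no checksum or the checksum does not match. The SBOM content, `CURL_BYTES` and the `libfoo` package are constructed for the example.

```python
import hashlib
from urllib.parse import parse_qs, unquote, urlparse

# Constructed stand-in for a downloaded .deb; its SHA-256 is what the SBOM records.
CURL_BYTES = b"constructed stand-in for curl_8.5.0-2_amd64.deb"

# Constructed CycloneDX-style fragment (not debsbom output); purls use the
# purl spec's pkg:deb form with the architecture as a qualifier.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "curl", "version": "8.5.0-2",
         "purl": "pkg:deb/debian/curl@8.5.0-2?arch=amd64",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(CURL_BYTES).hexdigest()}]},
        # Epoch is percent-encoded in the purl; no checksum was recorded.
        {"type": "library", "name": "libfoo", "version": "1:2.0-1",
         "purl": "pkg:deb/debian/libfoo@1%3A2.0-1?arch=amd64"},
    ],
}

def parse_deb_purl(purl):
    """Return (name, version, arch) from a pkg:deb purl."""
    u = urlparse(purl)  # scheme "pkg", path "deb/debian/curl@8.5.0-2"
    if u.scheme != "pkg" or not u.path.startswith("deb/"):
        raise ValueError(f"not a Debian purl: {purl}")
    name, _, version = u.path.split("/")[-1].partition("@")
    arch = parse_qs(u.query).get("arch", ["all"])[0]
    return unquote(name), unquote(version), arch

def deb_filename(name, version, arch):
    """Archive file name; the epoch is not part of a .deb file name."""
    return f"{name}_{version.split(':', 1)[-1]}_{arch}.deb"

def lookup_records(sbom):
    """One lookup key per component: identity plus the checksum to verify."""
    records = []
    for comp in sbom["components"]:
        name, version, arch = parse_deb_purl(comp["purl"])
        sha256 = next((h["content"] for h in comp.get("hashes", [])
                       if h["alg"] == "SHA-256"), None)
        records.append({"name": name, "version": version, "arch": arch,
                        "file": deb_filename(name, version, arch),
                        "sha256": sha256})
    return records

def verify_download(record, data):
    """'verified' only if the SBOM carried a checksum and it matches."""
    if record["sha256"] is None:
        return "unverifiable"  # fetchable by name/version/arch, but not attested
    ok = hashlib.sha256(data).hexdigest() == record["sha256"]
    return "verified" if ok else "mismatch"
```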

