Bug#1122577: ITP: debsbom -- Software Bill of Materials generator for distributions based on Debian

Holger Levsen holger at layer-acht.org
Thu Dec 11 15:32:34 GMT 2025


----- Forwarded message from Felix Moessbauer <felix.moessbauer at siemens.com> -----

Date: Thu, 11 Dec 2025 15:32:26 +0100
From: Felix Moessbauer <felix.moessbauer at siemens.com>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Cc: Felix Moessbauer <felix.moessbauer at siemens.com>
Subject: Bug#1122577: ITP: debsbom -- Software Bill of Materials generator for distributions based on Debian
Reply-To: Felix Moessbauer <felix.moessbauer at siemens.com>, 1122577 at bugs.debian.org
Message-ID: <20251211143246.676938-1-felix.moessbauer at siemens.com>
X-Mailer: git-send-email 2.51.0
X-Mailer: reportbug 13.2.0
List-Id: <debian-devel.lists.debian.org>

Package: wnpp
Severity: wishlist
Owner: Felix Moessbauer <felix.moessbauer at siemens.com>
X-Debbugs-Cc: debian-devel at lists.debian.org

* Package name    : debsbom
  Version         : 0.5.1
  Upstream Contact: Felix Moessbauer <felix.moessbauer at siemens.com>
* URL             : https://github.com/siemens/debsbom
* License         : MIT
  Programming Lang: Python
  Description     : Software Bill of Materials generator for distributions based on Debian

debsbom generates SBOMs (Software Bill of Materials) for distributions based on Debian in the two standard formats SPDX and CycloneDX.
The generated SBOM includes all installed binary packages and also contains Debian Source packages.

While the package is still quite young, it already has some known
adoption within the Debian community. It also is the first SBOM
generator (we know of) that fully integrates with the Debian tooling
(dpkg and apt) and that is packageable in Debian.
All needed dependencies are already in sid.

The package further has extensive documentation and clearly documents
design decisions regarding HOW to fill in the various format fields.
This can further be used to work on remaining gaps in Debian to generate
"perfect" SBOMs from the list of installed packages.

I plan to maintain it under the Debian Python Team.

Best regards,
Felix Moessbauer
Siemens AG


----- End forwarded message -----

-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

“Bitcoin was supposed to demonstrate the power of a true free market. Instead
 it's full of scams, rent-seekers, theft, useless for real purchases and
 accelerates climate change. Mission accomplished.” Adam Chalmers (@adam_chal)
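The ITP above describes the core job of a Debian SBOM generator: enumerate the installed binary packages from dpkg, derive the source packages they were built from, and emit the result in a standard format such as CycloneDX. The following is an added illustration of that mapping, written for this page; it is not debsbom's code and makes none of debsbom's documented field-filling decisions. It parses a constructed excerpt in the format of `/var/lib/dpkg/status` (the package names and versions are invented), keeps only packages whose status is `installed`, derives source name and version from the `Source` field (including the binNMU form `Source: name (version)`), builds `pkg:deb/debian/...` purls (`?arch=source` for source packages, as in the purl specification's Debian examples) and assembles a minimal CycloneDX 1.6-shaped document. The `DebPackage` class and the `build_sbom` helper are this example's own names.

```python
"""Minimal CycloneDX-style inventory from dpkg status data (added example, not debsbom)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed excerpt in the format of /var/lib/dpkg/status; package names and
# versions are invented for this example and do not describe a real system.
SAMPLE_DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Architecture: amd64
Source: example
Version: 1.2.3-4
Description: example shared library
 continuation line of the description field

Package: example-tools
Status: install ok installed
Architecture: amd64
Source: example (1.2.3-4)
Version: 1.2.3-4+b1

Package: old-config-only
Status: deinstall ok config-files
Architecture: amd64
Version: 0.9-1

Package: standalone
Status: install ok installed
Architecture: all
Version: 2:5.0~rc1-1
"""


@dataclass(frozen=True)
class DebPackage:
    name: str
    version: str
    arch: str  # "source" marks a source package

    @property
    def purl(self) -> str:
        # Debian version strings use only [A-Za-z0-9.+:~-]; this example leaves
        # them unencoded, a production generator should apply the purl spec's
        # percent-encoding rules.
        return f"pkg:deb/debian/{self.name}@{self.version}?arch={self.arch}"


def parse_dpkg_status(text: str) -> list[dict[str, str]]:
    """Split the file into stanzas of 'Field: value' lines; continuation
    lines (leading whitespace) are appended to the previous field."""
    stanzas: list[dict[str, str]] = []
    fields: dict[str, str] = {}
    last: str | None = None
    for line in text.splitlines():
        if not line.strip():
            if fields:
                stanzas.append(fields)
            fields, last = {}, None
            continue
        if line[0] in " \t" and last is not None:
            fields[last] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        fields[last] = value.strip()
    if fields:
        stanzas.append(fields)
    return stanzas


def source_of(fields: dict[str, str]) -> tuple[str, str]:
    """Derive (source name, source version) from a binary package stanza.
    The Source field is either 'name' or 'name (version)'; the latter appears
    when the binary version differs (e.g. binNMU suffix '+b1'). If the field is
    absent, the source package shares the binary's name and version."""
    src = fields.get("Source")
    if not src:
        return fields["Package"], fields["Version"]
    name, _, rest = src.partition(" ")
    rest = rest.strip()
    if rest.startswith("(") and rest.endswith(")"):
        return name, rest[1:-1]
    return name, fields["Version"]


def installed_packages(stanzas: list[dict[str, str]]) -> tuple[list[DebPackage], list[DebPackage]]:
    """Return (binary packages, deduplicated source packages) for installed entries only.
    Packages left in 'config-files' state are not part of the installed software."""
    binaries: list[DebPackage] = []
    sources: dict[tuple[str, str], DebPackage] = {}
    for f in stanzas:
        if f.get("Status", "").split()[-1:] != ["installed"]:
            continue
        binaries.append(DebPackage(f["Package"], f["Version"], f["Architecture"]))
        sname, sver = source_of(f)
        sources[(sname, sver)] = DebPackage(sname, sver, "source")
    return binaries, sorted(sources.values(), key=lambda p: (p.name, p.version))


def build_sbom(status_text: str) -> dict:
    """Assemble a minimal CycloneDX 1.6-shaped document (this example's own field choices)."""
    binaries, sources = installed_packages(parse_dpkg_status(status_text))

    def component(p: DebPackage) -> dict:
        return {"type": "library", "bom-ref": p.purl, "name": p.name,
                "version": p.version, "purl": p.purl}

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "components": [component(p) for p in binaries + sources],
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_DPKG_STATUS), indent=2))
```

Two details matter for supply-chain use: the `config-files` entry is excluded (its code is gone, so listing it would inflate the inventory and produce false vulnerability matches), and the two binaries built from `example 1.2.3-4` collapse into one source component, which is the identity an advisory or a rebuild-for-reproducibility check is keyed on.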