SBOMs for Debian
With the EU Cyber Resilience Act (CRA) looming on the not-so-distant horizon, SBOMs have emerged as the primary standard for describing the contents of your products. As none of the available tools produced adequate SBOMs for Debian-based systems, we decided to roll our own: debsbom, which is already available for Debian and has a backport for Debian trixie.
In this talk I will cover what SBOMs are, what makes them actually useful, and what this means specifically for Debian SBOMs. I will take a dive into Debian packages and their relationships, and how all of that can be modeled in an SBOM. To bring it all together, I will go through common workflows and how they can now be automated with the help of debsbom.
I would also like to use this talk to open a discussion about some areas of improvement for Debian packages.