Where in the OSS Supply Chain do SBOM attributes come from?

H.2213 | Day 2 | 14:00 - 14:30 | Speakers: Salve J. Nilsen

Abstract

2025 may become "the year of SBOM" in the EU. Businesses and other institutions are taking the first steps to explore the new demands of the Cyber Resilience Act and the NIS2 directive – and soon they'll start asking some important questions:

  • What are the sources of the required metadata?
  • How do we ensure they are authoritative, up-to-date and correct?
  • What can we do to help these sources help us?

Sadly, the answer isn't that simple – legislative demands for SBOM attributes are coming from many places, and the software ecosystems need to take all these demands into account. Is this a train-wreck in the making?

In this talk, Salve J. Nilsen will share some of his findings on this matter – the attributes, the volunteers and the regulations. After this talk we'll have an idea of what this landscape looks like, and how to improve it!

Speakers

Salve J. Nilsen
