Other best practices - Linux Foundation

[mgifford]

It would be interesting to align with other best practices, such as the ones that the Linux Foundation is building. Software Bill of Materials (SBOM) come mind https://openssf.org/technical-initiatives/sbom-tools/

Understanding the packages which make up a Certified DPG is a good practice. Use of this scorecard could be useful too:
https://openssf.org/projects/scorecard/

[AmreenTaneja]

Thank you for sharing this @mgifford We are currently working on fine-tuning Indicator 8- Adherence to Standards and best practices and will consider these, especially for software DPGs- @ricardomiron

[kjetilk]

A Software Bill of Materials is very important to ensure that communities are able to follow up on security problems in upstream components. In the European context, it has become absolutely crucial due to the Cyber Resilience Act, which is legislation that does place a poorly understood risk on volunteer software developers. An SBOM could help alleviate some of these concerns.

It is also very relevant to the information security of developing nations, as they may not be resourced to follow up on this themselves.

[AmreenTaneja]

Following this GitHub issue and our discussions at the DPG Standard Council meetings, we’re proposing that Open Software DPG applicants be required to submit a Software Bill of Materials (SBOM) as part of their documentation under Indicator 4: Platform Independence, of the DPG Standard.

The goal is to strengthen transparency, security, and reusability by ensuring that all software dependencies and components are clearly listed and traceable. This would help align with global best practices for open software assurance, supply chain risk management, and long-term sustainability.

We would like to get the community's feedback on:

- Do you already track the SBOM for your solution (either manually or automatically)?
- Are there preferred formats or tools for SBOM submission we should recommend?
- Are there any potential challenges or considerations we should keep in mind?

Thank you in advance for your inputs!