[FOSDEM] CfP for SBOMs and Supply Chains devroom in FOSDEM 2026
Alexios Zavras
fosdem at zvr.gr
Tue Nov 11 13:18:00 UTC 2025
[An online copy of this text is at https://hackmd.io/@spdx/FOSDEM-2026-CfP]
# FOSDEM 2026 - SBOM and Supply Chain devroom info and CfP
FOSDEM is one of the world's premier meetings of free software developers, with thousands of people attending each year. FOSDEM 2026 will take place on the weekend of 31 January and 1 February 2026 in Brussels.
This is the Call for Participation (CfP) in the Software/System Bill of Materials (SBOM) and Supply Chain Devroom at FOSDEM 2026.
## Overview
The SBOM and Supply Chain Devroom will be an in-person event in a room and time slot to be announced later.
The SBOM and Supply Chain Devroom at FOSDEM is an informal, technical event oriented to authors, users, and enthusiasts of FOSS programs that produce, consume, or transform SBOM, and help the supply chain.
The goal of the devroom is for interested people to get in touch with each other, exchange ideas and opinions, have interesting and hopefully productive discussions, and finally what is most important: have fun.
**We are looking for presenters!**
## Devroom info
The FOSS community has always been about collaboration and sharing, but we're facing serious challenges with software supply chain security. Recent attacks like the XZ Utils backdoor and the chalk npm package hack show that nobody's safe.
The technical landscape is getting more complex too. AI and ML components are everywhere now, and they bring entirely new headaches, including training data provenance, model versioning, and AI-specific vulnerabilities. Additionally, regulations like the EU Cyber Resilience Act are turning what used to be "nice to have" into actual legal requirements with real deadlines and penalties.
SBOM are now absolutely critical. They're at the center of meeting compliance requirements, tracking vulnerabilities, and understanding what's actually in any packaged software. But creating and maintaining SBOM shouldn't be another burden on already-stretched maintainers, especially those running small projects solo or with tiny teams. These projects are often the building blocks that everything else depends on, but they simply don't have resources for comprehensive security audits or complex SBOM tooling.
We can't just leave them to figure this out alone. Let's help every project together.
This devroom is about tackling these shared problems together, as a community. We're not just talking about SBOM as compliance checkboxes. We're focused on defining SBOM, building FOSS tools, sharing data, and figuring out practical approaches that actually work. By collaborating, we can:
- stop reinventing the wheel across different projects
- build better, more interoperable solutions
- make it easier for smaller projects to participate
- keep compliance tools free and accessible
- actually strengthen the security of the software we all depend on
We're bringing together maintainers, developers, contributors, policy makers, and enterprise folks — basically everyone dealing with these challenges. FOSDEM is the perfect place to have these conversations because we're all in the same room, sharing ideas, and working on real solutions. Let's work together to meet regulatory requirements, improve security, and keep open source thriving throughout the entire software supply chain.
## Call for participation
We are interested in presentations on any novel topic related to SBOM and the Supply Chain: usage, content, definitions, standardization efforts, etc.
An indicative, non-exclusive, list of topics is:
- Use of different types of SBOM in Supply Chain
- Evolving areas of SBOM content: AI, Functional Safety, etc.
- Supply Chain topics like verification, trust, and linking of various relevant artifacts
- Case studies and lessons learned from real-life use
- Special areas of interest not covered by current efforts
### First-time speakers
FOSDEM devrooms are a welcoming environment for people who have never given a talk before. Please feel free to contact the devroom administrators personally if you would like to ask any questions about it.
### Submission guidelines
Please submit your proposals via [FOSDEM Pretalx], FOSDEM's submissions tool, selecting **"SBOMs and Supply Chains"** as the track.
The deadline for submissions is **30 November 2025** in Brussels timezone (`2025-11-30T2300Z`).
We will be looking for relevance to the conference and devroom themes, but essentially any novel on-topic presentation would qualify. Please note the emphasis on _novel_ and do not submit work that is already known to a large number of people. Also note that the audience is expected to be _developers_ of Free and Open Source Software and will most probably be knowledgeable in at least some aspects of SBOM and Supply Chain. Therefore aim your presentation accordingly; no need to introduce what SBOMs are, for example.
Feel free to indicate in the "Submission Notes" area your preferred duration for your presentation between 5 and 30 minutes, but please note that the final decision on duration will be made by the devroom organizers based on the number of accepted proposals. As the overall duration of the devroom is fixed, the only way to accommodate more speakers is by limiting the length of each talk. Keep in mind that, as the event will be in-person, we also need to account for switching between speakers. Shorter presentations are **strongly** encouraged!
Please note that FOSDEM aims to live-stream and record all presentations. The CC-BY license is used for the recordings.
## Volunteers needed
To make the devroom run successfully, we are always looking for volunteers. If you will be attending the devroom and would like to help run it better, please reach out to the organizers!
## Spread the word and discuss
If you know of any mailing lists or other online venues where this info and CfP would be relevant, please feel free to forward this document.
## Contact
The organizers of the devroom can be reached by sending email to <sboms-and-supply-chains-devroom-manager at fosdem.org>. Please do not hesitate to contact us if you have any inquiry or suggestion for the devroom.
For any private queries, you may also contact the organizers directly:
- Alexios Zavras <fosdem at zvr.gr>
- Kate Stewart <stewart at linux.com>
- Adolfo García Veytia <adolfo.garcia at uservers.net>
- Thomas Steenbergen <thomas at aboutcode.org>
[FOSDEM]: https://fosdem.org
[FOSDEM Pretalx]: https://pretalx.fosdem.org/fosdem-2026/cfp
-- zvr -