=== FreeBSD Software Bill of Materials

Links: +
link:https://github.com/pkgconf/pkgconf/pull/484[spdxtool: Add parameter for using URI as SPDX id] URL: link:https://github.com/pkgconf/pkgconf/pull/484[] +
link:https://github.com/pkgconf/pkgconf/pull/483[spdxtool: Add cli parameter for changing SPDX id] URL: link:https://github.com/pkgconf/pkgconf/pull/483[] +
link:https://github.com/pkgconf/pkgconf/pull/475[spdxtool: spdxtool: Add homepage handling] URL: link:https://github.com/pkgconf/pkgconf/pull/475[] +
link:https://github.com/pkgconf/pkgconf/pull/474[spdxtool: Add source handling to SBOM] URL: link:https://github.com/pkgconf/pkgconf/pull/474[] +
link:https://github.com/pkgconf/pkgconf/pull/473[spdxtool: Add support for copyright text] URL: link:https://github.com/pkgconf/pkgconf/pull/473[] +
link:https://github.com/pkgconf/pkgconf/pull/461[spdxtool: Rework of License-tag SDPX expression evaluation] URL: link:https://github.com/pkgconf/pkgconf/pull/461[] +
link:https://github.com/pkgconf/pkgconf/pull/450[Add some stricter compiler warnings and overcome new warnings ] URL: link:https://github.com/pkgconf/pkgconf/pull/450[] +
link:https://github.com/pkgconf/pkgconf/pull/447[libpkgconf/libpkgconf.h: Add printf-like attributes to functions] URL: link:https://github.com/pkgconf/pkgconf/pull/447[] +
link:https://github.com/pkgconf/pkgconf/pull/446[spdxtool: Update variables that are const to const] URL: link:https://github.com/pkgconf/pkgconf/pull/446[] +
link:https://github.com/pkgconf/pkgconf/pull/445[man/spdxtool.1: Add man page for spdxtool] URL: link:https://github.com/pkgconf/pkgconf/pull/445[] +
link:https://cgit.freebsd.org/src/log/?qt=author&q=Tuukka+Pasanen[Added SPDX-License-Identifiers] URL: link:https://cgit.freebsd.org/src/log/?qt=author&q=Tuukka+Pasanen[] +
link:https://github.com/freebsd/freebsd-src/compare/main...illuusio:freebsd-src:update-spdx-licenses[SPDX-License-Identifiers up-to review and waiting for upstreaming] URL: link:https://github.com/freebsd/freebsd-src/compare/main...illuusio:freebsd-src:update-spdx-licenses[] +
link:https://reviews.freebsd.org/D55461[Issue open for commenting and review: caesar: Add SPDX-License-Identifier tags] URL: https://reviews.freebsd.org/D55461[] +
link:https://github.com/illuusio/freebsd-src/tree/sbom-pkgconfig/release/sbom[.pc file for SBOM metadata (WIP)] URL: https://github.com/illuusio/freebsd-src/tree/sbom-pkgconfig/release/sbom

Contact: Tuukka Pasanen <tuukka.pasanen@ilmi.fi>

The FreeBSD Software Bill of Materials (SBOM) project started in 2025 and continued in 2026.
Work in 2026 has focused more on the EU Cyber Resilience Act (CRA), and the effort has shifted toward delivering a framework for FreeBSD source.

In the first quarter of 2026, SBOM work was delivered in three categories:

* Pkgconf upstream work, especially with spdxtool-tool, which is used for creating SPDX Lite 3.0.1 JSON-LD SBOMs from [.filename]#.pc#-files. +
Several missing features have been added and are under active development by pkgconf contributors. +
The tool is now nearly compatible with SPDX Lite 3.0.1 requirements and is ready for general use. +
Additionally, there is an effort to import pkgconf as part of the FreeBSD source, led by Pierre Pronchery.
* Adding missing SPDX-License-Identifier to files under the FreeBSD source in the [.filename]#bin#, [.filename]#sbin#, [.filename]#usr.bin#, and [.filename]#usr.sbin# directories.
* Creating [.filename]#.pc#-files for SBOM.
The first patch is expected to land in 2026Q2, starting with files from [.filename]#bin#.

If you want to help with this effort:

* Verify that SPDX-License-Identifier licenses are correct and assist with upstreaming files.
* Verify that [.filename]#.pc# files contain accurate information and help upstreaming them to git.
* Assist in reviewing the pkgconf import to the FreeBSD source.

Sponsor: The FreeBSD Foundation