I’ve been thinking about continuous SBOM diffing for a while, but the subject appears to be even more important than I initially thought. Yesterday (November 11, 2025) I attended the SBOMit workshop, which was part of KubeCon NA 2025. SBOMit is an OpenSSF project that deals with SBOM correctness, validity and verification. Specifically, the demo… Continue reading SBOM Diffing: Next Frontier for Supply Chain Security
Author: taleodor
AI Proof Businesses
Here is my honest take on AI-resilient businesses as a startup founder: AI, being a sophisticated statistics machine, is unbeatable at quickly analyzing vast amounts of human knowledge, establishing patterns and finding solutions or bugs based on this data. But what AI cannot do is predict human decisions. So as long as we do… Continue reading AI Proof Businesses
My Talk on TEA at BSides Toronto
Below is the YouTube recording of my talk “Transparency Exchange API: How We Will Share xBOMs”, given on October 4th at BSides Toronto. Slides are available here.
npm Has Become a Russian Roulette
npmjs.org is arguably the world’s largest package repository. In 2022 it was estimated to serve over 43 billion downloads every week. I found no recent estimates, but the number should be much higher today. In the past several weeks, there have been 3 identified large-scale phishing/malware attacks on npmjs.org:
Playing Russian Roulette
The common… Continue reading npm Has Become a Russian Roulette
SBOM Developments for July 2025
This post is mostly for myself, just so I don’t have to keep a lot of browser tabs open. There are many projects aimed at developing the SBOM ecosystem, but no aggregation of them, as the field is being actively developed. So here is a list of active links in the field:
Combinatorial Explosion of Versions 5 Years Later
Five years ago, I started working on the problem of combinatorial explosion of versions described in my earlier blog post. Today I would like to summarize the journey of these five years and where we are headed next in this research.
I. Scope of the Versioning Problem
Five years ago, I was very invested in the… Continue reading Combinatorial Explosion of Versions 5 Years Later
ReARM Updates
We’ve been quite busy with the ReARM project. Here are the notable updates from the past couple of weeks: Several new exciting features will be released soon. Get in contact with me on LinkedIn or via other means if you would like to learn more.
Why “Dynamic SBOM” is a Misconception
This follows my recent posts on SBOM tooling and SBOM updates. I keep reading that publishers should strive for something called a “Dynamic SBOM”, where a tool continuously updates an SBOM per Product or Component that they produce. However, that is not how the transparency system should work. SBOMs should be scoped to a specific release… Continue reading Why “Dynamic SBOM” is a Misconception
ReARM Now Supports Transparency Exchange API
Reliza just announced ReARM support for Transparency Exchange API (TEA) Beta 1. Read the details here. I believe this is the world’s first implementation. This is a big milestone for me, as I was involved in the creation of TEA for the past year, almost since its inception. TEA is an effort to create a common approach of how… Continue reading ReARM Now Supports Transparency Exchange API
Why New Generation of SBOM Tools Matters
As a preface for what I mean by old-generation tooling, here is a screenshot from the Semgrep documentation: Essentially, this asks developers to centre their SBOM generation efforts around the main branch of a repository. To expand on this, the legacy generation of tooling simply slaps an SBOM onto a security scan, resulting in a single… Continue reading Why New Generation of SBOM Tools Matters