Loading…
June 23 - 25, 2025
Denver, Colorado
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Mountain Daylight Time (UTC/GMT -6). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
← Back to schedule
Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption - Gopi Krishnan Rajbahadur & Elyas Rashno, Queen's University; Mihai Maruseac, Google; Karen Bennet, Responsible AI Solutions
Wednesday June 25, 2025 3:05pm - 3:45pm MDT
Bluebird Ballroom 2F
The Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA) are key frameworks for securing modern software supply chains. SPDX SBOM provides a detailed inventory of software components, dependencies, and metadata, while SLSA ensures these components are built through verifiable, tamper-resistant processes with clear provenance.

This talk will examine the synergies and differences between SLSA and SPDX SBOM, focusing on how SLSA’s provenance and authentication mechanisms can enhance the trustworthiness of SBOMs. We will explore overlapping fields captured by both standards, emphasizing the importance of interoperability and a shared roadmap to reduce duplication while leveraging their respective strengths.

A clear separation of concerns, with SLSA handling provenance and verification, and SPDX SBOM capturing comprehensive component metadata, can reduce redundancy and promote more efficient adoption. This session will outline how aligning these standards can improve software supply chain security and reliability, while fostering collaboration for cohesive evolution within the open-source community.
Speakers
avatar for Gopi Krishnan Rajbahadur

Gopi Krishnan Rajbahadur

Research Fellow, Queen's University
Gopi Krishnan Rajbahadur is a Research Fellow at Queen's University, Canada. He is currently working on SE for Large Language Models and the governance of AI datasets. He is the co-lead for the AI and datasets profile in the ISO/IEC 5692 SPDX standard and co-founder of the open-source... Read More →
avatar for Mihai Maruseac

Mihai Maruseac

Staff SWE, Google
Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, specifically for ML, but also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential... Read More →
avatar for Elyas Rashno

Elyas Rashno

Research Assistant, Queen’s University
I am a PhD student at Queen’s University with a background in Artificial Intelligence, specializing in transformer-based models and multimodal data fusion. My current work focuses on software engineering and the governance of dataset profiles. Additionally, I contribute to the development... Read More →
avatar for Karen Bennet

Karen Bennet

Executive Director, AI Expert for ISO and IEEE, Responsible AI Solutions
Executive Director, Responsible AI Solutions, former executive of IBM, Yahoo, Red Hat and multiple AI startups, Co-Chair of Linux Foundation SPDX AI and Dataset Groups, IEEE Vice Chair Technology Society Impact Committee, Canadian expert of ISO/IEC JTC 1/SC 42 Participant in US CISA... Read More →
Wednesday June 25, 2025 3:05pm - 3:45pm MDT
Bluebird Ballroom 2F
  Standards + Specifications

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share
Share Modal

Share this link via

Or copy link