The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
This schedule is automatically displayed in Central DaylightTime (UTC -5). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."
IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
Sign up or log in to add sessions to your schedule and sync them to your phone or calendar.
SBOMs tell you what's in your software. They don't tell you what you're allowed to do with it. License and attribution data is often missing or ambiguous -- a LICENSE file says MIT, but source files have Apache-2.0 headers. SBOM or not, you still don't know what to put in your notice file.
ClearlyDefined, an Open Source Initiative project, fills in that missing data. It runs automated license scans, then lets the community curate the results -- fixing misidentified licenses, adding missing attributions, and resolving conflicts between what a package claims and what its source files say.
In this session, I'll cover:
- Why SBOMs fall short on licensing: what's typically missing and where the gaps are worst - How ClearlyDefined's harvest-curate pipeline works, with a walkthrough of tracing a component from ambiguous scan to curated definition - How curations get contributed back upstream and why it matters for projects themselves, not just consumers
This talk is for anyone who's tried to build a license compliance workflow and found that the data isn't there yet.
Jamie Magee is a principal software engineer on Microsoft's supply chain security team. He focuses on dependency management and Software Bill of Materials (SBOM).
