In this episode of Nerding Out with Viktor, host Viktor Petersson speaks with Joshua Watt of Garmin and Ross Burton of ARM to explore how the Yocto Project is evolving to meet the growing demands of software supply chain security, embedded Linux customization, and long-term product maintenance. As two long-time contributors to Yocto and OpenEmbedded, Joshua and Ross share hard-earned insights on how build-time Software Bill of Materials (SBOMs) offer deeper accuracy and compliance benefits compared to traditional post-build analysis. They dig into how the integration of SPDX 3.0 in Yocto enables better license tracking, reproducibility, and component transparency, critical features for developers building connected products in regulated industries like industrial IoT, telecom, and automotive. The conversation also covers how VEX metadata can be used to prioritize vulnerabilities in real-world environments, and why reproducible builds using BitBake's hashserver infrastructure are becoming a cornerstone of secure firmware development. As global regulatory frameworks like the EU Cyber Resilience Act (CRA) push for stricter transparency and vulnerability management, the Yocto Project's native SBOM tooling is helping teams future-proof their embedded Linux stacks. Joshua and Ross also discuss the challenges of managing multi-layer board support packages (BSPs), handling closed-source components responsibly, and navigating SBOM creation across vendors in complex system builds. This episode is a must-listen for embedded engineers, firmware architects, and product teams who want to build secure, scalable Linux-based devices while staying ahead of compliance and lifecycle management needs.

]]>