Hi everyone,
I’d like to bring a bit more attention to an issue that will very soon affect all of us developing and distributing software in the EU.
With the Cyber Resilience Act (CRA), every software vendor in the EU will be required to provide a Software Bill of Materials (SBOM) for their products. This is not optional, and it’s not a distant future topic — it’s something we need to be prepared for.
That’s why I created a Feature Request asking Xojo to provide an official SBOM for each release:
https://tracker.xojo.com/xojoinc/xojo/-/issues/81203
The core idea:
We, as developers, are responsible for our own application SBOMs — but without a clear and transparent SBOM from Xojo itself, we’re effectively missing a critical part of the supply chain.
The request includes:
- SBOM per release version
- Platform-specific breakdowns for Desktop, Mobile, Web (Client & Server)
- OS-specific breakdowns for MacOS, Windows, Linux, iOS, Android
- Clear scope (only Xojo components, not project dependencies)
- Context on when components are actually included (e.g. only when using features like WebMapViewer)
Why this matters:
Right now, if you want to create a compliant SBOM, you either have to guess, reverse-engineer, or over-report dependencies — none of which is acceptable in a regulatory context.
This is not about adding “nice-to-have” features.
This is about basic transparency that will soon be legally expected from every software vendor operating in the EU, and from software developers developing for their own company.
If you think this is relevant (and realistically, it will be for most of us), I’d really appreciate your support and vote on the Feature Request.
The more visibility this gets, the higher the chance it will be prioritized.
Thanks for reading — and I’m curious to hear how others are currently dealing with this topic.
Daniel