| Re: [open-regulatory-compliance] CRA Standardisation request |
On 2025-02-17 14:22:38 +0100 (+0100), Lars Francke via open-regulatory-compliance wrote: [...] > And for companies who do NOT provide an SBOM it might be nice to issue > not-affected VEX for everything they become aware of because I have no > insight as a user what might be hiding in their software. [...] When coupled with other suggestions that the expectations should be the same for upstream open source projects, this becomes exceptionally problematic. The projects I'm involved in expressly avoid distributing compiled/binary artifacts or production-ready container images in order to not be liable for tracking and reporting on vulnerabilities in dependencies we don't produce, because (among other reasons) we lack the people and time to do a proper job of it. Instead we leave that to downstream organizations interested in commercially productizing the software our communities collaborate on creating. My understanding was that projects who don't produce products containing other projects wouldn't need an SBOM, but the only way I can see to satisfy your expectation here is for such projects to all produce empty SBOMs (or an SBOM that states that the project contains only itself). How do you personally see rectifying the need for a nak about vulnerabilities in projects which don't distribute other projects' software? Do you consider that to be a "special case" (from where I sit, it doesn't seem that uncommon at all)? -- Jeremy Stanley
Attachment:
signature.asc
Description: PGP signature