Re: [open-regulatory-compliance] CRA Standardisation request
On 2025-02-17 14:22:38 +0100 (+0100), Lars Francke via open-regulatory-compliance wrote:
[...]
> And for companies who do NOT provide an SBOM it might be nice to issue
> not-affected VEX for everything they become aware of because I have no
> insight as a user what might be hiding in their software.
[...]
When coupled with other suggestions that the expectations should be
the same for upstream open source projects, this becomes
exceptionally problematic.
The projects I'm involved in expressly avoid distributing
compiled/binary artifacts or production-ready container images in
order to not be liable for tracking and reporting on vulnerabilities
in dependencies we don't produce, because (among other reasons) we
lack the people and time to do a proper job of it. Instead we leave
that to downstream organizations interested in commercially
productizing the software our communities collaborate on creating.
My understanding was that projects who don't produce products
containing other projects wouldn't need an SBOM, but the only way I
can see to satisfy your expectation here is for such projects to all
produce empty SBOMs (or an SBOM that states that the project
contains only itself).
How do you personally see rectifying the need for a nak about
vulnerabilities in projects which don't distribute other projects'
software? Do you consider that to be a "special case" (from where I
sit, it doesn't seem that uncommon at all)?
--
Jeremy Stanley
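The reply above mentions a project that "contains only itself" producing an SBOM, plus "not-affected" VEX statements for vulnerabilities it becomes aware of. The following is an added example, not code from the mailing-list thread or from any project named in it; it assumes the CycloneDX 1.5 JSON format (the thread does not name a format) and uses constructed placeholder names, versions and a placeholder vulnerability id. It builds a self-only SBOM, attaches a `not_affected` analysis to the project's own component, and checks that the document really declares no third-party components.

```python
import json

# Constructed placeholders (not real projects or advisories).
PROJECT_NAME = "example-project"
PROJECT_VERSION = "1.2.3"
PROJECT_REF = "pkg:generic/example-project@1.2.3"
PLACEHOLDER_VULN_ID = "CVE-YYYY-NNNNN"  # placeholder, not a real identifier

# Justification values defined by the CycloneDX vulnerability analysis schema.
ALLOWED_JUSTIFICATIONS = {
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
}


def self_only_sbom(name, version, ref):
    """Minimal CycloneDX 1.5 document whose only described component is the
    project itself: the metadata component is set and `components` is empty."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "bom-ref": ref,
                "name": name,
                "version": version,
            }
        },
        "components": [],
    }


def add_not_affected(bom, vuln_id, justification, detail):
    """Append a VEX-style entry stating that the project's own component is
    not affected by vuln_id. Returns the document so calls can be chained."""
    if justification not in ALLOWED_JUSTIFICATIONS:
        raise ValueError(f"unknown justification: {justification}")
    own_ref = bom["metadata"]["component"]["bom-ref"]
    bom.setdefault("vulnerabilities", []).append({
        "id": vuln_id,
        "analysis": {
            "state": "not_affected",
            "justification": justification,
            "detail": detail,
        },
        "affects": [{"ref": own_ref}],
    })
    return bom


def third_party_component_count(bom):
    """Number of components other than the project itself."""
    return len(bom.get("components", []))


def check_self_only(bom):
    """True when the SBOM declares no third-party components and every
    vulnerability entry refers only to the project's own bom-ref."""
    own_ref = bom["metadata"]["component"]["bom-ref"]
    if third_party_component_count(bom) != 0:
        return False
    for vuln in bom.get("vulnerabilities", []):
        if any(a.get("ref") != own_ref for a in vuln.get("affects", [])):
            return False
    return True


def render(bom):
    """Serialize the document as it would be published."""
    return json.dumps(bom, indent=2, sort_keys=True)


if __name__ == "__main__":
    doc = self_only_sbom(PROJECT_NAME, PROJECT_VERSION, PROJECT_REF)
    add_not_affected(doc, PLACEHOLDER_VULN_ID, "code_not_present",
                     "Reported against a library this project does not ship.")
    print(render(doc))
    print("self-only:", check_self_only(doc))
```

The `check_self_only` function is the part worth keeping around: if a project that claims to ship only its own code ever gains an entry in `components`, or a VEX entry pointing at some other `bom-ref`, the claim in the thread (that the project has nothing downstream to track) no longer holds and the document should be regenerated rather than published.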