Re: [open-regulatory-compliance] CRA Standardisation request
On 2025-02-18 13:17:38 -0500 (-0500), Dick Brooks via open-regulatory-compliance wrote:
[...]
> IMO, A software producer should list all components contained in a
> “distributed package” (application, container, etc) within the
> SBOM that is used/installed by customers which could be listed in
> a vulnerability repository, i.e. NIST NVD, as containing a
> vulnerability.
The PEP 770 precursor discussions in the Python packaging community
came to rough consensus that packages should only contain an SBOM if
they include other vendored projects or embedded libraries for
compiled extensions, but that "pure-Python" packages which contain
only their namesake project without incorporating anything else
shouldn't need an SBOM at all under normal circumstances, because
there would be nothing to list in it.
https://discuss.python.org/t/sboms-for-python-packages-project/70261
--
Jeremy Stanley