| Re: [open-regulatory-compliance] CRA Standardisation request |
On 2025-02-18 13:17:38 -0500 (-0500), Dick Brooks via open-regulatory-compliance wrote: [...] > IMO, A software producer should list all components contained in a > “distributed package” (application, container, etc) within the > SBOM that is used/installed by customers which could be listed in > a vulnerability repository, i.e. NIST NVD, as containing a > vulnerability. The PEP 770 precursor discussions in the Python packaging community came to rough consensus that packages should only contain an SBOM if they include other vendored projects or embedded libraries for compiled extensions, but that "pure-Python" packages which contain only their namesake project without incorporating anything else shouldn't need an SBOM at all under normal circumstances, because there would be nothing to list in it. https://discuss.python.org/t/sboms-for-python-packages-project/70261 -- Jeremy Stanley
Attachment:
signature.asc
Description: PGP signature