Re: [open-regulatory-compliance] CRA Standardisation request

<stuff deleted>

> I haven't spent much time in Java-focused projects, but if I
> understand what you're saying I think we're in agreement. From a
> concrete proposal perspective, what upstream open source projects
> can do *now* is start making sure they're implementing standard
> descriptive metadata which current and future build tools can use to
> generate SBOMs for inclusion in distributed artifacts. There are
> likely plenty of other good reasons to be doing that anyway, and
> "free SBOMs down the road" is just another perk.

I agree that 'implementing standard descriptive metadata' is generally a good thing...worth doing for a lot of reasons...but practically speaking I don't think there are yet clear and complete 'standards' (OSGi, for example, is specified, but is a subset of Java-based libs).

> For example, Python packaging community discussions are leaning
> toward doing SBOM generation in the cibuildwheel/auditwheel tools,
> and using modern Python packaging metadata standards in projects
> makes that possible (or at least more accurate).

Progress...sure. But agreeing is just a prerequisite for implementing. I maintain a public Python project myself and although the metadata and supporting tooling has been/is improving, it's got a ways to go IMHO as my project's dependencies update frequently...requiring maintenance on my part.

> Telling open source communities that they should "start including
> SBOMs in their projects," on the other hand, simply doesn't make
> sense. An SBOM is part of a built artifact (and even then, only in
> artifacts where there's a need to indicate the presence of
> non-obvious included software), not something you expect to stick in
> your Git repo next to your deps list or lockfile.

I agree with you that telling open source communities that they should 'start including SBOMs in their projects' doesn't make sense. My point, however, is that if manufacturers are going to build/package/deploy/manage/secure products with tooling based upon open source library dependencies, then those OS lib authors will likely have to add and certainly have to maintain dependency metadata.
