On 2025-02-18 12:00:53 -0800 (-0800), Scott Lewis via open-regulatory-compliance wrote:
[...]
Admittedly it's valuable...but it's also *static*. Just the fact that in
osgi/p2 acceptable version *ranges* constraints are given for dependencies
means that the target environment (i.e. what else is present at install time
as well as what repos are know/available) will determine the dependency
resolution....i.e. what version of a dependency is resolved dynamically at
install time.
[...]
Are these dependencies effectively invisible when installed? It
seems like if the installer records what versions of which packages
it installed, then you don't have a need to ship an SBOM which tries
to predict things that will be installed. Shouldn't an SBOM be for
when you have versions of other projects embedded inside what's
directly shipped/packaged?
This is where I think different ecosystems are getting confused on
the point of SBOMs. Some seem to think an SBOM is for recording
non-obvious things that are being shipped inside an otherwise opaque
blob like a packaged application download or a container image,
others seem to think an SBOM is for recording all your dependencies
even if you're not distributing those and the end user is going to
install them from somewhere else.