davsclaus opened a new issue, #1678: URL: https://github.com/apache/camel-website/issues/1678
Apache Camel has shipped PGP-signed CycloneDX SBOMs (JSON + XML) with every release since 4.0.3, and Camel JBang provides a built-in `sbom` command for generating application-level SBOMs. However, this capability is not prominently surfaced on the website.

With the EU Cyber Resilience Act (CRA) requiring SBOM delivery for software sold in the EU, and US Executive Order 14028 making SBOMs a federal procurement expectation, enterprise teams increasingly treat "does it ship with an SBOM?" as a hard requirement. Camel already does the work — we should make it visible.

**Suggested changes:**

1. **Trust page** (`/trust/`): Add a new section (after "500+ dependencies kept current") highlighting that every Camel release ships with signed SBOMs and that Camel JBang can generate SBOMs for user applications.
2. **Download pages**: Consider making the SBOM artifacts more prominent or adding a brief explanation of what they are (the files are already listed but easy to overlook).
3. **Security page**: Consider a brief mention that SBOMs are available for supply chain risk analysis alongside the existing CVE advisories.

Currently SBOM is only mentioned in two blog posts from 2023 (Camel 4.1 and 4.3 "what's new").

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
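The issue above argues that the release SBOMs are only useful to consumers if they are easy to find and use for supply chain risk analysis. As an added illustration of that consumer side (example code written for this page, not part of the Camel project or the website), the script below parses a CycloneDX SBOM in either of the two formats Camel ships (JSON and XML) into one component inventory and checks it against a constructed, hypothetical list of affected coordinates. The SBOM documents and the advisory list are constructed inline; the Camel coordinates are the only real identifiers, and `org.example:widget-lib` is invented for the demonstration. Only the Python standard library is used.

```python
"""Parse CycloneDX SBOMs (JSON or XML) into a component inventory and
match it against a list of affected (group, name, version) coordinates.

Example code added for this page; not Camel project code.
"""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    purl: str


def parse_cyclonedx_json(text: str) -> list[Component]:
    """Read a CycloneDX JSON document and return its components."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON document")
    return [
        Component(c.get("group", ""), c["name"], c.get("version", ""), c.get("purl", ""))
        for c in bom.get("components", [])
    ]


def parse_cyclonedx_xml(text: str) -> list[Component]:
    """Read a CycloneDX XML document (default namespace) and return its components."""
    root = ET.fromstring(text)
    # ElementTree renders namespaced tags as "{uri}tag"; keep the prefix for lookups.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    if root.tag != ns + "bom":
        raise ValueError("not a CycloneDX XML document")

    def text_of(el: ET.Element, tag: str) -> str:
        child = el.find(ns + tag)
        return child.text.strip() if child is not None and child.text else ""

    # root.iter() also visits nested <component> entries, which CycloneDX allows.
    return [
        Component(text_of(c, "group"), text_of(c, "name"),
                  text_of(c, "version"), text_of(c, "purl"))
        for c in root.iter(ns + "component")
    ]


def find_affected(components: list[Component],
                  advisories: list[tuple[str, str, set[str]]]) -> list[Component]:
    """Return inventory entries whose exact version appears in an advisory.

    advisories: (group, name, {affected versions}); exact-match only, so a
    range-based advisory would need a version comparison this example omits.
    """
    hits = []
    for group, name, versions in advisories:
        hits.extend(c for c in components
                    if c.group == group and c.name == name and c.version in versions)
    return hits


# Constructed sample SBOMs (same three components in both formats).
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "group": "org.apache.camel", "name": "camel-core",
         "version": "4.3.0", "purl": "pkg:maven/org.apache.camel/camel-core@4.3.0"},
        {"type": "library", "group": "org.apache.camel", "name": "camel-http",
         "version": "4.3.0", "purl": "pkg:maven/org.apache.camel/camel-http@4.3.0"},
        {"type": "library", "group": "org.example", "name": "widget-lib",
         "version": "1.2.0", "purl": "pkg:maven/org.example/widget-lib@1.2.0"},
    ],
})

SAMPLE_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library"><group>org.apache.camel</group><name>camel-core</name>
      <version>4.3.0</version><purl>pkg:maven/org.apache.camel/camel-core@4.3.0</purl></component>
    <component type="library"><group>org.apache.camel</group><name>camel-http</name>
      <version>4.3.0</version><purl>pkg:maven/org.apache.camel/camel-http@4.3.0</purl></component>
    <component type="library"><group>org.example</group><name>widget-lib</name>
      <version>1.2.0</version><purl>pkg:maven/org.example/widget-lib@1.2.0</purl></component>
  </components>
</bom>"""

# Hypothetical advisory list (constructed; not a real CVE).
HYPOTHETICAL_ADVISORIES = [("org.example", "widget-lib", {"1.1.0", "1.2.0"})]


if __name__ == "__main__":
    inventory = parse_cyclonedx_json(SAMPLE_JSON)
    assert inventory == parse_cyclonedx_xml(SAMPLE_XML)
    for c in find_affected(inventory, HYPOTHETICAL_ADVISORIES):
        print(f"affected: {c.purl}")
```

Verifying the detached PGP signature that Camel ships beside each SBOM (for example with `gpg --verify`) should precede any parsing; the script assumes that step has already been done and only demonstrates how an SBOM consumer turns the file into an inventory that can be checked against advisories.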
