On Sat, 30 Mar 2024, Dan Fandrich via curl-library wrote:

> SPDX seems to be the standard SBOM format for this that tools are starting to expect. The format is able to handle complex situations, but given the very limited scope needed in curl and for source releases only, once you get a template file set up the first time filling in the details for every release should be simple.

I can't help but feel that this is aiming (much) higher than what I want to do. If someone truly thinks SPDX is a better way to provide this information then I hope someone will step up and convert the scripts to instead use this format.

This is an SBOM for the tarball creation, not for curl.

I'd rather start with something basic and simple, as we don't even know if anyone cares or wants this information.

> Even running "reuse spdx" in the curl tree (the same tool that's keeping curl in REUSE compliance in that CI build) will output an SPDX file for curl.

I tried it just now. It produces 86,000 lines of output! And yet I can't find a lot of helpful content within the output for our purpose here.

It does not seem like a suitable tool for this.

--

 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html