Dan, Thanks for sharing your insights.
My customers need the "Build SBOM", not a source SBOM. The SBOM must contain details of the components in the Windows Zip file used by consumers to install curl.

Per Daniel's recommendation I've entered an issue for this: https://github.com/curl/curl-for-win/issues/81

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: d...@businesscyberguardian.com
Tel: +1 978-696-1788

-----Original Message-----
From: Dan Fandrich <d...@coneharvesters.com>
Sent: Wednesday, July 9, 2025 12:42 PM
To: curl-users - the curl tool <curl-users@lists.haxx.se>
Cc: Dick Brooks <d...@businesscyberguardian.com>
Subject: Re: Release candidate 3: curl 8.15.0-rc3

On Wed, Jul 09, 2025 at 03:44:56PM +0200, Daniel Stenberg via curl-users wrote:
> On Wed, 9 Jul 2025, Dick Brooks wrote:
>
> > Congratulations. Any chance we will see an SBOM for curl in the future?
>
> The "normal" curl release does not need an SBOM. It is just one thing
> and this one thing comes only from us: the curl release.
>
> curl releases are done as source code tarballs with no third party code included.

The curl source is fully marked up with SPDX license tags, so you can generate your own accurate source-level SBOM in SPDX format with license information using the "reuse" tool. Just run "reuse spdx". See https://reuse.readthedocs.io for more information.

Dan

--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
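
Added example, not part of the thread and not code from curl or the reuse project: a source-level SBOM built from SPDX tags is only as complete as the tagging, so this sketch lists which files in a tree carry an in-file `SPDX-License-Identifier` tag and which do not. The function names and sample files are constructed for illustration, and only in-file headers are checked (reuse also accepts other sources such as `.license` sidecar files).

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# In-file tag defined by the REUSE specification; a trailing "*/" is dropped.
LICENSE_RE = re.compile(
    r"SPDX-License-Identifier:[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*\r?$", re.M)

def scan_tree(root, header_bytes=4096):
    """Return (per_file, untagged) for every regular file under root."""
    per_file, untagged = {}, []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # Only the file header is inspected; binary content decodes harmlessly.
        head = path.read_bytes()[:header_bytes].decode("utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        licenses = LICENSE_RE.findall(head)
        if licenses:
            per_file[rel] = licenses
        else:
            untagged.append(rel)
    return per_file, untagged

def license_summary(per_file):
    """Count how many files declare each license expression."""
    return Counter(lic for lics in per_file.values() for lic in lics)

def build_sample_tree(root):
    """Write constructed sample files (not taken from the curl source tree)."""
    samples = {
        "lib/url.c": "/*\n * Copyright (C) Example Author\n *\n"
                     " * SPDX-License-Identifier: curl\n */\nint x;\n",
        "scripts/build.sh": "#!/bin/sh\n# SPDX-License-Identifier: curl\n",
        "tests/helper.py": "# SPDX-License-Identifier: MIT\n",
        "docs/notes.md": "Release notes without any SPDX tag.\n",
    }
    for rel, text in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        tagged, missing = scan_tree(tmp)
        print("licenses:", dict(license_summary(tagged)))
        print("files without a tag:", missing)
```

This covers only the source side discussed in the reply; the components bundled into a binary package such as the Windows zip are outside what source tags can describe.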