Hi Dick.
On 2025-07-09 (Wed.) 19:00, Dick Brooks via curl-users wrote:
Dan,
Thanks for sharing your insights.
My customers need the "Build SBOM", not a source SBOM. The SBOM must contain
details of the components in the Windows Zip file used by consumers to
install curl.
Per Daniel's recommendation I've entered an issue for this:
https://github.com/curl/curl-for-win/issues/81
It's open source :-), so you can create the SBOM or the scripts which create
the SBOM and contribute to the open source project which you use for your customers.
Thanks,
Dick Brooks
Best Regards
Aleks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded. ™
https://businesscyberguardian.com/
Email: d...@businesscyberguardian.com
Tel: +1 978-696-1788
-----Original Message-----
From: Dan Fandrich <d...@coneharvesters.com>
Sent: Wednesday, July 9, 2025 12:42 PM
To: curl-users - the curl tool <curl-users@lists.haxx.se>
Cc: Dick Brooks <d...@businesscyberguardian.com>
Subject: Re: Release candidate 3: curl 8.15.0-rc3
On Wed, Jul 09, 2025 at 03:44:56PM +0200, Daniel Stenberg via curl-users
wrote:
On Wed, 9 Jul 2025, Dick Brooks wrote:
Congratulations. Any chance we will see an SBOM for curl in the future?
The "normal" curl release does not need an SBOM. It is just one thing
and this one thing comes only from us: the curl release.
curl releases are done as source code tarballs with no third party code
included.
The curl source is fully marked up with SPDX license tags, so you can
generate your own accurate source-level SBOM in SPDX format with license
information using the "reuse" tool. Just run "reuse spdx". See
https://reuse.readthedocs.io for more information.
Dan