On 2025-11-15, Gintautas Grigelionis wrote:

> On Sat, 15 Nov 2025 at 19:53, Stefan Bodewig <[email protected]> wrote:

>> On 2025-11-15, Gintautas Grigelionis wrote:

>>> So the whole idea is to produce SBOM manually based on Maven artifacts?

>> This is one of the options that I came up with. Not the only option and I
>> don't expect to have exhausted the solution space :-)

> Would you be willing to revisit the publishing by Ivy now that Ivy has the
> capability to produce the necessary SHA hashes?

I'm not sure how to answer that. We do publish Ant's "maven artifacts"
via Ivy.
https://github.com/apache/ant/blob/master/ReleaseInstructions#L186 - but
that's not the point.

AFAIK Ivy can not create an SBOM, so writing code that can do just that
based on an Ivy model has been one of the options I came up with. If we
wanted to do that we'd also need to use quite a bit more of Ivy than we
do right now in Ant's release process. In particular the Ivy file would
need to become aware of the dependencies as you can't create an SBOM
without knowing the dependencies.

Stefan
