On 2025-11-16, Gintautas Grigelionis wrote:

> Sorry for being unclear. I mean going back to PR 54 and taking another look
> at it.

Right now I am really only concerned with creating SBOMs, and the changes to ivy.xml made in your PR would help if Ivy could create SBOMs. As long as Ivy doesn't (and as long as we don't enable it to), the change doesn't help getting there.

> Then, Ivy needs a task that uses cyclonedx-core-java and/or
> spdx-java-library.

Right. Personally I'm not sure I have the time to create that, and I'm pretty sure I won't have the time to maintain it to keep up with changes to CycloneDX or SPDX. I'd be very happy to defer dealing with the latest CISA policy changes to the people who are actively involved in following the formats and evolving the libraries we'd use.

> If that's too much of a hassle, Maven can easily provide another
> cop-out. But I'd argue that dependency management ought to be done
> properly in order to produce a proper SBOM.

No argument with that; that's why all options I listed either depend on our existing Maven POMs, which provide that, or state we need to extend the ivy.xml or come up with a one-off solution based on libraries.properties. The latter would be completely sufficient for our traditional tarball/zip releases, as the artifact we'd be talking about is "all of Ant". The smaller things we push to Maven Central are more complex IMHO.

Stefan
