On 2026-05-25, Stefan Bodewig wrote:

> On 2026-05-24, Stefan Bodewig wrote:
>
>> Right now I'm trying to find people I can talk to WRT SBOMs for
>> tarballs. I'm pretty certain the SBOMs I've been creating for the Antlib
>> itself and Ant's jars are pretty fine.
>
> I've used parts of today's holiday in Germany to read up on SBOM
> requirements. Both the EU CRA as well as the US NTIA requirements
> require supplier information which I considered to be secondary with
> manufacturer being more important. I'll change that.

Hmm, the NTIA[1] wants supplier and is happy without manufacturer while
the German BSI which defines the technical details for CRA compliance[2]
uses the manufacturer throughout their example.

Maybe we should just keep them both. (could be a German trait to consider
the manufacturer more important than the supplier, as I did as well :-).

> Also I believe the ASF is the supplier and not the Ant project.

The CRA is less clear here. I'll see whether I can get input from other
people at the ASF.

Stefan

[1] https://www.ntia.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
    section IV
[2] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2_v2_1_0.pdf
    section 8.2
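As an added example (not code from this thread, from Ant's build, or from the ASF), here is a small Python check that reports which components in an SBOM lack a supplier entry, a manufacturer entry, or both, so the "keep them both" choice discussed above can be verified mechanically before a release. The JSON document is a constructed sample with placeholder party names; the field layout (metadata.supplier / metadata.manufacturer for the primary component, and per-component supplier / manufacturer objects) follows CycloneDX 1.6, which is an assumption since the thread does not name the SBOM format Ant emits.

```python
import json

# Constructed CycloneDX 1.6-style sample (placeholder names, not a real Ant SBOM).
# The primary component carries both parties; dep-a has only a supplier;
# dep-b has neither, so the check below should flag both of the latter.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2026-05-25T10:00:00Z",
    "supplier": {"name": "Example Foundation (placeholder)"},
    "manufacturer": {"name": "Example Project (placeholder)"},
    "component": {
      "type": "library",
      "name": "example-antlib",
      "version": "1.0.0",
      "purl": "pkg:maven/org.example/example-antlib@1.0.0"
    }
  },
  "components": [
    {"type": "library", "name": "dep-a", "version": "2.3",
     "purl": "pkg:maven/org.example/dep-a@2.3",
     "supplier": {"name": "Dep A Authors (placeholder)"}},
    {"type": "library", "name": "dep-b", "version": "0.9"}
  ]
}
""")


def _party_name(obj, key):
    """Return the non-empty name of the organizational entity stored under
    `key` (e.g. "supplier" or "manufacturer"), or None if it is absent,
    malformed, or blank. A blank name is treated as missing on purpose:
    an empty string satisfies a schema but tells a consumer nothing."""
    party = obj.get(key) or {}
    if not isinstance(party, dict):
        return None
    name = party.get("name")
    if isinstance(name, str) and name.strip():
        return name.strip()
    return None


def _label(component):
    """Human-readable name@version for a finding."""
    return f"{component.get('name', '<unnamed>')}@{component.get('version', '?')}"


def missing_parties(doc, required=("supplier", "manufacturer")):
    """Return a list of (component_label, field) pairs, one for every required
    party field that is missing on the primary component (read from
    metadata.*) or on any listed dependency (read from the component itself).
    Pass required=("supplier",) to check only the NTIA-style supplier element,
    or the default tuple to insist on both parties, as the thread proposes."""
    findings = []
    meta = doc.get("metadata", {})
    primary = meta.get("component", {})
    for field in required:
        if _party_name(meta, field) is None:
            findings.append((_label(primary), field))
    for comp in doc.get("components", []):
        for field in required:
            if _party_name(comp, field) is None:
                findings.append((_label(comp), field))
    return findings


if __name__ == "__main__":
    for label, field in missing_parties(SAMPLE_SBOM):
        print(f"{label}: no {field}")
    # supplier-only check, the minimum the NTIA list asks for
    print("supplier-only:", missing_parties(SAMPLE_SBOM, required=("supplier",)))
```

Run against a real SBOM by replacing SAMPLE_SBOM with json.load() of the file; an empty result from the default call means every component names both a supplier and a manufacturer, which satisfies either reading of the requirements discussed above.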
