In the wake of the log4j CVEs [1], people are asking how to improve the security of open source projects, and one idea is to provide an SBOM (Software Bill of Materials) [2] along with each release.
I had not heard of SBOM until a couple of days ago. Is anyone on this list familiar with SBOMs and their use? Should Calcite be providing an SBOM? Are people aware of SBOM initiatives in other projects? What, in your opinion, is the priority of this issue?

Julian

[1] https://thehackernews.com/2021/12/second-log4j-vulnerability-cve-2021.html
[2] https://en.wikipedia.org/wiki/Software_bill_of_materials
