dave2wave opened a new issue, #938: URL: https://github.com/apache/tooling-trusted-releases/issues/938
From [email protected]

Hi Dave,

Thanks, this is really useful context. On the Erlang/Elixir side, we already have a few things that should fit in pretty well with what you’re building:

## SBOM generation

We maintain rebar3_sbom and mix_sbom, which generate CycloneDX SBOMs directly from builds:

https://github.com/erlef/rebar3_sbom
https://github.com/erlef/mix_sbom

I saw CouchDB has both a mix.exs and a rebar.config.script, so one of those should work without much trouble. Happy to sanity check the output against what you expect in the catalog.

## Source SBOM / analysis

We’re also using ORT: https://oss-review-toolkit.org/ort/

That gives us a source-level view, which might or might not be useful depending on how far you want to go beyond release artifacts.

## Trusted publishing

Not there yet for Hex.pm, but it’s something we’re working towards: https://github.com/hexpm/hexpm/issues/1193

## Vulnerability handling (CNA)

The EEF runs a CNA covering Erlang, Elixir, and Hex: https://cna.erlef.org/

We’re currently looking into a pre-disclosure / heads-up list for downstream users of Erlang. Since CouchDB ships Erlang, that might also be relevant on your side: https://github.com/erlef-cna/website/pull/61

## EEF working groups

We also have a few active working groups in the EEF. One that might be particularly relevant here is the OpenRiak group. They are dealing with many of the same kinds of issues you will see in CouchDB as another Erlang-based database.

It would be great to share some of that experience, and more generally I would be very happy if we could bring the ASF and Erlang communities closer. I think there’s a pretty natural overlap here, especially around SBOM generation and how artifacts are exposed.

Let me know where it would make sense to align or collaborate.
