iemejia commented on PR #2046:
URL: https://github.com/apache/avro/pull/2046#issuecomment-1372914189

   One question @dongjoon-hyun I am kind of new in the SBOM world but looking 
around it seems like there are like 3 big standards, any reason to choose the 
Cyclone one over SPDX (which seems to be the one being pushed by the Linux 
Foundation)? I am ok with merging this as it is, just curious. Better to have 
one than none :)
   
   I am also wondering what other Apache projects use. Just from a quick look 
it seems not even Log4j with all the mess of the last year is publishing their 
SBOM and there are no recommendations yet from the security group at the ASF.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.