JinwooHwang commented on PR #7933: URL: https://github.com/apache/geode/pull/7933#issuecomment-3342158970
Hi @sboorlagadda. Just a quick thought as we look ahead: ASF seems to be exploring additional metadata formats for public distribution, including SBOMs. To stay ahead, it might be worth considering the following draft position:

- SBOMs need to be automatically generated for builds at build time
- SBOMs need to be signed with the same keys used for releases, in the same way (detached signature, detached hash)
- SBOMs are expected to be static to the given release, must never be changed after release
- SBOMs need to be useful (i.e. can be parsed, machine readable by current/future tools)

Everything looks good to me. Thank you for your attention to these details. Looking forward to your successful implementation.

**Reference**
https://cwiki.apache.org/confluence/display/COMDEV/SBOM
https://whimsy.apache.org/board/minutes/Tooling.html
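As an added illustration of the four points in the comment above (example code, not from the PR or the Apache Geode project): a release-side check that an SBOM artifact is machine readable, carries a detached hash in the ASF `<artifact>.sha512` layout, is unchanged since hashing, and has a detached `<artifact>.asc` signature. The signature verifier is injected as a callable so a real `gpg --verify` wrapper can be supplied; the demo uses a stub.

```python
"""Checks for the four SBOM properties in the comment above.
Added example, not Apache Geode code. Assumes the ASF convention of a
detached <artifact>.sha512 (sha512sum layout) and <artifact>.asc beside the file."""
import hashlib
import json
import tempfile
from pathlib import Path

def parse_sbom(data: bytes) -> dict:
    """Machine readability: must be JSON and declare a known SBOM format."""
    doc = json.loads(data)
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return {"format": "CycloneDX", "version": doc["specVersion"],
                "components": len(doc.get("components", []))}
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return {"format": "SPDX", "version": doc["spdxVersion"],
                "components": len(doc.get("packages", []))}
    raise ValueError("SBOM does not declare a recognised format")

def write_hash_file(artifact: Path) -> None:
    """Detached hash in the layout `sha512sum -c` understands: '<hex>  <name>'."""
    digest = hashlib.sha512(artifact.read_bytes()).hexdigest()
    artifact.with_name(artifact.name + ".sha512").write_text(f"{digest}  {artifact.name}\n")

def check_sbom_artifact(artifact: Path, verify_signature) -> dict:
    """Immutability via the detached hash, then the detached signature, then parse.
    verify_signature(artifact, sig_path) -> bool is injected so a caller can wrap
    `gpg --verify` (a stub is used in demo())."""
    data = artifact.read_bytes()
    expected = artifact.with_name(artifact.name + ".sha512").read_text().split()[0]
    if hashlib.sha512(data).hexdigest() != expected.lower():
        raise ValueError("sha512 mismatch: SBOM changed after release hashing")
    sig = artifact.with_name(artifact.name + ".asc")
    if not sig.exists() or not verify_signature(artifact, sig):
        raise ValueError("detached signature missing or did not verify")
    return parse_sbom(data)

def demo(tamper: bool = False) -> dict:
    """Constructed CycloneDX sample in a temp dir; tamper=True edits it after hashing."""
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"name": "example-lib", "version": "1.0.0"}]}
    artifact = Path(tempfile.mkdtemp()) / "example-sbom.cdx.json"
    artifact.write_bytes(json.dumps(sbom).encode())
    write_hash_file(artifact)
    artifact.with_name(artifact.name + ".asc").write_text("(constructed placeholder signature)\n")
    if tamper:  # simulate a post-release edit: the hash check must now fail
        artifact.write_bytes(json.dumps({**sbom, "components": []}).encode())
    return check_sbom_artifact(artifact, lambda a, s: True)  # stub verifier, not gpg
```

`demo()` returns the parsed summary of the untampered sample, while `demo(tamper=True)` raises because the detached hash no longer matches.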
