On 25.05.21 15:51, Patrick Dwyer wrote:
> Hi Eliot,
>
> A well-known URI is just one way of enabling delivery of an SBOM.

YYyyyes... but did you mean CSAF above?

> That would tightly bind the CSAF to the SBOM, and I don't think they are tightly bound. That is, one could release a CSAF without an SBOM (as is pretty much done today). Because of this, I think suppliers will need to include the CSAF location in the SBOM itself.
>
> I also think this is one of those things that crosses a logical boundary that is no longer about discovering and accessing an SBOM.

That is true. But not a huge stretch.

Eliot
