And let me repeat what I wrote on slack today: For ASF the legal risk is huge. If someone gets billions of dollars in damage because they trusted we told them "we are not vulnerable to this 3rd-party vulnerability" - they might sue ASF and demand all our trademarks as compensation (not the money we have in the bank). This is a HUGE risk for ASF and the whole open-source community if you ask me.
On Wed, Feb 5, 2025 at 1:45 PM Dirk-Willem van Gulik <di...@webweaving.org> wrote:

> On 5 Feb 2025, at 13:22, Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
>
> > On 5.02.2025 13:09, Gary Gregory wrote:
> >> Why is this not done as an Apache project?
> >
> > It is an experiment. For now we will profit from the simplified release procedure and low support expectations for this kind of project. Rest assured that if this becomes popular enough, we'll submit it to Apache or OWASP CycloneDX.
> >
> > SBOMs are such a moving target that half of the projects that exist today will reach EOL in one year.
>
> One thing that may help discriminate/affect staying power is to what extent the SBOM is a win-win, rather than `make work'. Which means that slightly richer SBOMs, which allow you to express things such as EOL state, announced EOL dates, provenance/source/`vendor', source URLs, license-URLs, ECCN Classifier numbers, and other `stuff' that can let you automate CI/CD, compliance, governance reports and so on, help a lot.
>
> Dw
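As an added illustration of the two points raised in this thread (richer SBOM metadata such as EOL dates, and the risk of an unsupported "not affected" claim), here is a small Python check over a constructed CycloneDX-style document. This is example code written for this page, not code from any project mentioned in the thread; the `eol:date` and `provenance:source-url` property names are hypothetical, since CycloneDX `properties` is a real name/value extension point but these keys are not standardised.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment for illustration only (not a real
# project's SBOM). Property names like "eol:date" are hypothetical; the
# vulnerability id is a placeholder, not a real identifier.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.0",
     "properties": [
       {"name": "eol:date", "value": "2024-06-30"},
       {"name": "provenance:source-url", "value": "https://example.invalid/libfoo"}
     ]},
    {"type": "library", "name": "libbar", "version": "3.0.1",
     "properties": [{"name": "eol:date", "value": "2027-01-01"}]},
    {"type": "library", "name": "libbaz", "version": "0.9.0"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "affects": [{"ref": "libbar"}],
     "analysis": {"state": "not_affected"}}
  ]
}
"""

def load_sbom():
    return json.loads(SBOM_JSON)

def _prop(component, name):
    # Look up a name/value pair in a component's CycloneDX "properties" list.
    for p in component.get("properties", []):
        if p.get("name") == name:
            return p.get("value")
    return None

def eol_report(sbom, today_iso):
    """Map component name -> 'eol', 'supported' or 'unknown' (no EOL data)."""
    today = date.fromisoformat(today_iso)
    out = {}
    for c in sbom.get("components", []):
        raw = _prop(c, "eol:date")
        if raw is None:
            out[c["name"]] = "unknown"
        else:
            out[c["name"]] = "eol" if date.fromisoformat(raw) <= today else "supported"
    return out

def unjustified_not_affected(sbom):
    """Ids of 'not_affected' analyses that carry no justification field."""
    return [v["id"] for v in sbom.get("vulnerabilities", [])
            if v.get("analysis", {}).get("state") == "not_affected"
            and not v.get("analysis", {}).get("justification")]
```

A "not affected" entry flagged by `unjustified_not_affected` is exactly the kind of bare assertion the first message warns against; CycloneDX allows a `justification` (for example `code_not_reachable`) to record why the claim is believed to hold.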