On 5 Feb 2025, at 13:22, Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:

> On 5.02.2025 13:09, Gary Gregory wrote:
>> Why is this not done as an Apache project?
>
> It is an experiment. For now we will profit from the simplified release
> procedure and low support expectations for this kind of project. Rest
> assured that if this becomes popular enough, we'll submit it to Apache or
> OWASP CycloneDX.
>
> SBOMs are such a moving target that half of the projects that exist today will
> reach EOL in one year.
One thing that may help discriminate/affect staying power is to what extent the SBOM is a win-win, rather than `make work'. Which means that slightly richer SBOMs, which allow you to express things such as EOL state, announced EOL dates, provenance/source/`vendor', source URLs, license URLs, ECCN classifier numbers, and other `stuff' that can let you automate CI/CD, compliance, governance reports and so on, help a lot.

Dw
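The kind of automation Dw points at, as an added example that is not part of this thread: a small Python policy check over a constructed CycloneDX-style SBOM that gates CI on announced EOL dates and flags missing provenance (source reference) and license URLs. The `example:eolDate` property name, the sample components and their URLs are assumptions, not anything from the thread or the CycloneDX specification.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment (sample data, not a real SBOM).
# The property name "example:eolDate" is an assumed local convention carried
# in CycloneDX's generic "properties" list, not a field any spec defines.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "lib-a", "version": "2.1.0",
     "licenses": [{"license": {"id": "Apache-2.0",
                   "url": "https://www.apache.org/licenses/LICENSE-2.0"}}],
     "externalReferences": [{"type": "vcs", "url": "https://example.invalid/lib-a.git"}],
     "properties": [{"name": "example:eolDate", "value": "2026-12-31"}]},
    {"name": "lib-b", "version": "0.9.3",
     "licenses": [], "externalReferences": [],
     "properties": [{"name": "example:eolDate", "value": "2024-06-30"}]}
  ]
}"""

WARN_DAYS = 180  # warn when a component's announced EOL is this close

def check_sbom(sbom_json, today_iso):
    """Return (component, finding) pairs a CI/CD or governance job can act on."""
    today = date.fromisoformat(today_iso)
    findings = []
    for c in json.loads(sbom_json).get("components", []):
        label = f"{c['name']}@{c['version']}"
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        eol = props.get("example:eolDate")
        if eol is None:
            findings.append((label, "no EOL date declared"))
        else:
            eol_date = date.fromisoformat(eol)
            if eol_date < today:
                findings.append((label, f"past EOL since {eol}"))
            elif (eol_date - today).days <= WARN_DAYS:
                findings.append((label, f"EOL within {WARN_DAYS} days ({eol})"))
        # Provenance: expect a source (vcs) reference for every component.
        if not any(r.get("type") == "vcs" for r in c.get("externalReferences", [])):
            findings.append((label, "no source (vcs) reference"))
        # Compliance: expect a license URL, not just an identifier.
        if not any("url" in lic.get("license", {}) for lic in c.get("licenses", [])):
            findings.append((label, "no license URL"))
    return findings

def ci_gate_passes(sbom_json, today_iso):
    """Fail the build only on components already past EOL; the rest are warnings."""
    return not any(f.startswith("past EOL") for _, f in check_sbom(sbom_json, today_iso))
```

The same loop can be extended with any other field the SBOM carries (ECCN, vendor), which is exactly why the richer fields pay for themselves.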