Hi Team, I would like to unsubscribe from the discussions.

On Tue, Jan 27, 2026 at 4:54 PM Dirk-Willem van Gulik <[email protected]> wrote:

> On 23 Jan 2026, at 19:13, Kanchana Welagedara <[email protected]> wrote:
>
> > Hi Dirk, thanks for sharing. I was wondering whether the CRA considers the
> > European Union Agency for Cybersecurity (ENISA) as one of ASF’s
> > stakeholders when it comes to SBOM analysis requirements.
>
> I'd say that they are an agency - with a range of roles defined by statute
> - and while they coordinate; most regulatory action comes from country
> level regulators.
>
> > Since the ATR tooling team follows the CycloneDX format, for SBOM what should be
> > considered our source of truth or what is the balance?
>
> This is by and large going to depend on what the standards do - and how
> normative they are. That is still work in progress - and I am
> relying/hoping on ASF folks to be sufficiently involved to keep the delta
> small. Depending on the outcome - it may either be another format that
> gives you a de facto presumption of conformity or a list of requirements
> that one needs to meet; and can meet with CycloneDX with the right fields
> present.
>
> So by and large (and somewhat in theory) - it is up to us how much we
> involve ourselves in the run up to this being defined and how much we get
> surprised/confronted at the end. That said - given the low
> quality/problematic and almost complete lack of (our software) industry
> involvement at CENELEC - the bar may be very very low.
>
> With kind regards,
>
> Dw
>
> > On Fri, Jan 23, 2026 at 10:34 AM Dirk-Willem van Gulik <[email protected]>
> > wrote:
> >
> >> Begin forwarded message:
> >>>> It's a busy month for policy and open tech, but I would like to
> >>>> encourage you to contribute to the open consultation on ENISA’s draft SBOM
> >>>> Implementation Guide. The consultation seeks practical input to inform
> >>>> guidance on the adoption of structured and scalable SBOM practices.
> >>>>
> >>>> The survey is open until 23 January, and contributions from across the
> >>>> open technologies and policy community would be particularly valuable.
> >>>>
> >>>> You can participate here:
> >>>> https://ec.europa.eu/eusurvey/runner/SBOM_Analysis_Implementation_Guide
> >>>>
> >>>> They really need your feedback here. The document is messy, it feels
> >>>> like a product of students granted the right to cut and paste from various
> >>>> sources without any experience in the field. I expected a higher level of
> >>>> quality from Enisa.
> >>>>
> >>>> We need Enisa to get SBOMs right, the current state and where we are
> >>>> going.
> >>>>
> >>>> Please spend some time here.
> >>
> >> I completely missed this call for input -- and I am guessing it is too
> >> late now - but do jump on it if you have the time, knowledge or energy (or
> >> tell me that I am silly - and we've long answered this already).
> >>
> >> With kind regards,
> >>
> >> Dw
> >>
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>

--
Thanks and regards,
srivatsava sarva
