Hi Dick,

On 05.12.22 15:14, Dick Brooks wrote:
> An SBOM is easy to produce using existing tooling, in many cases. I don’t understand the resistance to providing consumers an SBOM so that they can monitor for new risk/vulnerabilities.
I suspect we will get to the point where it is easy, but we are nowhere near that today for any but the simplest of devices. For any system of any complexity it requires careful analysis, license identification and selection, third party integration, tooling integration to not only release but patch management. That will require time and experience to get right.
Eliot

View/Reply Online (#4878): https://lists.spdx.org/g/Spdx-tech/message/4878
