> On 8 Dec 2022, at 15:41, Dick Brooks <[email protected]> wrote:
>
> Eliot,
>
> Would you be convinced that SBOM creation is easy if I showed you that I can
> create an SPDX SBOM from an Apache distribution, downloaded from the
> Internet, all in less than 2 minutes?
>
No. The problem isn't generating an SBOM for a single package. The problem is establishing processes and policies not only to generate SBOMs for which I have source, but also to receive and incorporate SBOMs for which I do not. In complex systems this also means establishing appropriate container hierarchies, managing through patches, optional software add-ons, dealing with potential name conflicts and ambiguities, and more.

All of this can get worked out, but in tens of months, not minutes. Multiply that number by 3 for properly linked VEX information.

Eliot

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4883): https://lists.spdx.org/g/Spdx-tech/message/4883
Group Owner: [email protected]
-=-=-=-=-=-=-=-=-=-=-=-
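Eliot's point about incorporating SBOMs you did not produce, building a container hierarchy over them, and resolving name ambiguities can be made concrete in code. The block below is an added example for this thread; it is not code from either poster or from the SPDX project, and every document, package name, namespace and the DocumentRef-libfoo label in it is constructed. It composes a received SPDX 2.3 SBOM into a product SBOM by reference (an externalDocumentRefs entry carrying the supplier document's namespace and checksum, plus CONTAINS relationships that use the DocumentRef-prefixed element form) and flags package names that occur at more than one version across the documents, which is the kind of conflict that has to be settled before VEX statements can be attached to the right component.

```python
"""Compose a received SPDX 2.3 SBOM into our own product SBOM by reference.

Added example for this list thread; not the SPDX project's code. All documents,
names and namespaces below are constructed for illustration.
"""
import hashlib
import json

# Constructed: an SBOM received from an upstream supplier whose source we do not hold.
UPSTREAM_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "libfoo-1.4.2",
    "documentNamespace": "https://sbom.example.invalid/libfoo/1.4.2",
    "packages": [
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "1.4.2",
         "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libfoo@1.4.2"}]},
        {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.13",
         "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:generic/zlib@1.2.13"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-libfoo"},
        {"spdxElementId": "SPDXRef-libfoo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-zlib"},
    ],
}

# Constructed: packages we build from source. Note our own zlib is a different version
# from the one the supplier ships, and it reuses the SPDXID "SPDXRef-zlib" (legal: IDs
# are scoped per document, which is exactly why the DocumentRef- prefix exists).
OUR_PACKAGES = [
    {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "3.0.0",
     "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-zlib", "name": "zlib", "versionInfo": "1.2.11",
     "downloadLocation": "NOASSERTION"},
]


def document_sha256(doc):
    """Checksum recorded in the ExternalDocumentRef.

    In practice hash the bytes exactly as received from the supplier; the sample
    lives in memory, so a canonical JSON serialization stands in for the file.
    Assumption: the consumer accepts SHA256 here rather than only SHA1.
    """
    raw = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def described_packages(doc):
    """SPDXIDs that the supplier's document DESCRIBES: the roots we link to."""
    return [r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["spdxElementId"] == "SPDXRef-DOCUMENT"
            and r["relationshipType"] == "DESCRIBES"]


def compose(product_name, namespace, root_id, our_packages, upstream_docs):
    """Build our SPDX document; upstream_docs maps a short label to a received document.

    Each received document becomes an externalDocumentRefs entry (namespace + checksum),
    and the packages it describes are attached under our root with CONTAINS using the
    DocumentRef-<label>:<SPDXID> form, so supplier content is referenced, not copied.
    """
    doc = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": product_name, "documentNamespace": namespace,
        "externalDocumentRefs": [], "packages": list(our_packages),
        "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                           "relationshipType": "DESCRIBES", "relatedSpdxElement": root_id}],
    }
    for pkg in our_packages:
        if pkg["SPDXID"] != root_id:
            doc["relationships"].append({"spdxElementId": root_id, "relationshipType": "CONTAINS",
                                         "relatedSpdxElement": pkg["SPDXID"]})
    for label, up in upstream_docs.items():
        ref_id = f"DocumentRef-{label}"
        doc["externalDocumentRefs"].append({
            "externalDocumentId": ref_id, "spdxDocument": up["documentNamespace"],
            "checksum": {"algorithm": "SHA256", "checksumValue": document_sha256(up)}})
        for pid in described_packages(up):
            doc["relationships"].append({"spdxElementId": root_id, "relationshipType": "CONTAINS",
                                         "relatedSpdxElement": f"{ref_id}:{pid}"})
    return doc


def name_conflicts(our_packages, upstream_docs):
    """Package names seen at more than one version across all documents -> {name: {versions}}.

    A shared SPDXID across documents is not a collision, but the same name at two
    versions is an ambiguity that must be resolved before a VEX statement can be
    pointed at the right component.
    """
    seen = {}
    for pkg in our_packages:
        seen.setdefault(pkg["name"], set()).add(pkg.get("versionInfo", "NOASSERTION"))
    for up in upstream_docs.values():
        for pkg in up["packages"]:
            seen.setdefault(pkg["name"], set()).add(pkg.get("versionInfo", "NOASSERTION"))
    return {name: versions for name, versions in seen.items() if len(versions) > 1}


if __name__ == "__main__":
    upstream = {"libfoo": UPSTREAM_SBOM}
    product = compose("app-3.0.0", "https://sbom.example.invalid/app/3.0.0",
                      "SPDXRef-app", OUR_PACKAGES, upstream)
    print(json.dumps(product, indent=2))
    print("name conflicts:", name_conflicts(OUR_PACKAGES, upstream))
```

The two functions are the parts of Eliot's "tens of months" that do not go away with faster generation: every received document needs a checksum you can later re-verify against the file the supplier actually sent, and every name collision across the hierarchy needs a human decision about which component a later VEX statement refers to.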
