Dick, I applaud you for raising awareness about this. But we also need to recognize that while SBOM tooling is getting better, we still need to improve a lot. Take the SBOM you sent as an example: it seems to have a number of problems. It doesn't have any relationships, versions don't seem to match (PackageName: apache-log4j-2.15.0-bin.zip vs PackageVersion: 2.19.0), the URL is wrong, etc.
We haven't yet gotten generation 100% right, and we have a ton of work to do on the consumption side. We need to fight the sentiment of the letter, but we need to do so by taking criticism and responding to the problems with faster, better improvements.

Adolfo García Veytia
Chainguard

View/Reply Online (#4885): https://lists.spdx.org/g/Spdx-tech/message/4885
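The kinds of defects the message lists (no relationship entries, a version embedded in the package name that disagrees with PackageVersion, a download URL that is not usable) are exactly what a consumer-side sanity check can catch before an SBOM is trusted. The script below is an added illustration, not code from the message, from Chainguard or from the SPDX project. It handles only a small subset of the SPDX 2.x tag-value syntax (one `Tag: value` per line, packages delimited by `PackageName`), treats the first `N.N[.N...]` run in a package name as that package's embedded version (a heuristic, assumed here), and runs over a constructed sample that mimics the problems described.

```python
import re
from urllib.parse import urlparse

# Constructed SPDX 2.x tag-value fragment that mimics the problems described in
# the message: no Relationship lines, a PackageName whose embedded version does
# not match PackageVersion, and a download location that is not an absolute
# URL. The second package is clean. This is not a real SBOM.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
PackageName: apache-log4j-2.15.0-bin.zip
SPDXID: SPDXRef-Package-log4j
PackageVersion: 2.19.0
PackageDownloadLocation: apache.org/log4j
PackageName: jackson-databind-2.13.4.jar
SPDXID: SPDXRef-Package-jackson
PackageVersion: 2.13.4
PackageDownloadLocation: https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.13.4/jackson-databind-2.13.4.jar
"""

# Heuristic (assumption): the first dotted numeric run in a package name is the
# version the producer embedded in it.
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_tag_value(text):
    """Parse a minimal tag-value document.

    Returns (packages, relationships): one dict per PackageName block keyed by
    tag, plus the raw values of every Relationship line. Document-level tags
    that appear before the first PackageName are ignored.
    """
    packages, relationships = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif tag == "Relationship":
            relationships.append(value)
        elif current is not None:
            current[tag] = value
    return packages, relationships


def check_sbom(text):
    """Return a list of (severity, message) findings for the document."""
    packages, relationships = parse_tag_value(text)
    findings = []

    # Without relationships a consumer cannot tell what depends on what.
    if not relationships:
        findings.append(("error", "document has no Relationship entries"))

    for pkg in packages:
        name = pkg["PackageName"]
        declared = pkg.get("PackageVersion")
        embedded = VERSION_RE.search(name)

        if declared is None:
            findings.append(("warning", f"{name}: missing PackageVersion"))
        elif embedded and embedded.group(0) != declared:
            findings.append(("error",
                             f"{name}: PackageVersion {declared} does not match "
                             f"version {embedded.group(0)} embedded in the name"))

        # Download location must be NONE, NOASSERTION, or an absolute URL
        # (scheme plus host); anything else cannot be fetched or verified.
        loc = pkg.get("PackageDownloadLocation")
        if loc is None:
            findings.append(("warning", f"{name}: missing PackageDownloadLocation"))
        elif loc not in ("NONE", "NOASSERTION"):
            parsed = urlparse(loc)
            if not parsed.scheme or not parsed.netloc:
                findings.append(("error",
                                 f"{name}: PackageDownloadLocation {loc!r} "
                                 "is not an absolute URL"))
    return findings


if __name__ == "__main__":
    for severity, message in check_sbom(SAMPLE_SBOM):
        print(f"[{severity}] {message}")
```

On the constructed sample this reports three errors: the missing relationships, the 2.15.0 vs 2.19.0 mismatch on the log4j package, and the relative download location; the jackson package passes. A real consumer would add checks for the fields the message does not mention (checksums, license expressions, SPDXID uniqueness), but the pattern is the same: validate before you trust.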
