Hi Dick
Thank you for your comments. Please see my thoughts inline.
On 2023-01-14 13:12, Dick Brooks wrote:
> There is no escaping manual input from the process that leads to an SBOM,
> SPDX or CycloneDX. Someone has to input the data somewhere in order for it
> to be available at SBOM creation time.
True, but my interest relates to
- repeatable construction of evolving software at scale (where
automation provides significant benefits)
- safety-critical and security-critical systems
Broadly this leads me towards solutions where, once the manual input has
occurred, we can aim to enforce rules and/or automation to mitigate
against errors being introduced.
> If you are concerned that manual entry occurs somewhere in the process
> that ultimately results in an SBOM then I don't think this concern will
> ever go away.
> Manual effort is an inherent part of software creation, and yes, human
> error can, and does occasionally occur.
You're correct - I expect to remain concerned about human errors, at
least until the AI community comes up with tools to generate the
software without human intervention, at which point we'll have no clue
about whether the metadata is truthful or not :-)
However, for the versioning example I mentioned, we have techniques that
mitigate very effectively against the problem. A common approach is for
software versioning to be heavily controlled or even generated by
tooling. For example, if we use git, we can ensure that only one version
of software has a given tag.
With regard to licencing, the base premise that a human asserts licence
in metadata, without qualification, seems risky to me. Is there any
traceability for who makes the assertion in the first place, and on what
basis? And when the software changes, is there any way to force
reassessment (or at least reassertion) by someone competent?
br
Paul
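The git example above (one tag name may only ever name one version) can be enforced rather than merely hoped for. The script below is an added illustration, not code from the thread or from the SPDX project: it builds a throwaway bare repository with a pre-receive hook that refuses to move or delete any existing tag, pushes an annotated tag, then shows that a locally force-moved tag is rejected by the server. The repository paths, the maintainer identity and the tag names are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the SPDX thread): a server-side git hook that
# makes tags immutable, so a given tag can only ever identify one version.
# All paths, names and identities below are hypothetical demo values.

set -u

# Commit/tag identity for the demo (constructed, not a real person).
export GIT_AUTHOR_NAME="Example Maintainer"
export GIT_AUTHOR_EMAIL="maintainer@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# Create a bare "server" repo guarded by a pre-receive hook, plus a work
# tree cloned from it with one commit. Prints the work tree path.
setup_repos() {
  root=$(mktemp -d)
  server="$root/server.git"
  work="$root/work"

  git init -q --bare "$server"
  mkdir -p "$server/hooks"

  # pre-receive gets one "<old-sha> <new-sha> <refname>" line per updated ref.
  # For refs/tags/*, an old sha that is not all zeros means the tag already
  # exists, so the push is a move or a delete: reject it. Brand-new tags pass.
  cat > "$server/hooks/pre-receive" <<'EOF'
#!/bin/sh
zero=0000000000000000000000000000000000000000
status=0
while read -r old new ref; do
  case "$ref" in
    refs/tags/*)
      if [ "$old" != "$zero" ]; then
        echo "rejected: $ref already exists; tags are immutable" >&2
        status=1
      fi
      ;;
  esac
done
exit $status
EOF
  chmod +x "$server/hooks/pre-receive"

  git -c init.defaultBranch=main init -q "$work"
  git -C "$work" remote add origin "$server"
  echo "v1" > "$work/VERSION"
  git -C "$work" add VERSION
  git -C "$work" commit -q -m "first release"
  echo "$work"
}

# Create annotated tag $2 on HEAD of work tree $1 and push it.
# Returns git push's exit status (0 = the hook accepted the new tag).
push_new_tag() {
  work=$1; tag=$2
  git -C "$work" tag -a -m "release $tag" "$tag"
  git -C "$work" push -q origin "refs/tags/$tag" 2>/dev/null
}

# Commit a change, force-move tag $2 onto it locally, and force-push.
# Returns the push exit status: non-zero means the server refused the move.
move_tag_and_push() {
  work=$1; tag=$2
  echo "v1 (patched)" > "$work/VERSION"
  git -C "$work" commit -q -am "silent change after tagging"
  git -C "$work" tag -f -a -m "re-tagged" "$tag" >/dev/null 2>&1
  git -C "$work" push -q --force origin "refs/tags/$tag" 2>/dev/null
}

# Commit the *server* says tag $2 points at (peeled "^{}" entry), so we can
# prove the attempted move never landed remotely.
server_tag_target() {
  work=$1; tag=$2
  git -C "$work" ls-remote --tags origin | awk -v r="refs/tags/$tag^{}" '$2 == r {print $1}'
}

if [ "${RUN_DEMO:-1}" = 1 ]; then
  w=$(setup_repos)
  push_new_tag "$w" v1.0.0 && echo "v1.0.0 accepted by server"
  first=$(server_tag_target "$w" v1.0.0)
  if move_tag_and_push "$w" v1.0.0; then
    echo "tag move accepted (hook not installed?)"
  else
    echo "tag move rejected by pre-receive hook"
  fi
  [ "$(server_tag_target "$w" v1.0.0)" = "$first" ] && echo "server still points v1.0.0 at $first"
fi
```

Because the tag is annotated, `git cat-file -p v1.0.0` on either side records who created it and when, which is the kind of traceability the licence question above asks for; a signed tag (`git tag -s`) additionally binds that assertion to a key, and a hook like this one can be extended to require the signature to verify before accepting the tag.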
View/Reply Online (#4921): https://lists.spdx.org/g/Spdx-tech/message/4921