Having also been in that call I would also like this clarification. The idea behind having this information available is for the recipient to make her or his own judgement on how accurate they expect such to be.
If this has been solved in the SPDX community that would be great. š Steveās comments on different āstagesā was not something I had considered, but it does potentially complicate things. BR J From: [email protected] <[email protected]> On Behalf Of Steve Kilbane via lists.spdx.org Sent: Thursday, 1 December 2022 12:20 To: [email protected] Subject: [spdx] SPDX creation phase Hi all, One of the suggestions in todayās call for the OpenChain Telco SIG, where weāre discussing proposals for an SBOM standard for the Telecommunications industry, was: > SBOMs conforming to the Telco SBOM Specification need to contain the > information when the SBOM was created in the āCreatedā SPDX field and at what > phase of the software build it was created (āpre-buildā, ābuild-timeā or > āpost-buildā) in the CreatorComment SPDX field. (See https://github.com/OpenChain-Project/Telco-WG/pull/15<https://protect2.fireeye.com/v1/url?k=31323334-501cfaf3-313273af-454445554331-94edd4e1e4b783d0&q=1&e=3be69868-fb8d-4303-a952-19542b1e85dc&u=https%3A%2F%2Fgithub.com%2FOpenChain-Project%2FTelco-WG%2Fpull%2F15>) I raised a concern about ambiguity here, in that your application may be built from libraries that are built at an earlier stage, so the SBOM information may be created after some components are built, but before others. A recipient of the SBOM might also interpret each of these three phrases differently from the creator of the SBOM. I recall hearing that there have been conversations about many different SBOMs according to phase (source SBOM, build SBOM, deploy SBOM, cloud SBOM, etc.), so I wondered whether there was advice that the Telco SIG could lean upon, rather than trying to formulate a solution when itās already a solved problem. Apologies if this isnāt the right group. steve -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1605): https://lists.spdx.org/g/spdx/message/1605 Mute This Topic: https://lists.spdx.org/mt/95379372/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
