Hi Olle,
Surprisingly, it seems the EU reserves some right to prescribe a format without highlighting what that process could look like (rendering the outcome a mystery, I think).
Best regards,
Henk
On 28.07.23 19:32, Olle E. Johansson wrote:
While the CRA mentions SBOM in the draft many times, it is not requiring that the vendor provides customers with an SBOM. It says that SBOM is a good tool for vulnerability tracking and opens up for the EU to decide on a recommendation on a particular SBOM format.

So yes, it's mentioning SBOM but it's not going all the way.
/O
On 27 Jul 2023, at 16:52, Dick Brooks <[email protected]> wrote:
Today, all the risks and cost from a cyber attack fall on the consumer. IMO the EU CRA is designed to protect consumers by sharing responsibility for cyber attack liabilities with software producers.

The issue IMO is the open source model fails to properly compensate the talented people behind open source projects.
Dick Brooks (REA)
On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:
On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
Very encouraging language in the EU CRA for SBOM adoption and vulnerability monitoring/reporting.
Small consolation given what a potential disaster the CRA is for open source / free software in general (see especially Problem 3):
https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
-john
View/Reply Online (#1718): https://lists.spdx.org/g/spdx/message/1718