While the CRA mentions SBOM in the draft many times, it does not require that the vendor provide customers with an SBOM. It says that SBOM is a good tool for vulnerability tracking and leaves it open for the EU to decide on a recommendation for a particular SBOM format.
So yes, it's mentioning SBOM but it's not going all the way.

/O

> On 27 Jul 2023, at 16:52, Dick Brooks <[email protected]> wrote:
>
> Today, all the risks and cost from a cyber attack fall on the consumer.
>
> IMO the EU CRA is designed to protect consumers by sharing responsibility for cyber attack liabilities with software producers.
>
> The issue IMO is the open source model fails to properly compensate the talented people behind open source projects.
>
> Dick Brooks (REA)
>
>> On Jul 26, 2023, at 4:24 PM, John Sullivan <[email protected]> wrote:
>>
>> On Wed, Jul 26, 2023 at 09:21:30AM -0400, Dick Brooks wrote:
>>> Very encouraging language in the EU CRA for SBOM adoption and vulnerability monitoring/reporting.
>>
>> Small consolation given what a potential disaster the CRA is for open source / free software in general (see especially Problem 3):
>> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
>>
>> -john

View/Reply Online (#1721): https://lists.spdx.org/g/spdx/message/1721
