sboorlagadda commented on PR #7933: URL: https://github.com/apache/geode/pull/7933#issuecomment-3342298705
@JinwooHwang Thank you both for the positive feedback and the excellent forward-looking guidance!

**ASF SBOM Standards Alignment:**

The draft position you've outlined aligns perfectly with the proposal's architecture. Let me confirm how we're already positioned:

- ✅ **Automatic generation at build time**: Phase 2-3 implementation covers this
- ✅ **Signed artifacts**: Can integrate with existing Apache release signing process
- ✅ **Static/immutable**: SBOMs generated deterministically from dependency lock state
- ✅ **Machine readable**: CycloneDX JSON format with SPDX export capability

**Enhanced Implementation Plan:**

Based on the ASF guidance, I'll add these elements to Phase 3 (Release Integration):

- **Signing integration**: Extend existing GPG signing to include SBOM artifacts
- **Deterministic generation**: Ensure SBOMs are reproducible across builds
- **Format validation**: Add compliance checks against both CycloneDX and SPDX specs
- **ASF tooling compatibility**: Validate with Apache Whimsy and other ASF tools

The modular approach in the proposal makes these additions straightforward without disrupting the core implementation.

**Next Steps:**

I'll proceed with Phase 1 implementation and incorporate the ASF requirements into the release workflow. The compatibility assessment during implementation approach works well - I'll flag any Gradle 8.5 issues early if they arise.

Thanks for the ASF context - this positions Geode to be ahead of the curve on supply chain security standards!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
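The comment above commits to two properties a release workflow has to be able to check: that the emitted CycloneDX JSON is well-formed, and that two builds from the same dependency lock state produce the same SBOM. The script below is an added example of such a check; it is not Geode project code and not something from the PR. It assumes CycloneDX JSON's documented top-level fields (`bomFormat`, `specVersion`, `serialNumber`, `version`, `metadata.timestamp`, `components[].purl`) and treats `serialNumber` and `metadata.timestamp` as the only per-build volatile fields, which is an assumption about the generator; the sample BOMs are constructed for the example.

```python
"""Added example (not Apache Geode code): two checks for a generated CycloneDX JSON SBOM.

1. validate_cyclonedx(): structural checks on the fields a CycloneDX JSON BOM carries.
2. canonical_digest() / reproducible(): a determinism check. Two builds of the same
   lock state must agree once per-build volatile fields (serialNumber, metadata.timestamp)
   are stripped and component order is normalised. Which fields count as volatile is an
   assumption about the SBOM generator, not something the CycloneDX spec fixes.
"""
import hashlib
import json
import re

REQUIRED_TOP = ("bomFormat", "specVersion", "version", "components")
# Loose shape check for a package URL: "pkg:<type>/..." (assumption, not the full purl grammar).
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/")

# Fields that legitimately differ between two otherwise identical builds (assumption).
VOLATILE_TOP = ("serialNumber",)
VOLATILE_METADATA = ("timestamp",)


def validate_cyclonedx(bom: dict) -> list[str]:
    """Return a list of problems; an empty list means the BOM passed."""
    problems = []
    for key in REQUIRED_TOP:
        if key not in bom:
            problems.append(f"missing top-level field: {key}")
    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat must be 'CycloneDX', got {bom.get('bomFormat')!r}")
    if not isinstance(bom.get("version"), int) or bom.get("version", 0) < 1:
        problems.append("version must be a positive integer")
    serial = bom.get("serialNumber")
    if serial is not None and not serial.startswith("urn:uuid:"):
        problems.append("serialNumber must be a urn:uuid: value")
    for i, comp in enumerate(bom.get("components", [])):
        for field in ("type", "name", "version"):
            if field not in comp:
                problems.append(f"components[{i}] missing {field}")
        purl = comp.get("purl")
        if purl is None:
            problems.append(f"components[{i}] ({comp.get('name')}) has no purl")
        elif not PURL_RE.match(purl):
            problems.append(f"components[{i}] purl is malformed: {purl}")
    return problems


def canonical_digest(bom: dict) -> str:
    """SHA-256 over the BOM with volatile fields removed, components sorted, keys sorted."""
    stable = json.loads(json.dumps(bom))  # deep copy so the caller's BOM is untouched
    for key in VOLATILE_TOP:
        stable.pop(key, None)
    for key in VOLATILE_METADATA:
        stable.get("metadata", {}).pop(key, None)
    # Component order must not leak build-host iteration order into the digest.
    stable["components"] = sorted(
        stable.get("components", []), key=lambda c: c.get("purl") or c.get("name", "")
    )
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def reproducible(bom_a: dict, bom_b: dict) -> bool:
    """True when two SBOMs describe the same dependency set modulo volatile fields."""
    return canonical_digest(bom_a) == canonical_digest(bom_b)


def _sample_bom(serial: str, timestamp: str, order: tuple, alpha_version: str = "1.2.0") -> dict:
    """Constructed sample BOM; names and versions are invented for the example."""
    comps = {
        "alpha": {"type": "library", "name": "alpha", "version": alpha_version,
                  "purl": f"pkg:maven/org.example/alpha@{alpha_version}"},
        "beta": {"type": "library", "name": "beta", "version": "3.0.1",
                 "purl": "pkg:maven/org.example/beta@3.0.1"},
    }
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "serialNumber": serial, "version": 1,
        "metadata": {"timestamp": timestamp},
        "components": [comps[k] for k in order],
    }


# Two builds of the same lock state: different serial/timestamp, different component order.
BUILD_A = _sample_bom("urn:uuid:11111111-1111-1111-1111-111111111111", "2025-01-01T00:00:00Z", ("alpha", "beta"))
BUILD_B = _sample_bom("urn:uuid:22222222-2222-2222-2222-222222222222", "2025-01-02T00:00:00Z", ("beta", "alpha"))
# A build whose lock state actually changed (alpha bumped): must not be reported as reproducible.
BUILD_C = _sample_bom("urn:uuid:33333333-3333-3333-3333-333333333333", "2025-01-03T00:00:00Z", ("alpha", "beta"), "1.3.0")
# A malformed BOM: wrong bomFormat, component missing version and purl.
BROKEN = {"bomFormat": "SPDX", "specVersion": "1.5", "version": 1,
          "components": [{"type": "library", "name": "x"}]}

if __name__ == "__main__":
    print("A valid:", validate_cyclonedx(BUILD_A) == [])
    print("A ~ B reproducible:", reproducible(BUILD_A, BUILD_B))
    print("A ~ C reproducible:", reproducible(BUILD_A, BUILD_C))
    print("BROKEN problems:", validate_cyclonedx(BROKEN))
```

In a release job the digest of the SBOM produced by a clean rebuild would be compared with the digest of the SBOM being signed, so that the GPG signature only ever covers an artifact a second build can regenerate; SPDX output would need its own volatile-field list (its `created` field and document namespace, for instance) before the same comparison applies.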
