Hi Dick,
On 05.12.22 15:14, Dick Brooks wrote:
> An SBOM is easy to produce using existing tooling, in many cases. I
> don't understand the resistance to providing consumers an SBOM so that
> they can monitor for new risk/vulnerabilities.
I suspect we will get to the point where it is easy, but we
I think there is some confusion about that letter. Nowhere does it say
that "SBOM is bad". The concern is that Congress would specify one way
of doing things, the military another, and DISA yet a third. In fact
the article specifically says:
OMB’s approach reflects a comprehensive
Hi Rose:
Welcome back!
On Fri, Dec 2, 2022 at 10:55 PM Rose Judge via lists.spdx.org wrote:
> Tern is a tool that can generate SPDX documents for containers.
> When we are collecting license information for Debian packages
> inside a container, we must scan the copyright files to gather any
>