I think that's a great idea!

Maybe in the beginning it could be restricted just to some pilot projects?

Thanks.

On Thu, 21 Sep 2023 at 14:30 Arnout Engelen <enge...@apache.org>
wrote:

> Hi Chris,
>
> Thanks for sharing! I think having more tools to get insights around
> dependencies could be very helpful for projects, and SBOMs can definitely
> help there. The tooling landscape for this is still very much in flux, but
> setting up a Dependency-Track instance would be a worthwhile experiment. At
> this point I think it would be reasonable to treat it as an 'experimental'
> service, without strong long-term commitments to keeping particular APIs,
> functionality or data. Aside from exposing them through the tool, perhaps
> we should also use this opportunity to collect the raw SBOMs themselves, to
> make it easy for us to also experiment with other tools (GUAC[0] comes to
> mind). I'd be happy to help set up and manage this service.
>
>
> Kind regards,
>
> Arnout
> [0]: https://github.com/guacsec/guac
>
> On Fri, Sep 15, 2023 at 9:07 PM Chris Thistlethwaite <chr...@apache.org>
> wrote:
>
> > Greetings!
> >
> > There is an INFRA
> > ticket https://issues.apache.org/jira/browse/INFRA-24963 where someone
> > is asking about using Dependency-Track. Wanted to bring this up on list
> > so options and thoughts can be discussed. See ticket for more details.
> >
> > Thanks!
> > Chris T.
> > #asfinfra
> >
>
>
> --
> Arnout Engelen
> ASF Security Response
> Committer on Apache Pekko
> Committer on NixOS
> Independent Open Source consultant
>
