Hi Arnout,
On 6.02.2025 11:39, Arnout Engelen wrote:
> On Thu, Feb 6, 2025 at 10:53 AM Jarek Potiuk <[email protected]> wrote:
>> We could even - in this case make a dependabot-style automated and
>> proactive work, whenever a vulnerability is detected in a library, we could
>> see if it is already updated in the "in-progress" version and act
>> accordingly and automatically publish state in the last VEX "in_triage" for
>> example, and maybe have a way to manually review and update those (but only
>> for last released version in the maintained line).
> I'm not sure that would be useful - users are going to be asking us about
> those versions anyway, whether we set those or not. I could see us
> publishing SBOMs for the main branch, so we can easily answer the question
> of "will this be updated in the next version?", though.
Nice idea!
For ecosystems with snapshots that is probably already the case: you
can publish your SBOM with the snapshot.
For projects that publish a binary distribution only to
`downloads.apache.org`, we would need a way to regularly upload and
update the SBOM of the next release. Maybe this is something we could
add to the ATR requirements after the first few versions have been shipped.
Piotr
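As an added illustration of the dependabot-style step Jarek sketches above (example code, not from this thread or from any ASF tooling): given simplified CycloneDX-like SBOMs for the last release and for the in-progress main branch plus one advisory, it emits a vulnerability entry with analysis state "in_triage" for the release and notes whether main already carries a fixed version. The SBOM dicts, the advisory id and the version comparison are constructed assumptions.

```python
# Added example: minimal "detect -> check main -> publish in_triage" triage.
# Inputs are constructed, simplified CycloneDX-like dicts, not real SBOMs.

def parse_version(v):
    # Assumption: plain dotted numeric versions. Real SBOMs need a
    # scheme-aware comparison (PEP 440, semver, Maven ordering).
    return tuple(int(p) for p in v.split("."))

def find_component(sbom, name):
    # Matches on component name; a production tool should key on the purl.
    for c in sbom.get("components", []):
        if c.get("name") == name:
            return c
    return None

def fixed_in_main(main_sbom, advisory):
    # True when the in-progress branch already ships a version >= the fix.
    c = find_component(main_sbom, advisory["component"])
    return c is not None and parse_version(c["version"]) >= parse_version(advisory["fixed_in"])

def triage(release_sbom, main_sbom, advisory):
    rel = find_component(release_sbom, advisory["component"])
    if rel is None or parse_version(rel["version"]) >= parse_version(advisory["fixed_in"]):
        return None  # release does not ship a vulnerable version: nothing to publish
    if fixed_in_main(main_sbom, advisory):
        main = find_component(main_sbom, advisory["component"])
        detail = (f"main already uses {advisory['component']} {main['version']} "
                  f"(fix is {advisory['fixed_in']}); expected resolved in next release")
    else:
        detail = "not yet updated on main; manual review required"
    # CycloneDX-style vulnerability entry for the last released version.
    return {
        "id": advisory["id"],
        "affects": [{"ref": rel["bom-ref"]}],
        "analysis": {"state": "in_triage", "detail": detail},
    }

# Constructed sample inputs (placeholder advisory id, fictional library).
RELEASE_SBOM = {"components": [
    {"bom-ref": "pkg:maven/example/libfoo@2.3.0", "name": "libfoo", "version": "2.3.0"}]}
MAIN_SBOM = {"components": [
    {"bom-ref": "pkg:maven/example/libfoo@2.5.0", "name": "libfoo", "version": "2.5.0"}]}
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "component": "libfoo", "fixed_in": "2.4.1"}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(RELEASE_SBOM, MAIN_SBOM, ADVISORY), indent=2))
```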