The reading list will take much more time to peruse, however. The link to the mailing list for the CPANSec group does not seem available and active.
The address works fine, but we didn't link to it (you know, email harvesters are still a thing).
Whatever the origins of the Cyber Security Act (CRA) in the EU etc, and other maneuvers elsewhere, the SBOM requirement does seem to have become a potential barrier against free and open source software which the various communities will have to learn to navigate, probably as communities rather than as individuals since the specification seems complicated for now.
The SBOM requirements are certainly a speed-bump and an annoyance – given the fact that most FOSS work is done on a volunteer basis. I wouldn't call it a blocker though. My hope is that the Roles and metadata in open source supply-chains document eventually can help these communities navigate this new landscape.
What means are there to generate an SBOM for a Perl module currently?
AFAIK, there are no options currently for doing this automatically. Furthermore, if this is going to work without too much hassle for the majority of maintainers, any proposed solutions will probably have to be able to be integrated into the current toolchain without much more effort than upgrading a bunch of it. This is still a bit in the future, given that so few are volunteering their time to make this happen (or not sharing any work with the community, fwiw).
To that end, what example SBOM files are available to test against Ovid's CycloneDX SBOM reader?
The CycloneDX spec repo has a test suite that could be integrated into Ovid's work, if someone wants to give it a try (I'll probably do it eventually, though)
In reply to Re^3: Software Bill of Materials (SBOM) in Perl and CPAN
by sjn
in thread Software Bill of Materials (SBOM) in Perl and CPAN
by mldvx4
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |