On Wed, Jul 09, 2025 at 03:44:56PM +0200, Daniel Stenberg via curl-users wrote:
> On Wed, 9 Jul 2025, Dick Brooks wrote:
> > Congratulations. Any chance we will see an SBOM for curl in the future?
> 
> The "normal" curl release does not need an SBOM. It is just one thing and
> this one thing comes only from us: the curl release.
> 
> curl releases are done as source code tarballs with no third party code
> included.

The curl source is fully marked up with SPDX license tags, so you can generate
your own accurate source-level SBOM in SPDX format with license information
using the "reuse" tool. Just run "reuse spdx". See https://reuse.readthedocs.io
for more information.

Dan
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
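
As an added example (not part of the original thread and not code from the curl or REUSE projects): one way to check a generated source-level SBOM is to tally the licenses declared per file and list files that carry no license information. It assumes the SBOM is in SPDX tag-value form; the sample document, its file names and the helper names `parse_files` and `summarise` are constructed for illustration.

```python
from collections import Counter

# Constructed sample in SPDX 2.x tag-value form. File names, licenses and
# copyright lines are invented for illustration; this is not real curl output.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
DocumentName: example

FileName: ./lib/example.c
LicenseConcluded: NOASSERTION
LicenseInfoInFile: curl
FileCopyrightText: <text>Copyright (C) Example Author</text>

FileName: ./docs/notes.md
LicenseConcluded: NOASSERTION
LicenseInfoInFile: curl
LicenseInfoInFile: MIT
FileCopyrightText: <text>Copyright (C) Example Author</text>

FileName: ./tests/data/blob.bin
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NONE
"""

# SPDX values meaning "no license information available for this file".
NO_INFO = {"NONE", "NOASSERTION"}

def parse_files(text):
    """Return {file name: set of LicenseInfoInFile values} (hypothetical helper)."""
    files, current = {}, None
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue  # blank line or text without a tag
        tag, value = tag.strip(), value.strip()
        if tag == "FileName":
            current = files.setdefault(value, set())
        elif tag == "LicenseInfoInFile" and current is not None:
            current.add(value)
    return files

def summarise(text):
    """Return (license -> file count, sorted files with no license info)."""
    files = parse_files(text)
    counts = Counter(lic for lics in files.values() for lic in lics - NO_INFO)
    untagged = sorted(f for f, lics in files.items() if not (lics - NO_INFO))
    return counts, untagged

if __name__ == "__main__":
    print(summarise(SAMPLE_SPDX))
```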
