Aleks,

Thanks for sharing your insights.

I've created a "Build SBOM" based on the Windows distribution zip file contents; however, it's incomplete because too much information that needs to go into the SBOM is unknown. For example, the final Build SBOM must contain SupplierName and Version for each component (file) in the zip file, but this information is not easy to determine from the data in the zip file. Ideally, the skeleton SBOM I've created would be updated with the correct information for each component in the "extrapolated" SBOM I created to make it an accurate SBOM, and that information can only come from the software developers and build engineers that created the curl product distributed in the zip file. After all of the required data is contained in the SBOM it will be ready for distribution as the final "Build SBOM".

I'll be happy to share the extrapolated SBOM with any who are interested to see what I'm referring to, but I won't send this large SBOM to the entire list.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: d...@businesscyberguardian.com
Tel: +1 978-696-1788

-----Original Message-----
From: Aleksandar Lazic <al-curlus...@none.at>
Sent: Thursday, July 10, 2025 3:01 AM
To: d...@businesscyberguardian.com
Cc: curl-users - the curl tool <curl-users@lists.haxx.se>; 'Dan Fandrich' <d...@coneharvesters.com>
Subject: Re: Release candidate 3: curl 8.15.0-rc3

Hi Dick.

On 2025-07-09 (Mi.) 19:00, Dick Brooks via curl-users wrote:
> Dan,
>
> Thanks for sharing your insights.
>
> My customers need the "Build SBOM", not a source SBOM. The SBOM must
> contain details of the components in the Windows Zip file used by
> consumers to install curl.
>
> Per Daniel's recommendation I've entered an issue for this:
> https://github.com/curl/curl-for-win/issues/81

It's open source :-), so you can create the SBOM or the scripts which create the SBOM and contribute to the open source project which you use for your customers.

> Thanks,
>
> Dick Brooks

Best Regards
Aleks

> Active Member of the CISA Critical Manufacturing Sector, Sector
> Coordinating Council - A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> Risk always exists, but trust must be earned and awarded.™
> https://businesscyberguardian.com/
> Email: d...@businesscyberguardian.com
> Tel: +1 978-696-1788
>
>
> -----Original Message-----
> From: Dan Fandrich <d...@coneharvesters.com>
> Sent: Wednesday, July 9, 2025 12:42 PM
> To: curl-users - the curl tool <curl-users@lists.haxx.se>
> Cc: Dick Brooks <d...@businesscyberguardian.com>
> Subject: Re: Release candidate 3: curl 8.15.0-rc3
>
> On Wed, Jul 09, 2025 at 03:44:56PM +0200, Daniel Stenberg via curl-users wrote:
>> On Wed, 9 Jul 2025, Dick Brooks wrote:
>>> Congratulations. Any chance we will see an SBOM for curl in the future?
>>
>> The "normal" curl release does not need an SBOM. It is just one thing
>> and this one thing comes only from us: the curl release.
>>
>> curl releases are done as source code tarballs with no third party
>> code included.
>
> The curl source is fully marked up with SPDX license tags, so you can
> generate your own accurate source-level SBOM in SPDX format with
> license information using the "reuse" tool. Just run "reuse spdx". See
> https://reuse.readthedocs.io for more information.
>
> Dan
> --

Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
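The gap Dick describes above, between what a zip archive can prove about its contents and what a complete Build SBOM must state, can be made concrete in code. The following is an added example and not part of the thread, the curl project, curl-for-win, or the `reuse` tool Dan mentions: it extrapolates an SPDX 2.3-style skeleton (one package entry per file, with name, size and SHA-256) from a constructed sample zip, marks `supplier` and `versionInfo` as `NOASSERTION` because the archive does not carry them, reports which entries are still incomplete, and merges in values that only the build engineers could supply. The sample zip contents and the build-team values are placeholders, not real curl binaries or real supplier data.

```python
"""Skeleton "build SBOM" extrapolated from a distribution zip (added example).

Only what the archive itself proves (file names, sizes, hashes) is filled in;
supplier and version stay NOASSERTION until the people who built the
distribution supply them. Field names follow the SPDX 2.3 JSON layout.
"""
import hashlib
import io
import json
import re
import zipfile

NOASSERTION = "NOASSERTION"  # SPDX marker for "value could not be determined"
REQUIRED_FIELDS = ("supplier", "versionInfo")  # what the final Build SBOM must carry


def _spdx_id(name: str) -> str:
    """Build an SPDX-conformant identifier (SPDXRef-[A-Za-z0-9.-]+) from a path."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", name)


def build_skeleton_sbom(zip_bytes: bytes, package_name: str) -> dict:
    """Extrapolate an SPDX-style skeleton: one package per file in the archive."""
    packages = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in sorted(zf.infolist(), key=lambda i: i.filename):
            if info.is_dir():
                continue  # directory entries are not components
            data = zf.read(info)
            packages.append({
                "SPDXID": _spdx_id(info.filename),
                "name": info.filename,
                "supplier": NOASSERTION,        # a zip does not say who built the file
                "versionInfo": NOASSERTION,     # nor which version it is
                "downloadLocation": NOASSERTION,
                "filesAnalyzed": False,
                "checksums": [{"algorithm": "SHA256",
                               "checksumValue": hashlib.sha256(data).hexdigest()}],
                "comment": f"uncompressed size {info.file_size} bytes; extrapolated from archive",
            })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{package_name}-build-sbom-skeleton",
        "packages": packages,
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": p["SPDXID"]} for p in packages
        ],
    }


def missing_fields(sbom: dict) -> dict:
    """Return {component name: [required fields still NOASSERTION]}; empty means complete."""
    gaps = {}
    for pkg in sbom["packages"]:
        todo = [f for f in REQUIRED_FIELDS if pkg.get(f, NOASSERTION) == NOASSERTION]
        if todo:
            gaps[pkg["name"]] = todo
    return gaps


def merge_build_data(sbom: dict, build_data: dict) -> dict:
    """Fill skeleton entries from data only the build engineers can supply.

    build_data maps a file name to {"supplier": ..., "versionInfo": ...}.
    Names absent from the archive are ignored rather than added, so the SBOM
    never claims a component the zip does not actually contain.
    """
    by_name = {p["name"]: p for p in sbom["packages"]}
    for name, fields in build_data.items():
        if name in by_name:
            by_name[name].update({k: v for k, v in fields.items() if k in REQUIRED_FIELDS})
    return sbom


def make_sample_zip() -> bytes:
    """Constructed stand-in for a distribution zip; contents are NOT real curl binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bin/curl.exe", b"placeholder bytes, not a real executable")
        zf.writestr("bin/libcurl.dll", b"placeholder bytes, not a real library")
        zf.writestr("COPYING.txt", b"placeholder licence text")
    return buf.getvalue()


if __name__ == "__main__":
    sbom = build_skeleton_sbom(make_sample_zip(), "example-dist")
    print(json.dumps(missing_fields(sbom), indent=2))  # every file still lacks supplier and version
    # Placeholder build-team data; "Organization: ..." is the SPDX supplier form.
    merge_build_data(sbom, {"bin/curl.exe": {"supplier": "Organization: Example Build Team",
                                             "versionInfo": "0.0.0-example"}})
    print(json.dumps(missing_fields(sbom), indent=2))  # bin/curl.exe is no longer listed
```

The `missing_fields` report is the useful artefact here: it is exactly the list of questions the skeleton's author has to put to the developers and build engineers, and an empty report is the condition for calling the document a final Build SBOM rather than an extrapolated one.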