The dependencies of the output of Royale are a concern, for licensing and security reasons. Angular automatically produces 3rdpartylicenses.txt to list dependencies, which is helpful.
On 8/2/2022 11:50 AM, Tom DuBuisson wrote:
> Andrew,
>
> You're right, SBOMs have gotten a lot of attention [1]. While it appears vendors are going to be most on the hook to provide SBOMs, having the insights available at project and library level will be impacting library selection more and more.
> ...
>
> On Tue, Aug 2, 2022 at 6:26 AM Andrew Wetmore wrote:
>
>> Hi, all.
>>
>> I was reading today about SBOM [1] ('a kind of nutrition label to reduce software supply chain risk') and wondered whether it would be very difficult to add such a document to the Royale release assets. It seems to be an impending requirement (or 'desirement') for released software, and I can't imagine it would be too hard to put one together for our product.
>>
>> If this seems like a good idea, I would be happy to create a draft and get others to improve it.
>>
>> [1] https://develop.secure.software/sbom-facts-know-whats-in-software-fend-off-supply-chain-attacks
>>
>> --
>> Andrew Wetmore
>> Editor, Moose House Publications
>> Editor-Writer, The Apache Software Foundation