On 2025-04-05 09:35, Brian Inglis wrote:
On 2025-04-05 02:43, Paul Eggert via tz wrote:
On 2025-04-04 16:50, Guy Harris via tz wrote:
The software bills of materials for tzdata2025b and tzcode2025b would be the
result of running "tar tf" on the corresponding tarballs (possibly after
decompressing if the version of the tar command on your platform doesn't
handle gzipped files).
Software Bills of Material (SBOMs) are more complicated than that these days,
unfortunately. They come in multiple flavors (CycloneDX, SPDX, SWID) with
different audiences, and they are associated with other standards (ISO 27001,
NIST, CIS Controls) that are rarely heard of outside of the relevant specialties.
...
I think that should be solely a downstream concern of project users that have
SBOM requirements and funding to cover that.
Perhaps we should add something about SBOMs to theory.html, if only to say
something along the lines of the above.
[1]: https://lists.iana.org/hyperkitty/list/tz-annou...@iana.org/latest
It would be kind to point out or reference your documentation of generation,
build, and execution library and utility dependencies, which is more than most
upstream source projects provide, as those are dependent on the platform,
environment, and its releases.
I just ran across this book title which seemed relevant to some queries and
requests:
How About Never - Is Never Good for You?
-- Bob Mankoff
;^>
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte                     Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter    not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher    but when there is no more to cut
-- Antoine de Saint-Exupéry
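
Added example, not part of the thread and not tz project code: it contrasts the bare member listing that "tar tf" gives with a minimal CycloneDX-shaped JSON document carrying a per-file SHA-256. The tarball, its file names and the component name and version are constructed, and the JSON is not validated against the CycloneDX schema.

```python
import hashlib
import io
import json
import tarfile


def build_sample_tarball():
    """Constructed stand-in for a release tarball (not real tzdata content)."""
    members = {"sample/README": b"constructed readme\n",
               "sample/zone.tab": b"# constructed table\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(members.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_listing(blob):
    """Equivalent of `tar tf`: member names only, no integrity data."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        return tar.getnames()


def cyclonedx_file_bom(blob, name, version):
    """One 'file' component per regular member, each with a SHA-256 hash."""
    components = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and links carry no content to hash
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            components.append({"type": "file", "name": member.name,
                               "hashes": [{"alg": "SHA-256", "content": digest}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application",
                                       "name": name, "version": version}},
            "components": components}


if __name__ == "__main__":
    blob = build_sample_tarball()
    print("\n".join(tar_listing(blob)))
    print(json.dumps(cyclonedx_file_bom(blob, "sample", "0.0-constructed"), indent=2))
```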