dasharo-issues
dasharo-issues copied to clipboard
Dasharo
Improve SBOM in future releases for laptops
The problem you're addressing (if any)
The SBOM information is limited to coreobot / edk2 revisions
Describe the solution you'd like
For some platforms, the SBOM information we provide is more extensive Such as: https://docs.dasharo.com/variants/protectli_vp46xx/releases/#v120-2024-03-25
Where is the value to a user, and who might that user be?
No response
Describe alternatives you've considered
No response
Additional context
No response
@macpijan We are already addressing this as part of https://github.com/Dasharo/dasharo-issues/issues/955
Feature request: We provided links to all components' licenses at some point. I think that information should be included in SBOM's release notes. It has already happened a couple of times when someone asked about licenses for all components included. Maybe Opness Score should also account for that somehow.
We should publish SBOMs in the Dasharo SBOM release section; those SBOMs should comply with the state of the art in a given project. The key question is how hard it would be to introduce that:
Maybe we should have a label for SBOM since we have more issues directly or indirectly related:
- https://github.com/Dasharo/dasharo-issues/issues/129
- https://github.com/Dasharo/dasharo-issues/issues/568
- https://github.com/Dasharo/dasharo-issues/issues/955
Not limited to laptops, but otherwise fits this issue: AFAICT none of the SBOMs list edk2-platforms, even though it is used by most of the platforms supported by Dasharo.
New release notes are now live: https://docs.dasharo.com/variants/novacustom_v540tnx/releases/#v091-2024-11-07
FSP and GOP are missing because they're not public, this needs to be fixed by publishing the blobs, then we can link to them in SBoM.