Arnout Engelen
There is work ongoing on the CycloneDX spec to be able to mark dependencies as 'extraneous' (https://github.com/CycloneDX/specification/pull/586), which all of our dependencies are (except 'embedded'/shaded resources). Let's track that work...
When generating SBOMs on Windows, it looks like Windows line endings are used. We probably want to be deterministic and generate exactly the same SBOM whether running on Windows or...
It would be good to provide projects with a way to make project-specific customizations to the `Bom` object, so we allow them to express facts about the software that are...
Currently, we run the scripted tests with sbt 1.5.2. The first version of sbt that works with JDK 21 out-of-the box is sbt 1.9.0 (released in June 2023). We should...
Should we also support publishing the SBOM in SPDX format?
This makes the project-specific information more prominent, so that people will first see the project-specific information before perhaps continuing to the generic information on https://apache.org/security/
Ran in https://github.com/apache/pekko-samples/actions/runs/14287032925/job/40043305984; no longer runs in https://github.com/apache/pekko-samples/actions/runs/14424530513. Not obvious what changed.
Let's see if installcheck still fails on CI.
Our Rust utilities currently rely on a libnixstore from harmonia, which links against `nix_2_19`. This means the lila utilities work on NixOS 24.05 but no longer on nixos-unstable, which since...
* Add enough parameters to report definitions so that independent rebuilders can add all build definitions to their store
* Add a feature to #44 to fetch build definitions and...