by ghostoftiber 486 days ago
The provenance of the SBOM is important. If you can't say "I made this" in reference to the SBOM then it's pretty much worthless.

Or, flip the script, if you're concerned enough about supply chain security to mandate an SBOM, you probably don't trust the supplier anyway.

There's the "but I signed it" crowd, but the wheels fall off when they've signed compromised artifacts too.

I just don't see a scenario where an SBOM that cannot be inspected and verified would be useful. If you have the infrastructure to do it, you're generating SBOMs anyway.


It's not so much about who made what. It's about knowing what versions were used and which CVEs are attached.
CVEs are very important, of course, especially nowadays, but...

Many licenses, such as the MIT license, are very open. All you have to do is include the license text and the names of the software creators, because they want attribution. In other words, it really is about who made what, even with some of the most open licenses.

Licenses matter, a lot. After all, some licenses are share-alike/viral: if you "use" code with such a license, your code might inherit that license. (I put "use" in scare quotes because this is where the lawyers get involved. It depends how exactly you use the code.)