Tomalrich
The best way to determine if there are barriers to adoption is to measure adoption. I don't think there's any dispute that SBOMs have been broadly adopted by the developer...
Tracy, the problem with the LF report is that it doesn't clearly distinguish software producers from software consumers. It certainly shows that producers are utilizing SBOMs; that isn't the question....
Thanks, Anthony. There are a number of things holding SBOM adoption back on the consumer side, although on the producer side, they're already being heavily used (which itself is good,...
Thanks, Anthony. Please send me your email address. You can send it to ***@***.*** Tom Alrich LLC 312-515-8996 ________________________________ From: anthonyharrison ***@***.***> Sent: Wednesday, October 26, 2022 4:26 AM To:...
Thanks, Greg. You're right that purl doesn't currently cover all use cases; the purl community is currently working on exactly these issues. You're welcome to join them in this effort....
One interesting fact about purl: Steve Springett's Dependency Track open source SCA tool is used well over 20 million times every day to look up an open source package -...
@Greg ***@***.***>, the CVE Program has decided to incorporate purl into the CVE Record Format. If you don't agree with this decision, you need to discuss it with them. Olle...
This can be closed as an Open SSF issue. However, there's a good possibility that OWASP will take it up. Purl will be implemented in the CVE Program, probably this...
Thanks for your email, Emily, and for all the perceptive comments you left on the document. I've just responded to (almost) every one of them! To summarize my responses: The...
Today, I revised the original Issue to reflect three important changes I've made: 1. I made it clearer in the "[Discussions regarding purl implementation in the CVE Program](https://docs.google.com/document/d/1VfxrTqGBHifFNRIw-tWpx-GeUcdcqYvVdU4dJz-veN4/edit?tab=t.0#heading=h.i4fk01kjs4pf)" plan that...