Closed italvi closed 3 months ago
Your opinion @mmarseu, @CBeck-96?
I think I've already made my opinion of this particular operation clear 😬
Even for the metadata component, you cannot automatically deduce a correct copyright claim. Copyright is a complex legal issue. As for your question regarding the current year, the SBOM might be recreated or modified after the product is published.
IMO, we should throw out this operation and force people to use other alternatives to manually apply copyright claims. For example, if it's only for a single component, a simple `cdx-ev set --name xyz --version 1.2.3 --key copyright --value "My company"` could do it.
> IMO, we should throw out this operation and force people to use other alternatives to manually apply copyright claims.
Agree, as we already provide this possibility via `set`, and I'm also aware of persons using `set` rather than `amend` for this purpose. This manual approach also forces persons to really think about adding this kind of information.
> This manual approach also forces persons to really think about adding this kind of information.
EXACTLY! ❤️
I'll get on it :)
Currently we change the `copyright` via `amend` for every component (if the flag is provided) and choose the current year for it. But is this really the right approach? We don't know in which year the component within `components` was created, so we should not assume anything there. However, we can do that for the `metadata.component`, as the SBOM is mainly created during the build process.
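The narrower behaviour this issue argues for, written out as an added example that is not cdx-ev's own code: one function puts a claim on `metadata.component` only and leaves every entry under `components` untouched, and a second lists the components that still carry no claim, so they can be handled deliberately (for instance with the `cdx-ev set ... --key copyright` command quoted above). The sample SBOM, the function names `apply_copyright` and `components_without_copyright`, and the rule that an existing claim on `metadata.component` is kept rather than overwritten are all constructed or assumed for this example.

```python
"""Added example (not cdx-ev's own code): claim copyright on
metadata.component only and report which third-party components
still have no claim, so those are set by hand rather than auto-stamped."""
import copy
import datetime

# Constructed sample SBOM: a minimal CycloneDX 1.4 document, not a real artifact.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "component": {"type": "application", "name": "my-product", "version": "1.2.3"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "0.9.0"},
        {"type": "library", "name": "libbar", "version": "2.0.1",
         "copyright": "Copyright 2019 Bar Authors"},
    ],
}


def apply_copyright(sbom, holder, year=None):
    """Return a copy of ``sbom`` with a copyright claim on metadata.component.

    Only the product described by metadata.component is claimed: the SBOM is
    produced by that product's own build, so the build year is a defensible
    creation year for it. Entries under ``components`` are third-party code
    whose creation year is unknown here, so they are left exactly as they are.
    An existing claim on metadata.component is kept, not overwritten
    (assumption made for this example, not cdx-ev behaviour).
    """
    if year is None:
        year = datetime.date.today().year
    out = copy.deepcopy(sbom)  # never mutate the caller's document
    product = out.setdefault("metadata", {}).setdefault("component", {})
    product.setdefault("copyright", f"Copyright {year} {holder}")
    return out


def components_without_copyright(sbom):
    """Names of entries under ``components`` that carry no copyright claim.

    This is the list a maintainer works through by hand, one component at a
    time, instead of letting a tool stamp the current year on all of them.
    """
    return [c.get("name", "<unnamed>")
            for c in sbom.get("components", [])
            if not c.get("copyright")]


if __name__ == "__main__":
    fixed = apply_copyright(SAMPLE_SBOM, "My Company", year=2024)
    print(fixed["metadata"]["component"]["copyright"])
    print("components still without a claim:", components_without_copyright(fixed))
```

Passing `year` explicitly keeps the function deterministic for tests and for SBOMs that are regenerated later; when it is omitted the current year is used, which is only sound for the freshly built product, not for its dependencies.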