EPIC: Re-architecture Temurin SBOM format

[andrew-m-leonard]

The Temurin SBOM has grown organically over time with various enhancements. It has got to a point where we need to carefully consider the current and future use cases, and possibly develop an updated architecture/layout of the SBOM

[SXA: Added issues arising from the secure dev call on 30/Sep/2024]

• [ ] https://github.com/adoptium/temurin-build/issues/3013
• [x] https://github.com/adoptium/temurin-build/issues/3960
• [ ] https://github.com/adoptium/temurin-build/issues/3961
• [ ] https://github.com/adoptium/temurin-build/issues/3962
• [ ] https://github.com/adoptium/temurin-build/issues/3963

[jiekang]

@andrew-m-leonard @sxa I see this got moved to in progress but without an assignee; is there someone leading this that we should assign this issue to?

[sxa]

@andrew-m-leonard @sxa I see this got moved to in progress but without an assignee; is there someone leading this that we should assign this issue to?

That's a good question and one which we hadn't previously explicitly discussed so it makes sense to have clarity on it. We thrashed this around a little in our product owners call today and decided that since there is no explicit work in the epic and the subtasks all have separate owners the epic does not require an owner, but it is reasonably to have it in in-progress as opposed to todo to indicate that it is an epic which we are actively working on the tasks for. We will also add a "paused/blocked" status (I believe we had this in some earlier plans) so we can make it clearer if work has been actively paused on it.

I've updated our guidelines at the top level adoptium wiki in accordance with this policy.