Closed: schr3gl3j closed this 1 month ago
@schr3gl3j what exactly does that mean?
We already add an SBOM document to our release. Should we push that beside the container image into the registry and publish the container image with that reference?
Do you have some documentation on how to do that?
Yes, I have seen the SBOM, but there are copyright notices missing, and we found additional components in the Docker container that are not included in the SBOM. As of now, there are no suitable guides/checklists for the distribution of binaries or containers, and this should be tackled from our side too, together with the garm-operator maintainer team :)
Please add a FOSS disclosure for your container release.
Julian Schregle <julian.schregle@mercedes-benz.com>, Mercedes-Benz Tech Innovation GmbH