ossf / sbom-everywhere

Improve Software Bill of Materials (SBOM) tooling and training to encourage adoption
Apache License 2.0
72 stars 26 forks

SBOM Naming - SBOMs required for all ecosystems? #44

Open idunbarh opened 9 months ago

idunbarh commented 9 months ago

Question that came up around adding SBOM checks to Scorecard.

How do we determine if the project should create an SBOM or not, depending on the type of release (application, library, ?) - see https://blog.deps.dev/zillions-of-sboms/. Is there a document describing when an SBOM makes sense in each ecosystem?

While this might lead to a larger discussion, I think it's a question that will repeatedly come up.
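For readers wondering what a release-level "does this project ship an SBOM?" check could look like in practice, here is an added example; it is not Scorecard's check and not SBOM Everywhere SIG code. It assumes the release assets are available as a filename-to-bytes mapping, recognises SBOMs by common filename conventions (`*.spdx.json`, `*.cdx.json`, `sbom.json`, `bom.xml`) and by sniffing SPDX/CycloneDX markers in the content, and uses a small list of file extensions as a heuristic for "this release ships built artifacts", the case where an SBOM is most clearly expected. The asset list at the bottom is constructed for the example.

```python
"""Heuristic SBOM presence check over a release's assets.

Added example for this thread; not Scorecard or SBOM Everywhere code.
Assumptions: assets are given as {filename: bytes}; SBOMs are detected by
filename convention and by sniffing SPDX / CycloneDX markers in the content.
"""
import json
import re
from typing import Dict, List, Optional

# Filename conventions seen in practice (assumption, not a standard).
SBOM_NAME_RE = re.compile(
    r"(\.spdx(\.json|\.xml|\.rdf|\.yaml|\.yml|\.tv)?$"   # foo.spdx.json, foo.spdx
    r"|\.cdx\.(json|xml)$"                                 # foo.cdx.json
    r"|(^|[-_.])s?bom([-_.][^/]*)?\.(json|xml)$)",         # bom.xml, sbom-1.2.json
    re.IGNORECASE,
)

# Extensions treated as built artifacts rather than source (assumption).
BUILT_ARTIFACT_RE = re.compile(
    r"\.(tar\.gz|tgz|zip|exe|msi|deb|rpm|apk|dmg|jar|war)$", re.IGNORECASE
)


def looks_like_sbom_name(name: str) -> bool:
    """Does the basename follow a common SBOM naming convention?"""
    return bool(SBOM_NAME_RE.search(name.rsplit("/", 1)[-1]))


def detect_sbom_format(content: bytes) -> Optional[str]:
    """Sniff the content: 'spdx', 'cyclonedx', or None if neither."""
    stripped = content.lstrip()
    if stripped.startswith(b"SPDXVersion:"):          # SPDX tag-value form
        return "spdx"
    try:
        doc = json.loads(stripped)                    # UnicodeDecodeError is a ValueError
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    return None


def check_release(assets: Dict[str, bytes]) -> Dict[str, object]:
    """Report which assets are SBOMs and whether the release ships built
    artifacts (the case where a missing SBOM deserves attention)."""
    found: List[Dict[str, str]] = []
    for name, content in assets.items():
        fmt = detect_sbom_format(content)
        if fmt is None and not looks_like_sbom_name(name):
            continue
        # Name matches but content is not SPDX/CycloneDX: keep it, but flag it.
        found.append({"asset": name, "format": fmt or "unrecognised"})
    ships_binaries = any(BUILT_ARTIFACT_RE.search(n) for n in assets)
    valid = [f for f in found if f["format"] != "unrecognised"]
    return {
        "sboms": found,
        "ships_built_artifacts": ships_binaries,
        "has_valid_sbom": bool(valid),
        "needs_attention": ships_binaries and not valid,
    }


# Constructed sample release (not a real project's assets).
SAMPLE_ASSETS = {
    "tool-1.4.0-linux-amd64.tar.gz": b"\x1f\x8b...",
    "tool-1.4.0.spdx.json": json.dumps(
        {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "tool"}
    ).encode(),
    "sbom.json": b'{"not": "an sbom"}',
    "checksums.txt": b"deadbeef  tool-1.4.0-linux-amd64.tar.gz\n",
}

if __name__ == "__main__":
    print(json.dumps(check_release(SAMPLE_ASSETS), indent=2))
```

The `needs_attention` flag is only raised when the release ships built artifacts and no recognisable SBOM is present; a release consisting solely of a registry package (a `.whl`, say) is left alone, which is one way to encode the application-versus-library distinction the question raises without pretending there is an ecosystem-wide rule yet.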

idunbarh commented 9 months ago

Thoughts @joshbressers if there is value in this being a future SBOM Everywhere SIG discussion topic?

joshbressers commented 8 months ago

I totally missed this, apologies (it's been a wild couple of weeks).

We did discuss this a bit today in our call. I think fundamentally this is a question that needs to be answered as part of the strike team effort.

https://docs.google.com/document/d/15_FKO8D03VSYDTNsMQZtn1aRfgVmModF-NM6VBnlrZA/edit#heading=h.1jccoh7pyeo0

I don't think they are necessarily tied together, as this could be written at any time. Anyone is welcome to start drafting this document (put it in the reference folder, or a Google Doc is fine).