We (Raspberry Pi PLC Ltd, NOT the Foundation) don't believe that the EU CRA (still a couple of years away) requires an SBOM; however, Federal purchases of software in the US do. We are looking into providing one, but TBH, for Raspberry Pi OS, it's rather a moving target - for example, running apt to update might change the SBOM in subtle ways, i.e. a library previously used may be replaced by a different one, changing the SBOM unexpectedly.
RPiOS is generated by pi-gen, https://github.com/RPi-Distro/pi-gen
Why do you need the SBOM, as I'd like to feed back to engineering in case we need to make roadmap changes?
Statistics: Posted by jamesh — Thu Jul 04, 2024 1:15 pm