> The only thing I can think of is if there should be
> separate VEX documents for each release.
Could you elaborate on this Brian? Our expectation was to have a single
VDR, that is
1. manually updated by the PMC
2. disclosing affected versions (either explicitly or by a version
range, e
On Fri, Oct 27, 2023 at 7:22 AM Gary Gregory wrote:
>
> FYI to Logging and Brian,
>
> Over at Apache Commons, I added generating of CycloneDX and SPDX SBOMs
> that we publish along with our artifacts. So I'd be curious if "we're
> doing it wrong" ;-)
>
> My take is that it is still early in the SB
FYI to Logging and Brian,
Over at Apache Commons, I added generating of CycloneDX and SPDX SBOMs
that we publish along with our artifacts. So I'd be curious if "we're
doing it wrong" ;-)
My take is that it is still early in the SBOM game and that we're
getting ahead of the game but just producing
Hi all,
On Thu, 19 Oct 2023 at 15:08, Volkan Yazıcı wrote:
> > We probably also need to fill in other keys in the SBOM:
>
> As far as I can read from sources, custom "keys" (i.e., "external
> references") are not supported by `cyclonedx-maven-plugin`. I am
> double-checking this with Hervé Boutem
It took me a while to do the research.
But I have some answers!
[See my comments below.]
> {
> "type" : "distribution",
> "url" : "https://repository.apache.org/service/local/staging/deploy/maven2"
> },
>
> This is a private URL for staging a release.
Below is the relevant excerpt from `c
Hi Volkan,
On Thu, 19 Oct 2023 at 11:42, Volkan Yazıcı wrote:
> Some of the settings you shared can be fixed for all projects, hence
> in `logging-parent` configuration. This will necessitate either a
> `10.2.0` RC2 or `10.2.1`.
I would prefer `10.2.1`. Let us publish `logging-parent`, find out
Those are all good points Piotr. Thanks for raising them.
Some of the settings you shared can be fixed for all projects, hence
in `logging-parent` configuration. This will necessitate either a
`10.2.0` RC2 or `10.2.1`.
The others need to be addressed per project, which I will implement
once we ha