Hi!
SBOM - Software Bill of Materials - often comes up in discussions in my projects. There’s a new working group in the IETF working on it and several other standardization bodies.
A starting point is identification of the license in each source code file with a parseable SPDX identifier.
- Is anyone against adding that to our source code?
- Would it be beneficial for packaging in any way?
I think at some point in the future, a SBOM list in <pick format> will be included in packages, in order to be able to produce a SBOM for the container or the machine.
As we have multiple licenses in the source code it’s important to mark every file correctly.
I can start experimenting with http_client, then work myself around, if the dev community doesn’t scream and argue that it’s a bad thing (TM).
Read more here:
- SPDX - a Linux Foundation project and ISO standard - https://spdx.dev
- Tags in source code - https://spdx.dev/ids/
Cheers, /O
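A small audit of the kind the proposal calls for, added here as an example and not part of the original post or of the project: it scans source files for the short-form `SPDX-License-Identifier:` tag described at https://spdx.dev/ids/, reports files that lack one, and tallies the license identifiers that would feed an SBOM. The file contents are constructed inline, and the example assumes the tag sits within the first five lines of a file (a convention, not something the post specifies).

```python
import re
from collections import Counter

# Short-form SPDX tag as it appears inside a source-file comment, for example
#   %% SPDX-License-Identifier: Apache-2.0          (Erlang)
#   /* SPDX-License-Identifier: MIT OR GPL-2.0-or-later */   (C)
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*(?P<expr>[^\r\n]+)")

# Assumption of this example: the tag must appear within the first few lines,
# so a license string buried deep in a file is not mistaken for a header tag.
HEADER_LINES = 5


def extract_license_expression(text):
    """Return the license expression from a file's SPDX tag, or None if absent."""
    head = "\n".join(text.splitlines()[:HEADER_LINES])
    match = SPDX_TAG.search(head)
    if not match:
        return None
    expr = match.group("expr").strip()
    # Drop comment terminators that may trail the expression (block comments).
    return re.sub(r"\s*(\*/|-->)\s*$", "", expr)


def license_ids(expr):
    """Split an SPDX expression on AND / OR into individual identifiers.

    Parentheses are stripped; 'WITH <exception>' stays attached to its license
    so that e.g. 'GPL-2.0-only WITH Classpath-exception-2.0' is one entry.
    """
    tokens = re.split(r"\s+(?:AND|OR)\s+", expr)
    return [t.strip("() ") for t in tokens if t.strip("() ")]


def audit(files):
    """Audit a mapping of path -> contents.

    Returns (paths_missing_tag, {path: expression}, Counter of license ids).
    """
    missing = []
    per_file = {}
    counter = Counter()
    for path in sorted(files):
        expr = extract_license_expression(files[path])
        if expr is None:
            missing.append(path)
            continue
        per_file[path] = expr
        counter.update(license_ids(expr))
    return missing, per_file, counter


# Constructed sample tree: three tagged files in different comment styles and
# one legacy file without a tag.
SAMPLE_FILES = {
    "src/http_client.erl": "%% SPDX-License-Identifier: Apache-2.0\n-module(http_client).\n",
    "src/util.c": "/* SPDX-License-Identifier: MIT OR GPL-2.0-or-later */\n#include <stdio.h>\n",
    "src/legacy.erl": "-module(legacy).\n%% no license tag here\n",
    "scripts/build.sh": "#!/bin/sh\n# SPDX-License-Identifier: Apache-2.0\necho build\n",
}


def main():
    missing, per_file, counter = audit(SAMPLE_FILES)
    for path, expr in per_file.items():
        print(f"{path}: {expr}")
    for path in missing:
        print(f"{path}: MISSING SPDX-License-Identifier")
    print("license summary:", dict(counter))


if __name__ == "__main__":
    main()
```

Run against a real checkout by replacing `SAMPLE_FILES` with a walk over the tree; the `missing` list is the gate a CI job would fail on, and `counter` is the per-license count a packaging step could emit alongside the package.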