@bkuhn @bwh @bagder @reproducible_builds @lexelas I don’t think I’ve heard any arguments that SBOMs are better than CCS with independently reproducible builds.

But the ages old (uncompelling to me, personally speaking) arguments that producing CCS with build instructions is overly burdensome or impractical remain.

And of course proprietary software vendors would prefer SBOM over CCS with modification permissions in their license.

@msw

I've heard it from Compliance Industrial Complex folks many times. There are so many ppl seeking to monetize SBOMs; they were entrenched before CRA & hired lobbyists to confuse Brusselcrats into thinking SBOMs were the ultimate panacea.

It's a mess, but I have hope that @lexelas can save us! Alex gets these issues & @fsfe is trying to undo the damage as part of the CRA regs (still being written). Europeans should volunteer to help #FSFE on this.

Cc: @bwh @bagder @reproducible_builds

@msw wrote:
> “focus on SBOMs… [means] … main objectives of improving resiliency, assurance, & trust are not met.”

I agree completely, but sadly that's always been part of the plan. SBOMs are one of the most insidious proprietary software advocacy ideas ever invented, because they are specifically designed to convince customers that they do not need software freedom & rights in their supply chain.

The industry is indeed being sold a “bill of goods”.

Cc: @lexelas @fsfe @reproducible_builds