Thanks for your post & your counter 😆
I'm curious: you characterize the EU #CRA as requiring #SBOM's *specifically*. I know the License Compliance Industrial Complex wants it to be true, but I researched this issue for my #FOSDEM 2025 talk…
https://fosdem.org/2025/schedule/event/fosdem-2025-6155-is-there-really-an-sbom-mandate-/
… & IIUC CRA *doesn't* specify SBOMs specifically.
IMO, if the vendor gives the customer complete, Corresponding Source & a 100% [@reproducible_builds](https://fosstodon.org/@reproducible_builds ) they've complied with CRA. No one has shown me anything that disproves that.
Bradley M. Kühn
npub1p8…etcuc
2025-07-11 20:33:05 UTC
in reply to nevent1q…8pmk
Author Public Key
npub1p8fw3gm5ejz5yzscznf7hlplclsmn3t9jnswqdvdytm88uutesnsvetcucSeen on
wss://relay.momostr.pinkPublished at
2025-07-11 20:33:05 UTCEvent JSON
{
"id": "79fadb450543ad94775848136e6dfdca2edd94b57ac8293227ed743b48bc9f87",
"pubkey": "09d2e8a374cc85420a1814d3ebfc3fc7e1b9c56594e0e0358d22f673f38bcc27",
"created_at": 1752265985,
"kind": 1,
"tags": [
[
"proxy",
"https://fedi.copyleft.org/@bkuhn/114836503599175854",
"web"
],
[
"e",
"bc383e28cb41546c7685135997cf8542c8440445ca60b29fa0f554cf4082859a",
"",
"root",
"c6ded81787e5543f1b20f09d744b089443524d9e6fe4a95aaeb4c07b42e012cb"
],
[
"p",
"b88e103d1d720ec2582b9641310fe09cf4ab7b1b1cb139fe6fc142e49275d5b2"
],
[
"t",
"fosdem"
],
[
"t",
"cra"
],
[
"p",
"c6ded81787e5543f1b20f09d744b089443524d9e6fe4a95aaeb4c07b42e012cb"
],
[
"t",
"sbom"
],
[
"proxy",
"https://fedi.copyleft.org/users/bkuhn/statuses/114836503599175854",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://fedi.copyleft.org/users/bkuhn/statuses/114836503599175854",
"pink.momostr"
],
[
"-"
]
],
"content": "Thanks for your post \u0026 your counter 😆\n\nI'm curious: you characterize the EU #CRA as requiring #SBOM's *specifically*. I know the License Compliance Industrial Complex wants it to be true, but I researched this issue for my #FOSDEM 2025 talk…\nhttps://fosdem.org/2025/schedule/event/fosdem-2025-6155-is-there-really-an-sbom-mandate-/\n… \u0026 IIUC CRA *doesn't* specify SBOMs specifically.\nIMO, if the vendor gives the customer complete, Corresponding Source \u0026 a 100% [@reproducible_builds](https://fosstodon.org/@reproducible_builds ) they've complied with CRA. No one has shown me anything that disproves that.",
"sig": "a7061b1eaa3ab496ea1907a856f2bf53c3b94f578ab1f935480c47af5720bd01d55792173fd5f2bed602e72f62a68f21834f3514cb3bb0532372e2978e17b440"
}