I realize there is now a software bill of materials, both in JSON format as SBOM.txt and in a more human-readable version as Notice.txt, but we have some Ts&Cs that came across a project requiring that a list of all OSS be listed along with the licenses, with certain restrictions on what they would allow.

Since I had just looked at the nightly changelogs, I saw Milo was updated, and so I went over to the Notice.txt file and searched for Milo, but nothing was found (this was on v8.1.41). I was able to find references to it in the JSON version though, but was expecting to see it in both. Plus, submitting the human-readable version to the customer would be much easier than the JSON version.
These appear in the Notice file based on the artifact name of the dependency, usually, which means the Milo stuff won't be extremely visible; it will be under something like stack-*, sdk-*, bsd-* and others.

This is actually the reason the SBOM is included now. The Notice file is just for general license attribution for dependencies. The SBOM is a well-formatted JSON which provides more details about those dependencies, their versions, and their origination.

These files serve two distinct purposes; it sounds like you would need to provide the SBOM if you are looking for a Bill of Materials for what is included in Ignition.
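The reply above says the JSON SBOM carries the name, version and origin of each dependency, while the Notice file only lists artifact names such as stack-* or sdk-*. The following added example (not code from the thread, Ignition, or Inductive Automation) shows how a reviewer could flatten such a JSON SBOM into a plain name/version/license list, locate a dependency like Milo through its origin rather than its artifact name, and flag licenses outside an allowed set. It assumes a CycloneDX-style layout (`components`, `licenses`, `purl`); the thread does not say which SBOM schema SBOM.txt uses, so the key names may need adapting, and the sample document below is constructed for the demonstration.

```python
import json

# Constructed sample SBOM in a CycloneDX-style layout (assumption: the thread does not
# name the schema of Ignition's SBOM.txt). Names, versions and purls are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "stack-core", "version": "0.6.9",
         "licenses": [{"license": {"id": "EPL-2.0"}}],
         "purl": "pkg:maven/org.eclipse.milo/stack-core@0.6.9"},
        {"name": "sdk-client", "version": "0.6.9",
         "licenses": [{"license": {"id": "EPL-2.0"}}],
         "purl": "pkg:maven/org.eclipse.milo/sdk-client@0.6.9"},
        {"name": "example-copyleft-lib", "version": "1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "no-license-info", "version": "2.1"},
    ],
})

# Licenses the (hypothetical) customer Ts&Cs accept; anything else gets flagged.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-2.0"}


def load_components(sbom_text):
    """Flatten the SBOM into (name, version, origin, [license ids]) tuples."""
    doc = json.loads(sbom_text)
    rows = []
    for comp in doc.get("components", []):
        ids = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license") or {}
            # CycloneDX allows an SPDX id, a free-text name, or an SPDX expression.
            ids.append(lic.get("id") or lic.get("name") or entry.get("expression") or "UNKNOWN")
        rows.append((comp.get("name", ""), comp.get("version", ""), comp.get("purl", ""), ids or ["UNKNOWN"]))
    return rows


def find_dependency(rows, needle):
    """Match on artifact name OR origin, since e.g. Milo hides behind stack-*/sdk-* names."""
    n = needle.lower()
    return [r for r in rows if n in r[0].lower() or n in r[2].lower()]


def flag_restricted(rows, allowed=ALLOWED_LICENSES):
    """Components with any license outside the allowed set, including missing license data."""
    return [r for r in rows if any(lic not in allowed for lic in r[3])]


def render_notice(rows):
    """One human-readable line per component for a non-technical reviewer."""
    return "\n".join(f"{name} {version}: {', '.join(lics)}" + (f"  [{origin}]" if origin else "")
                     for name, version, origin, lics in rows)
```

Running `render_notice(load_components(open("SBOM.txt").read()))` against a real file gives the kind of list the original poster wanted to hand to the reviewers.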
Ok, thank you! I guess I was just expecting to see it as I don't think those reviewing the information are technical people (lawyers), but that also means they probably won't read it besides looking at what OSS licenses are used in the software.