Re: End Of Life Tag in spdx #spdx
On Fri, May 20, 2022 at 2:32 AM Steve Kilbane <stephen.kilbane@...> wrote:
Sort of. Security information is even more likely to change after release, EOL for open source components supported by the community may, but much less frequently.
Thinking so far, is that this would start out as an optional field, so that those who do know the information
when assembling an SBOM can include it.
Example: you are using a product that contains the linux 4.9 kernel. You know from the community (https://kernel.org/category/releases.html) that it will go out of support Jan 2023 (as of today, but this may evolve),
so including this information, which could then be queried by a script around then, and then determine next steps,
is going to be much more efficient then expecting all consumers of your product to add it manually. Similarly
certain distros have expectations of EOL for support from the community (https://wiki.debian.org/LTS).
To your point, there may well be a contract with a supplier, with a date that extends this, and in that case there
are likely processes already in place to track/monitor/etc. in an organization. However those consuming open
source based products are not necessarily tracking the upstream components EOL, and probably should be.
Adding this field, as optional, enables more efficiency.