Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-129916

Consider hosting prebuilt Qt SBOMs as plain text files on a well-defined location on the web

    XMLWordPrintable

Details

    Description

      Currently the SBOM files for Qt 6.8.0 are shipped as part of the Qt binary packages, and can only be viewed after installing Qt locally via the online installer.

      It could be beneficial to also host the SBOM files as plain text (non-archived) files in some well-defined location on the web, so that other projects that consume a specific version of prebuilt Qt, can link to the corresponding SBOMs.

      It will likely also make it easier for any SBOM compliance tooling to automatically download and process the SBOM files based on knowing the Qt version and platform.

      It also makes it easy to quickly look up information like dependency versions used for a specific Qt, urls to the dependencies, etc.

      The location on the web should likely be behind a CDN, to protect against traffic that might come from automated tooling like CI, scanners, etc.

      Attachments

        Issue Links

          resulted from

          User Story - Created by Jira Software - do not edit or delete. Issue type for a user story. QTBUG-122899 Generate SBOM from Qt build system

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • In Progress
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              releaseteam Qt Release Team
              alexandru.croitor Alexandru Croitor
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are no open Gerrit changes