GRASS should publish a Software Bill of Materials (SBOM) as part of its release process so users, distributors, and security tooling can inspect the project’s software composition more easily.
Suggested approach:
- Generate the SBOM automatically in CI for release builds
- Publish it alongside release tarballs and binaries
- Prefer SPDX as the default format for broad compatibility
- Keep the workflow in the repo so the SBOM can be regenerated consistently for each release
- Optionally expose the current repository SBOM through GitHub’s dependency graph export as a secondary, GitHub-native source
This would improve transparency, supply-chain visibility, and downstream compliance for GRASS users and packagers.
Suggested tasks:
- Add a GitHub Actions workflow to generate SBOMs on tags/releases (see e.g. here)
- Choose an SBOM format, preferably SPDX
Acceptance criteria:
- Every official GRASS release includes an SBOM artifact
- The SBOM is generated automatically and reproducibly
- The format and location of the SBOM are documented in the repository
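An added example, not from the GRASS issue or repository, of what the suggested tasks could look like as a single GitHub Actions workflow: it runs when a release is published, generates an SPDX JSON SBOM of the tagged source tree with anchore/sbom-action, attaches it to the release next to the tarballs, and submits the same data to GitHub's dependency graph as the secondary source. The workflow name, the output file name, and the choice of anchore/sbom-action as the generator are assumptions.

```yaml
# .github/workflows/sbom.yml  (assumed path; name and file names are placeholders)
name: Release SBOM

on:
  release:
    types: [published]        # one SBOM per official release, regenerated from the tag

permissions:
  contents: write             # required to attach release assets and submit a dependency snapshot

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Scan exactly the source that was released, not the default branch.
          ref: ${{ github.event.release.tag_name }}

      - name: Generate SPDX SBOM from the tagged source tree
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          # Assumed naming scheme; document whatever scheme is chosen in the repo
          # so the acceptance criterion "format and location are documented" is met.
          output-file: grass-${{ github.event.release.tag_name }}.spdx.json
          artifact-name: grass-${{ github.event.release.tag_name }}.spdx.json
          upload-artifact: true          # keep a copy with the workflow run for auditing
          upload-release-assets: true    # publish alongside the release tarballs and binaries
          dependency-snapshot: true      # secondary, GitHub-native source via the dependency graph
```

Because the input is the source tree, the resulting SBOM describes declared dependencies of the release sources; if binaries are built in the same workflow, run the generator a second time against the build output or container image so the published artifact matches what was actually shipped.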