Comments below. >>
Does Microsoft have any publicly accessible information that describes the objectives, testing methodology, and success metrics for the POC?
>> Not yet - we are still early in our POC thinking. We are planning to be as transparent as possible, however, and share our plans, progress and results with this forum.
I’m specifically interested in knowing more about the 2 BOM approach as that differs from other supply chain formats such as ePedigree. Some of the good ideas from ePedigree were used as inspiration in the development of CycloneDX, possibly others.
>> I was not previously aware of ePedigree. Is this it? https://www.xymogen.com/about-us/epedigree/
I’m also interested in knowing how the success metrics will be compared to what other organizations are achieving with policy-based SBOM build pipelines. Is Microsoft aiming to achieve more than what’s currently possible, or simply to validate that the OMG format is capable of the use cases Microsoft has?
>> I am not aware of success metrics for other organizations with policy-based SBOM build pipelines. Is there information you can share? Are there other organizations we can bring into this effort so that we can share learning?
Anyway, any info would be useful.
On Jan 28, 2020, 4:30 PM -0600, Kay Williams <firstname.lastname@example.org>, wrote: