Florian Apolloner
florian.apolloner.eu
@florian.apolloner.eu
Dabbling in many things. Mostly Ops and Python stuff.
Afaik becoming a CNA will allow you to prevent such CVEs in the first place.
May 10, 2025 at 6:04 PM
So basically a "get or create"? Haki has a great article about the ups and downs of the individual approaches: hakibenita.com/postgresql-g...
[Link card: How to Get or Create in PostgreSQL. And why it is so easy to get wrong... (hakibenita.com)]
May 10, 2025 at 5:59 PM
Certainly "as we know it". I am so sorry, I just couldn't resist.
December 9, 2024 at 4:54 PM
Thanks, that brings me to my next question: would you recommend NATS or rather not use it again (independent of Channels). It looks really great, but I don't have any experience with it yet.
November 25, 2024 at 6:21 AM
I wonder why that often happens? I think Kubernetes really seems off-putting at first due to the sheer size. Docker Swarm and HashiCorp Nomad seem so much simpler in comparison (but also offer less, I guess).
November 24, 2024 at 4:05 PM
I nearly spilled my coffee 😂 Funnily enough, we are just working out a plan to start using k8s. I think I still hate it, but one cannot deny the benefits.
November 24, 2024 at 3:43 PM
No argument on cibuildwheel, which is why I was explicitly asking about stage 1 -- i.e. source bundling. downloadLocation might indeed be an answer, but most likely means using all the security analysis you'd get otherwise.
November 22, 2024 at 9:39 PM
And while I agree that a name & version is better than nothing, it is pretty much close to nothing, IMO. Maybe it helps someone looking at the SBOM manually, but I do not have the feeling that it will help any software using that SBOM.
November 22, 2024 at 8:39 PM
But do Package URLs actually work? I mean, if I embed libpq, what would be the correct purl for it -- there doesn't seem to be a scheme for the actual source without having a repository (I might be missing something). I am trying to use purls over CPEs where possible due to all the false positives with CPEs :/
November 22, 2024 at 8:38 PM
Nice post, some questions though. Stage 1: what are suitable identifiers for bundled software (purl/packageUrl)? Stage 2: even without extra dependencies like Maturin etc., shouldn't the build backend inject itself as well?
November 22, 2024 at 8:13 PM
Uff, can't wait to read that. Will it have tooling advice as well? All the generators I have tried so far seem to have issues one way or the other. 🙈 So I am kinda afraid of even trying to merge SBOMs 😂
November 22, 2024 at 6:34 AM