Back

@evana What makes you think because they "made the thing" they know what's inside? At many vendors, what they call the "development team" is mostly clicking things together from some "modular system". They have no clue what gets dragged in or, when you tell them, how to get rid of some unwanted dependency ("but we don't use that!"). Telling them "use exclude:group in your build.gradle" overtaxes them (yepp, a real case I had) @danderson

@IzzyOnDroid @danderson I guess I need to be more clear:

I think it's unfortunate that our tools don't automatically record what they put inside. I'm hopeful that the addition of SBOM requirements for federal contracting will help drive improvements in the tooling so that we can get the contents of our software automatically.

Right now, I'm hearing that we know everything that goes into the factory, so we assume that all of that goes into the Twinkies that come out. Including the bolts...

@evana Oopsie… No offense meant! Wasn't aware you were involved. Still, my "rant" holds its truth unfortunately in far too many places. But I should add that with the current tools it's not always easy to be aware what went it or what dragged in other things (well, one can check the dependency tree in most cases, but does not always remember too). One reason more than one FOSS dev expressed their thanks to the additional checks at the #IzzyOnDroid repo, for example…

So: apologies 4 my phrasing!

@IzzyOnDroid no problem! The post went a little further than I expected, and I wanted to follow up with how I thought we could genuinely make software better.