"caddy add-package", "caddy remove-package", "caddy list-modules" could have a JSON out param to aid with SBOM and other factors

[gedw99]

We could add JSON out on caddy add-package , caddy remove-package and caddy list-modules --packages --versions commands, so that we can do solid automation, to help have a good SBOM practices.

I often do this so that I know whats inside at all times, and pipe it to a file as meta data for all systems.

JSON seems like the defecto format.

Its also a good way to do higher level automations.

[mohammed90]

Given this issue and the others (#6549 and #6548, and the linked infogulch/xtemplate#19), I think you're using the wrong tool for the job. The add-package and remove-package are not build systems to expect them to produce SBOMs. The 2 commands use our build-server (same used by download page) for the builds, which comes without any SLA. We also run the risk of reinventing goreleaser, which does everything you want and more.

If you want to achieve automation, use xcaddy (standalone or in combination with goreleaser) to control your builds. Baking everything into Caddy is the wrong way to go about it.

[mholt]

Yeah, I think I agree; I haven't intended those commands to automate builds, not in this way. There are better ways to do it with xcaddy.

[gedw99]

Got it . Thanks all for the steeeing !!