[Git][reproducible-builds/reproducible-website][master] 2022-05: SPDX team for build metadata

Chris Lamb (@lamby) gitlab at salsa.debian.org
Mon Jun 6 07:11:10 UTC 2022



Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website


Commits:
17ca3358 by Sebastian Crane at 2022-06-05T22:41:58+01:00
2022-05: SPDX team for build metadata

- - - - -


1 changed file:

- _reports/2022-05.md


Changes:

=====================================
_reports/2022-05.md
=====================================
@@ -41,6 +41,20 @@ Johannes Schauer discovered a fascinating bug where simply naming your Python va
 
 Simply renaming the dummy method from `_m` to `_b` was enough to workaround the problem. [Johannes' bug report](https://github.com/python/cpython/issues/92132) first led to a number of improvements in *diffoscope* to aid in dissecting `.pyc` files, but upstream identified this as caused by an issue surrounding [interned strings](https://en.wikipedia.org/wiki/String_interning) and is being tracked in [CPython bug #78274](https://github.com/python/cpython/issues/78274).
 
+#### SPDX forms new team to bring build metadata to Software Bill of Materials
+
+[SPDX, the open standard for Software Bill of Materials (SBOM)](https://spdx.dev), is continuously developed by a number of teams and committees. SPDX now welcomes a new addition - a team dedicated to enhancing metadata about software builds, complementing reproducible builds in creating a more secure software supply chain. The SPDX Builds Team has been working throughout May to define the universal primitives shared by all build systems, including the 'who, what, where and how' of builds:
+
+* Who: the identity of the person or organisation that controls the build infrastructure
+
+* What: the inputs and outputs of a given build, combining metadata about the build's configuration with an SBOM describing source code and dependencies
+
+* Where: the software packages making up the build system, from build orchestration tools such as [Woodpecker CI](https://woodpecker-ci.org/docs/intro) and [Tekton](https://tekton.dev/) to language-specific tools
+
+* How: the invocation of a build, linking metadata of a build to the identity of the person or automation tool that initiated it
+
+The SPDX Builds Team expects to have a usable data model by September, ready for inclusion in the upcoming SPDX 3.0 standard. The team welcomes new contributors, inviting those interested in joining to introduce themselves on the [SPDX Tech mailing list](https://lists.spdx.org/g/spdx-tech).
+
 #### Supply-chain security attacks
 
 This was another bumper month for supply-chain attacks in package repositories. Early in the month, Lance R. Vick noticed that the maintainer of the NPM `foreach` package let their personal email domain expire, so they bought it and now "[controls `foreach` on NPM and the 36,826 projects that depend on it](https://mastodon.social/@lrvick/108274265429826806)". Shortly afterwards, [Drew DeVault](https://drewdevault.com/) published a related blog post titled [*When will we learn?*](https://drewdevault.com/2022/05/12/Supply-chain-when-will-we-learn.html) that offers a brief timeline of major incidents in this area and, not uncontroversially, suggests that the "correct way to ship packages is with your distribution’s package manager".
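Review bot: the new SPDX section names "The SPDX Builds Team" twice (first and last paragraphs) without linking it, while Woodpecker CI, Tekton and the SPDX Tech mailing list are all linked; since the closing sentence invites readers to join, consider linking the team name to its page (URL not present in this hunk) so the call for contributors is actionable. Two smaller points in the same section: "a new addition - a team dedicated to" uses a spaced hyphen as a dash, where a colon ("a new addition: a team dedicated to") reads cleaner in the report's prose, and the four bullets are separated by blank lines, which Markdown renders as a loose list with paragraph spacing; if the surrounding report uses compact lists, drop the blank lines between the "Who/What/Where/How" items to match.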



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/17ca3358b1408903d68490a9474d895bac7846b5




