Making reproducible builds & GitBOM work together in spite of low-level component variation

Santiago Torres-Arias santiago at archlinux.org
Wed Jun 22 20:19:34 UTC 2022


On Wed, Jun 22, 2022 at 12:28:51PM -0700, Vagrant Cascadian wrote:
> On 2022-06-22, Vagrant Cascadian wrote:
> > On 2022-06-22, David A. Wheeler wrote:
> >> GitBOM is explained at <https://gitbom.dev/>. As they explain it, its purpose is to:
> >> 	• Build a compact Artifact Dependency Graph (ADG), tracking every source code file incorporated into each built artifact.
> >> 	• Embed a unique, content-addressable reference for that Artifact Dependency Graph (ADG), the GitBOM identifier, into the artifact
> >> at build time.
> 
> In my previous reply, I somehow glazed over the fact that the ADG and
> GitBOM identifier are embedded in the artifacts at build time...

My understanding is that gitbom in and by itself is not picky on where
you put it, and embedding it in, say, an ELF header, is just a particular
instantiation of it. Part of what I'm hoping we can do is e.g., create a
SLSA provenance attestation in in-toto that points to the gitbom of the
sources/environment and whatnot.

Ideologically, I don't think it's much different from a buildinfo
file...

Cheers!
-Santiago
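The workflow Santiago sketches (a content-addressable GitBOM for the inputs, referenced from an in-toto/SLSA provenance statement rather than necessarily embedded in the binary) can be made concrete in a few lines. The following is an added example written for this page; it is not code from the thread, from gitbom.dev, or from in-toto/SLSA. It assumes the GitBOM conventions as published at the time (a gitoid is git's SHA-1 blob hash, and a GitBOM document is the sorted list of `blob <gitoid>` lines whose own gitoid is the GitBOM identifier); the source files, the artifact, the builder id, the `digest` key name `gitoid` in the SLSA materials, and the in-toto statement field names are illustrative choices made here, not something the page specifies.

```python
import hashlib
import json

# --- GitBOM side ------------------------------------------------------------

def gitoid_blob(data: bytes) -> str:
    """gitoid of a blob: SHA-1 over git's object header ("blob <size>\\0")
    followed by the contents. This is exactly `git hash-object` for a file,
    so the id is content-addressable and reproducible across machines."""
    header = b"blob %d\0" % len(data)
    return hashlib.sha1(header + data).hexdigest()


def build_gitbom_document(sources: dict) -> bytes:
    """Build a flat GitBOM (ADG) document from {name: contents}.

    Assumed format (per the GitBOM spec as this example understands it):
    one 'blob <gitoid>\\n' line per distinct input, sorted, deduplicated.
    File names are deliberately NOT part of the document: two trees with
    identical contents under different paths yield the same ADG."""
    ids = sorted({gitoid_blob(content) for content in sources.values()})
    return "".join(f"blob {g}\n" for g in ids).encode("ascii")


def gitbom_id(doc: bytes) -> str:
    """The GitBOM identifier is just the gitoid of the document itself."""
    return gitoid_blob(doc)


# --- in-toto / SLSA side ----------------------------------------------------

def slsa_provenance(artifact_name: str, artifact: bytes,
                    bom_id: str, sources: dict, builder_id: str) -> dict:
    """An in-toto Statement (v0.1) carrying a SLSA v0.2 provenance predicate
    whose materials point at the GitBOM id and at each source gitoid.
    Using 'gitoid' as a digest algorithm name is an assumption here."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{
            "name": artifact_name,
            "digest": {"sha256": hashlib.sha256(artifact).hexdigest()},
        }],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.invalid/gitbom-demo/v1",  # hypothetical
            "materials": [{"uri": "gitbom:" + bom_id, "digest": {"gitoid": bom_id}}]
                         + [{"uri": "file:" + name,
                             "digest": {"gitoid": gitoid_blob(content)}}
                            for name, content in sorted(sources.items())],
        },
    }


def demo() -> dict:
    """Constructed sample inputs (not real files): two sources, one artifact."""
    sources = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "src/util.h": b"#define UTIL 1\n",
    }
    artifact = b"\x7fELF-pretend-binary"  # constructed stand-in for a built ELF
    doc = build_gitbom_document(sources)
    bom = gitbom_id(doc)
    stmt = slsa_provenance("hello", artifact, bom, sources,
                           builder_id="https://example.invalid/builder")  # hypothetical
    # A rebuild from identical sources must reproduce the same BOM id, which
    # is what lets a verifier tie the attestation back to the exact inputs.
    assert gitbom_id(build_gitbom_document(dict(sources))) == bom
    return {"gitbom_document": doc.decode(), "gitbom_id": bom, "statement": stmt}


if __name__ == "__main__":
    out = demo()
    print(out["gitbom_document"], end="")
    print("gitbom id:", out["gitbom_id"])
    print(json.dumps(out["statement"], indent=2))
```

The point the email makes is visible in the code: nothing about the GitBOM depends on where it is stored. The same `gitbom_id` could be written into an ELF note section by the linker or, as here, simply cited from a signed in-toto statement, and a verifier checks it the same way, by rebuilding the document from the inputs and comparing gitoids, much as one would compare a `.buildinfo` file's checksums.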