SBOMs - Anywhere?

Morten Linderud foxboron at archlinux.org
Mon Feb 27 12:35:45 UTC 2023


On Sat, Feb 25, 2023 at 03:56:59PM +0000, Anthony Harrison wrote:
> So should Reproducible Builds start creating and using SBOMs (and
> delivering them with builds)?

Well, we have been doing that for many years.

One of the important parts of being able to reproduce the builds is to record the
information present in the build into something serializable. The
repro community landed on calling these files "buildinfo", and they predate
several of the current SBOM standards being defined.

We have some documentation here:
https://reproducible-builds.org/docs/recording/

The pacman format can be found here:
https://man.archlinux.org/man/core/pacman/BUILDINFO.5.en

Depending on the distribution, they are not delivered with the builds.
Debian/apt went with an out-of-build approach and the files are fetched
centrally from one server, while Arch/pacman went with having these embedded
into the package archives.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
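As an added example (not part of the post, and not pacman's or reproducible-builds.org's own code): a small parser for the `key = value` layout of a pacman BUILDINFO file as documented in the linked man page, plus a diff of the recorded `installed` build inputs between two builds, which is the comparison a reproducibility or supply-chain check would make. It assumes that `installed`, `buildenv` and `options` are the repeating keys and that `installed` entries take the form `name-version-release-arch`; the sample file content is constructed.

```python
# Added example: parse a pacman-style BUILDINFO file ('key = value' lines, some
# keys repeating) and diff the recorded build inputs of two builds.
from collections import defaultdict

MULTI_KEYS = {"installed", "buildenv", "options"}  # keys assumed allowed to repeat

# Constructed sample (not a real package): two builds differing in one input.
BUILDINFO_A = """\
format = 2
pkgname = example
pkgver = 1.0-1
pkgarch = x86_64
builddate = 1677000000
buildenv = check
installed = glibc-2.37-1-x86_64
installed = gcc-12.2.1-1-x86_64
"""
BUILDINFO_B = BUILDINFO_A.replace("gcc-12.2.1-1-x86_64", "gcc-12.2.1-2-x86_64")


def parse_buildinfo(text):
    """Return a dict: multi-valued keys map to lists, all others to a string."""
    info = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if " = " not in line:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = line.split(" = ", 1)
        info[key].append(value)
    out = {}
    for key, values in info.items():
        if key in MULTI_KEYS:
            out[key] = values
        elif len(values) == 1:
            out[key] = values[0]
        else:
            raise ValueError(f"single-valued key {key!r} repeated")
    return out


def split_installed(entry):
    """Split 'name-version-release-arch' from the right: names may contain '-'."""
    name, ver, rel, arch = entry.rsplit("-", 3)
    return name, f"{ver}-{rel}", arch


def diff_installed(text_a, text_b):
    """Return {name: (version_a, version_b)} for inputs that differ between builds."""
    a = {n: v for n, v, _ in map(split_installed, parse_buildinfo(text_a)["installed"])}
    b = {n: v for n, v, _ in map(split_installed, parse_buildinfo(text_b)["installed"])}
    return {n: (a.get(n), b.get(n)) for n in a.keys() | b.keys() if a.get(n) != b.get(n)}
```

An empty diff means both builds recorded the same installed inputs; a non-empty one names the package whose version changed between them.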