SBOMs - Anywhere?

Anthony Harrison anthony.p.harrison at gmail.com
Fri Mar 3 16:17:50 UTC 2023


Morten

Good to see that you are producing SBOMs. Do you produce them in both SPDX
and CycloneDX formats?

Are the SBOMs generated at an individual package level or at a distribution
level? Where are they stored/how are they made available to users?

Regards

Anthony

On Mon, 27 Feb 2023 at 12:36, Morten Linderud <foxboron at archlinux.org> wrote:

> On Sat, Feb 25, 2023 at 03:56:59PM +0000, Anthony Harrison wrote:
> > So should Reproducible Builds start creating and using SBOMs (and
> > delivering them with builds)?
>
> Well, we have been doing that for many years.
>
> One of the important aspects of being able to reproduce the builds is to record
> the information present in the build environment into something serializable.
> The repro community landed on calling these files "buildinfo" and they predate
> several of the current SBOM standards being defined.
>
> We have some documentation here:
> https://reproducible-builds.org/docs/recording/
>
> The pacman format can be found here:
> https://man.archlinux.org/man/core/pacman/BUILDINFO.5.en
>
> Depending on the distribution they are not delivered with the builds.
> Debian/apt went with an out-of-build approach and the files are fetched
> centralized from one server, while Arch/pacman went with having these
> embedded into the package archives.
>
> --
> Morten Linderud
> PGP: 9C02FF419FECBE16
>
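As an added example (not code from this thread, from Arch, or from the pacman project), the following Python script shows the relationship Morten describes between a buildinfo record and an SBOM: it parses a BUILDINFO-style `key = value` file, turns the `installed` entries into a minimal CycloneDX-shaped component list, and diffs the build environments of two builds so that a reproducibility failure can be traced to a changed build dependency. The sample BUILDINFO text is constructed; the key names follow my reading of the BUILDINFO(5) page linked above, and the `pkg:alpm/arch/...` purl form is an assumption.

```python
"""Parse a pacman-style BUILDINFO file and derive a minimal SBOM from it.

Added example; the sample input below is constructed, and the key names
(pkgname, pkgver, pkgarch, installed, ...) are assumed from BUILDINFO(5).
"""
import json
import re
from collections import defaultdict

# Constructed sample in the "key = value" style of BUILDINFO(5).
SAMPLE_BUILDINFO = """\
format = 2
pkgname = example-tool
pkgbase = example-tool
pkgver = 1.2.3-1
pkgarch = x86_64
packager = Example Packager <packager@example.invalid>
builddate = 1677500000
buildenv = !distcc
buildenv = color
options = strip
installed = glibc-2.37-1-x86_64
installed = openssl-3.0.8-1-x86_64
installed = zlib-ng-compat-2.0.6-1-x86_64
"""

# An installed entry is "<pkgname>-<pkgver>-<pkgrel>-<arch>"; pkgname may
# itself contain hyphens, so the name is matched greedily and the last three
# hyphen-separated fields are taken from the right.
INSTALLED_RE = re.compile(
    r"^(?P<name>.+)-(?P<pkgver>[^-]+)-(?P<pkgrel>[^-]+)-(?P<arch>[^-]+)$"
)


def parse_buildinfo(text):
    """Return a dict of key -> list of values (keys may repeat)."""
    data = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        data[key.strip()].append(value.strip())
    return dict(data)


def split_installed(entry):
    """Split 'name-pkgver-pkgrel-arch' into (name, 'pkgver-pkgrel', arch)."""
    match = INSTALLED_RE.match(entry)
    if not match:
        raise ValueError(f"malformed installed entry: {entry!r}")
    version = f"{match.group('pkgver')}-{match.group('pkgrel')}"
    return match.group("name"), version, match.group("arch")


def buildinfo_to_cyclonedx(info):
    """Build a minimal CycloneDX-shaped dict from parsed BUILDINFO data."""
    pkgname, pkgver, arch = info["pkgname"][0], info["pkgver"][0], info["pkgarch"][0]
    components = []
    for entry in info.get("installed", []):
        name, version, parch = split_installed(entry)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            # Assumed purl form for Arch packages; adjust if your tooling differs.
            "purl": f"pkg:alpm/arch/{name}@{version}?arch={parch}",
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {
            "type": "application", "name": pkgname, "version": pkgver,
            "purl": f"pkg:alpm/arch/{pkgname}@{pkgver}?arch={arch}",
        }},
        "components": components,
    }


def diff_build_environments(info_a, info_b):
    """Report which installed build dependencies differ between two builds."""
    env_a = dict(split_installed(e)[:2] for e in info_a.get("installed", []))
    env_b = dict(split_installed(e)[:2] for e in info_b.get("installed", []))
    return {
        "only_in_a": sorted(set(env_a) - set(env_b)),
        "only_in_b": sorted(set(env_b) - set(env_a)),
        "version_changed": sorted(
            (n, env_a[n], env_b[n]) for n in set(env_a) & set(env_b) if env_a[n] != env_b[n]
        ),
    }


if __name__ == "__main__":
    info = parse_buildinfo(SAMPLE_BUILDINFO)
    print(json.dumps(buildinfo_to_cyclonedx(info), indent=2))
    rebuilt = parse_buildinfo(SAMPLE_BUILDINFO.replace("openssl-3.0.8-1", "openssl-3.0.9-1"))
    print(diff_build_environments(info, rebuilt))
```

The diff function is the part that matters for reproducibility work: when two rebuilds of the same source produce different artifacts, the first question is whether the recorded build environments actually matched, and the `installed` list is what answers it.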