SBOMs - Anywhere?

Anthony Harrison anthony.p.harrison at
Fri Mar 3 16:17:50 UTC 2023


Good to see that you are producing SBOMs. Do you produce them in both SPDX
and CycloneDX formats?

Are the SBOMs generated at an individual package level or at a distribution
level? Where are they stored/how are they made available to users?



On Mon, 27 Feb 2023 at 12:36, Morten Linderud <foxboron at>

> On Sat, Feb 25, 2023 at 03:56:59PM +0000, Anthony Harrison wrote:
> > So should Reproducible Builds start creating and using SBOMs (and
> > delivering them with builds)?
> Well, we have been doing that for many years.
> One of the important parts of being able to reproduce the builds is to record
> the information present in the build information into something serializable.
> The repro community landed on calling these files "buildinfo" and they predate
> several of the current SBOM standards being defined.
> We have some documentation here:
> The pacman format can be found here:
> Depending on the distributions they are not delivered with the builds.
> Debian/apt went with an out-of-build approach and the files are fetched
> centralized from one server, while Arch/pacman went with having these
> embedded into the package archives.
> --
> Morten Linderud
> PGP: 9C02FF419FECBE16
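Added example, not from either poster: it reads the kind of "buildinfo" record Morten describes (a pacman .BUILDINFO, whose `installed = name-ver-rel-arch` entries list the packages present at build time) and maps it to a minimal CycloneDX-style component list, which is the SPDX/CycloneDX question Anthony raises. The sample file is constructed; the field names follow the pacman BUILDINFO format as assumed here, and the `pkg:alpm` purl type is likewise an assumption.

```python
"""Turn a pacman .BUILDINFO record into a minimal CycloneDX-style component list."""
import json

# Constructed sample; key names follow the pacman BUILDINFO format (assumed here).
SAMPLE_BUILDINFO = """\
format = 2
pkgname = example
pkgver = 1.2.3-1
pkgarch = x86_64
builddate = 1677000000
installed = glibc-2.37-2-x86_64
installed = zlib-1:1.2.13-2-x86_64
installed = python-requests-2.28-1-any
"""

def parse_buildinfo(text):
    """Parse 'key = value' lines; repeated keys such as 'installed' collect into lists."""
    info = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(" = ")
        info.setdefault(key, []).append(value)
    return info

def split_installed(entry):
    """'name-[epoch:]ver-rel-arch' -> (name, '[epoch:]ver-rel', arch).
    Package names may contain '-', versions may not, so split from the right."""
    name_ver_rel, _, arch = entry.rpartition("-")
    name_ver, _, rel = name_ver_rel.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    return name, f"{ver}-{rel}", arch

def buildinfo_to_components(text):
    """One CycloneDX-style component per build-time installed package."""
    components = []
    for entry in parse_buildinfo(text).get("installed", []):
        name, version, arch = split_installed(entry)
        components.append({"type": "library", "name": name, "version": version,
                           # purl type for Arch Linux packages (assumed)
                           "purl": f"pkg:alpm/arch/{name}@{version}?arch={arch}"})
    return components

def buildinfo_to_cyclonedx(text):
    """Wrap the components in a minimal CycloneDX JSON document."""
    info = parse_buildinfo(text)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "metadata": {"component": {"type": "application",
                                       "name": info["pkgname"][0],
                                       "version": info["pkgver"][0]}},
            "components": buildinfo_to_components(text)}

if __name__ == "__main__":
    print(json.dumps(buildinfo_to_cyclonedx(SAMPLE_BUILDINFO), indent=2))
```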

More information about the rb-general mailing list