RFC "2025 Minimum Elements for a Software Bill of Materials"
Ludovic Courtès
ludo at gnu.org
Thu Oct 2 13:49:11 UTC 2025
Hello,
FWIW, comrades and I in Guix replied to a previous CISA request for
comments on identifying software:
https://guix.gnu.org/en/blog/2024/identifying-software/
The TLDR is:
1. Source code can be identified through inherent identifiers such as
cryptographic hashes—see <https://www.swhid.org/> in particular.
2. Binary artifacts, instead, need to be the byproduct of a
verifiable build process itself available as source code.
CISA’s “Minimum Elements for a Software Bill of Materials (SBOM)” seems
to mean “binary artifacts” rather than “source code” when it says
“software” (correct me if I’m wrong, I only skimmed through it), and
then focuses on how to identify those binary artifacts.
If that interpretation is correct, I think that’s a mistake because it
would forgo verifiability as provided by reproducible builds in favor
of something that looks more like paperwork.
Ludo’.
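Point 1 above rests on the fact that a SWHID is computed from the bytes themselves rather than assigned by a registry. The following is an added example (not code from this message, from Guix or from Software Heritage) that computes SWHID v1 identifiers for a file ("cnt") and for a directory tree ("dir"), using the documented fact that these are the git blob and tree object hashes; the in-memory source tree, the "hello-1.0" label and the helper names are constructed for illustration. It also shows the property the message relies on: two source trees that share a name/version label still get different intrinsic identifiers, and a claimed identifier can be checked against the bytes without trusting whoever supplied it.

```python
import hashlib
from typing import Dict, Union

# Constructed in-memory source tree: nested dicts are directories,
# bytes values are regular (non-executable) files.
Tree = Dict[str, Union[bytes, "Tree"]]


def _git_object_sha1(kind: bytes, payload: bytes) -> str:
    # git object hash: SHA-1 over "<kind> <decimal length>\0<payload>"
    return hashlib.sha1(b"%s %d\0%s" % (kind, len(payload), payload)).hexdigest()


def swhid_content(data: bytes) -> str:
    """SWHID v1 for a single file; by definition equal to git's blob hash."""
    return "swh:1:cnt:" + _git_object_sha1(b"blob", data)


def _tree_sha1(tree: Tree) -> str:
    # git serialises a tree as sorted "<mode> <name>\0<20-byte sha1>" entries.
    # Names are compared as if directories carried a trailing "/".
    def sort_key(item):
        name, node = item
        return name + ("/" if isinstance(node, dict) else "")

    payload = b""
    for name, node in sorted(tree.items(), key=sort_key):
        if isinstance(node, dict):
            mode, sha = b"40000", _tree_sha1(node)
        else:
            mode, sha = b"100644", _git_object_sha1(b"blob", node)
        payload += mode + b" " + name.encode("utf-8") + b"\0" + bytes.fromhex(sha)
    return _git_object_sha1(b"tree", payload)


def swhid_directory(tree: Tree) -> str:
    """SWHID v1 for a directory; by definition equal to git's tree hash."""
    return "swh:1:dir:" + _tree_sha1(tree)


def verify_swhid(claimed: str, obj: Union[bytes, Tree]) -> bool:
    """Check a claimed identifier against the actual bytes (no registry needed)."""
    actual = swhid_content(obj) if isinstance(obj, bytes) else swhid_directory(obj)
    return actual == claimed


# Two constructed releases that a package index would both call "hello-1.0":
# the extrinsic label is identical, the intrinsic identifiers are not.
RELEASE_A: Tree = {"README": b"hello\n", "src": {"main.c": b"int main(void){return 0;}\n"}}
RELEASE_B: Tree = {"README": b"hello\n", "src": {"main.c": b"int main(void){return 1;}\n"}}
EXTRINSIC_LABEL = "hello-1.0"


def label_collides_but_swhid_differs() -> bool:
    return swhid_directory(RELEASE_A) != swhid_directory(RELEASE_B)


if __name__ == "__main__":
    print(EXTRINSIC_LABEL, "->", swhid_directory(RELEASE_A))
    print(EXTRINSIC_LABEL, "->", swhid_directory(RELEASE_B))
    print("same label, different source:", label_collides_but_swhid_differs())
```

Because the identifier is a function of the content, anyone holding the bytes can recompute it, which is what makes it usable as evidence rather than as a label; this is the property a registry-assigned name for a binary artifact does not have.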