RFC "2025 Minimum Elements for a Software Bill of Materials"
Arnout Engelen
arnout at bzzt.net
Thu Oct 2 15:00:19 UTC 2025
On Thu, Oct 2, 2025, at 15:49, Ludovic Courtès wrote:
> FWIW, comrades and I in Guix replied to a previous CISA request for
> comments on identifying software:
>
> https://guix.gnu.org/en/blog/2024/identifying-software/
>
> The TLDR is:
>
> 1. Source code can be identified through inherent identifiers such as
> cryptographic hashes—see <https://www.swhid.org/> in particular.
>
> 2. Binary artifacts, instead, need to be the byproduct of a
> verifiable build process itself available as source code.
👍
> CISA’s “Minimum Elements for a Software Bill of Materials (SBOM)” seems
> to mean “binary artifacts” rather than “source code” when it says
> “software” (correct me if I’m wrong, I only skimmed through it), and
> then focuses on how to identify those binary artifacts.
>
> If that interpretation is correct, I think that’s a mistake because it
> would forego verifiability as provided by reproducible builds in favor
> of something that looks more like paperwork.
Not really: an SBOM is more meant to convey "this aggregate is constructed out of these parts". Identifying the parts (under the 'Software Identifiers' field) is sensibly left to existing schemes, and actually already references SWHID. We can recommend them to update their reference from 1.1 to 1.2 though :)
Kind regards.
--
Arnout Engelen
Engelen Open Source
https://engelen.eu
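As an added illustration of the point made in this reply (this is example code written for this page, not code from the thread, from Guix, from CISA or from the SWHID project): a part of an aggregate can be identified intrinsically by its SWHID content identifier, which for `cnt` objects is the git blob hash (SHA-1 over `blob <size>\0` followed by the raw bytes), and an SBOM that lists such identifiers can be checked against the bytes actually present. The component-list layout and the sample files are constructed for the example and do not follow the CISA field layout.

```python
import hashlib
import re

# SWHID core identifier syntax (SWHID v1.x): swh:1:<type>:<40 hex chars>
SWHID_RE = re.compile(r"^swh:1:(cnt|dir|rev|rel|snp):[0-9a-f]{40}$")


def swhid_content(data: bytes) -> str:
    """Intrinsic identifier of a file's bytes: SWHID 'cnt' objects use the
    git blob hash, i.e. SHA-1 over b"blob <size>\\0" + the raw content."""
    header = b"blob %d\0" % len(data)
    return "swh:1:cnt:" + hashlib.sha1(header + data).hexdigest()


def is_valid_swhid(identifier: str) -> bool:
    """Syntactic check only; says nothing about whether the object exists."""
    return SWHID_RE.match(identifier) is not None


def verify_parts(sbom_components, sources):
    """Recompute each listed part's content SWHID from the bytes we actually
    have and compare with what the SBOM claims. Returns a list of problems;
    an empty list means every listed part is exactly identified."""
    problems = []
    for comp in sbom_components:
        name = comp["name"]
        claimed = comp["swhid"]
        if not is_valid_swhid(claimed):
            problems.append(f"{name}: malformed identifier {claimed!r}")
            continue
        if name not in sources:
            problems.append(f"{name}: listed in SBOM but no source available")
            continue
        actual = swhid_content(sources[name])
        if actual != claimed:
            problems.append(f"{name}: SBOM says {claimed}, bytes hash to {actual}")
    return problems


# Constructed sample data (not from any real project): the "parts" of an aggregate.
SAMPLE_SOURCES = {
    "hello.c": b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "Makefile": b"all:\n\tcc -o hello hello.c\n",
}

# Hypothetical minimal SBOM shape (NOT the CISA field layout): one identifier per part.
SAMPLE_SBOM = [
    {"name": "hello.c", "swhid": swhid_content(SAMPLE_SOURCES["hello.c"])},
    {"name": "Makefile", "swhid": swhid_content(SAMPLE_SOURCES["Makefile"])},
]

# Tampered SBOM: the Makefile entry records an identifier that no longer matches the bytes.
TAMPERED_SBOM = [
    SAMPLE_SBOM[0],
    {"name": "Makefile", "swhid": "swh:1:cnt:" + "0" * 40},
]

if __name__ == "__main__":
    print(swhid_content(b""))  # identifier of the empty file, same as git's empty blob
    print(verify_parts(SAMPLE_SBOM, SAMPLE_SOURCES))  # no problems
    print(verify_parts(TAMPERED_SBOM, SAMPLE_SOURCES))  # one mismatch on Makefile
```

The check only covers the part identification; whether the binary was actually built from those parts is the separate, reproducible-builds question raised earlier in the thread.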