October 31st, November 1st-2nd 2023
Collaborative Working Sessions - SBOM for rpm
SBOM discussion led by Marek
rpmbuild should produce a buildinfo file during the package build.
Currently fragmented: OBS, Koji and others each reinvent their own formats.
There was previous discussion with the rpm maintainers.
Idea: produce a separate sub-package containing that buildinfo file.
The format was too Debian-ish and was therefore disliked by the rpm maintainers.
The buildinfo rpm can be signed in the normal way.
It can be published to a separate repository (similar to debuginfo packages).
Prior work:
https://github.com/rpm-software-management/rpm/pull/1532 + rpmrebuild
https://github.com/rpm-software-management/rpm/issues/2389
http://download.opensuse.org/update/leap/15.5/sle/x86_64/ has slsa_provenance.json (in-toto format)
https://github.com/opensbom-generator/spdx-sbom-generator#module-json-example
https://cyclonedx.org/
Some Yocto-based medical device collects plenty of data from the build.
Goal:
be able to independently verify rpms / containers
a common tool for reproducing rpm packages, no matter which distribution they come from
also for 3rd-party packages such as google-chrome
Ideas:
discuss further with upstream what value it would provide
let upstream come up with a PR
have a prepared, shared zstd dictionary for efficient SBOM compression
result/output-SBOM vs input/build-SBOM
=> see also the notes from the Wednesday discussion on SBOM
SPDX, CycloneDX and in-toto file formats
Consumers of SBOM files:
CVE-scanners
License-scanners
Missing link: publishing the required BuildRequires rpms and fetching them again via name or checksum (shasum).
URL of a provider service:
archive.org
IPFS
other
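To make the "input/build-SBOM" and "fetch via name|shasum" points above concrete, here is an added example (not code from the session or from rpm/OBS): a constructed build root is recorded as a CycloneDX-shaped component list with SHA-256 hashes and rpm purls, and an independent rebuilder checks a fetched rpm against that record before using it. The package names, versions and rpm payload bytes are made up for the example.

```python
import hashlib
import hmac

# Constructed sample: the build-dependency rpms as installed in the build root
# (name, version-release, arch, and the bytes of the rpm file). All made up.
BUILD_ROOT_RPMS = [
    ("zstd", "1.5.5-1.1", "x86_64", b"constructed rpm payload for zstd"),
    ("gcc", "13.2.1-1.1", "x86_64", b"constructed rpm payload for gcc"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_build_sbom(source_nevra: str, rpms) -> dict:
    """Input/build-SBOM: every rpm present in the build root, recorded as a
    CycloneDX-shaped component with its SHA-256 and an rpm purl, so a later
    rebuild can fetch the same inputs by name and verify them by checksum."""
    components = []
    for name, ver, arch, payload in rpms:
        components.append({
            "type": "library",
            "name": name,
            "version": ver,
            "purl": f"pkg:rpm/{name}@{ver}?arch={arch}",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(payload)}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": source_nevra}},
        "components": components,
    }


def verify_fetched(sbom: dict, name: str, fetched: bytes) -> bool:
    """Rebuilder side: an rpm fetched by name (from a mirror, archive.org,
    IPFS, ...) is only admitted to the build root if its checksum matches
    the one recorded in the build-SBOM. Unlisted names are refused."""
    for comp in sbom["components"]:
        if comp["name"] == name:
            recorded = next(h["content"] for h in comp["hashes"]
                            if h["alg"] == "SHA-256")
            return hmac.compare_digest(recorded, sha256_hex(fetched))
    return False  # not part of the recorded build inputs
```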