Collaborative Working Sessions - SBOM for rpm

SBOM discussion led by Marek

rpmbuild should produce a buildinfo file during the package build.

Currently fragmented: OBS, Koji and others each reinvent their own format.

There was a previous discussion with the rpm maintainers. Idea: produce a separate sub-package containing that buildinfo file. The proposed format was too Debian-like and was therefore disliked by the rpm maintainers.

A buildinfo RPM can be signed the normal way and published to a separate repo (similar to debuginfo).

Prior work:

  • rpmrebuild
  • slsa_provenance.json (in-toto format)
  • a Yocto-based medical device project collects plenty of data from the build

Goals:

  • be able to independently verify rpms / containers
  • common tool for reproducing rpm packages, no matter from which distribution
  • also for 3rd-party packages such as google-chrome

Next steps:

  • discuss more with upstream: what value it would provide
  • let upstream come up with a PR
  • have a shared zstd dictionary prepared for efficient SBOM compression

Result/output SBOM vs. input/build SBOM => see also the notes from the Wednesday discussion on SBOM file formats (SPDX, CycloneDX, in-toto).

consumers for SBOM files:

  • CVE-scanners
  • License-scanners

Missing link: publishing the exact RPMs that satisfied BuildRequires and fetching them again by name or sha sum, e.g. via:

  • URL for a provider service
  • IPFS
  • other
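Added example, not code from the session or from rpm, OBS or Koji: a minimal build-input record in the spirit of the proposed buildinfo file, covering both the goal of independently verifying rpms and the missing link of fetching BuildRequires by name or sha sum. The record layout, the `example-buildinfo/0` format tag and the sample payloads are assumptions for illustration; `fetch_by_digest` stands in for a content-addressed backend such as IPFS.

```python
# Added example (assumed layout, not the rpm project's own format): record
# the inputs of a build, serialise the record as it would be shipped in a
# buildinfo sub-package, and verify independently fetched inputs against it.
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_buildinfo(source_name: str, source: bytes,
                   build_inputs: dict[str, bytes], env: dict) -> dict:
    """Record what went into a build: the source (SRPM), every installed
    build dependency, and the build environment. Inputs are sorted so the
    record is byte-stable and can be diffed between two builds."""
    return {
        "format": "example-buildinfo/0",  # hypothetical format tag
        "source": {"name": source_name, "sha256": sha256_hex(source)},
        "build_inputs": [{"name": n, "sha256": sha256_hex(b)}
                         for n, b in sorted(build_inputs.items())],
        "environment": dict(sorted(env.items())),
    }


def to_json(buildinfo: dict) -> str:
    # Canonical serialisation: these are the bytes that would be signed and
    # shipped in the buildinfo sub-package. sort_keys keeps it reproducible.
    return json.dumps(buildinfo, sort_keys=True, separators=(",", ":"))


def verify_inputs(buildinfo: dict, fetched: dict[str, bytes]) -> dict:
    """Check artifacts fetched by name (from a repo or a content store)
    against the recorded hashes. A rebuild is only meaningful when every
    input is present and byte-identical; anything else is reported."""
    recorded = {e["name"]: e["sha256"] for e in buildinfo["build_inputs"]}
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for name, digest in recorded.items():
        if name not in fetched:
            report["missing"].append(name)
        elif sha256_hex(fetched[name]) != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(set(fetched) - set(recorded))
    report["reproducible_inputs"] = not (report["mismatch"] or report["missing"])
    return report


def fetch_by_digest(store: dict[str, bytes], buildinfo: dict) -> dict[str, bytes]:
    """Content-addressed fetch: look up each input by sha256 rather than by
    name, so a repo that republished a different build under the same NVR
    cannot satisfy the record. `store` is a stand-in for an IPFS-like backend."""
    return {e["name"]: store[e["sha256"]]
            for e in buildinfo["build_inputs"] if e["sha256"] in store}


# Constructed sample inputs: short byte strings standing in for RPM payloads.
SRPM = b"hello-1.0-1.src.rpm contents"
INPUTS = {
    "gcc-13.2.1-1.x86_64.rpm": b"gcc payload",
    "glibc-devel-2.38-1.x86_64.rpm": b"glibc-devel payload",
}
ENV = {"rpmbuild": "4.19.1", "SOURCE_DATE_EPOCH": "1700000000", "arch": "x86_64"}

BUILDINFO = make_buildinfo("hello-1.0-1.src.rpm", SRPM, INPUTS, ENV)


def demo_tampered() -> dict:
    """Same package names, one payload replaced: a name-based fetch would
    succeed, the digest check flags the substituted input."""
    tampered = dict(INPUTS)
    tampered["gcc-13.2.1-1.x86_64.rpm"] = b"gcc payload, different build"
    return verify_inputs(BUILDINFO, tampered)


if __name__ == "__main__":
    print(to_json(BUILDINFO))
    print(verify_inputs(BUILDINFO, INPUTS))
    print(demo_tampered())
```

The point of `fetch_by_digest` next to `verify_inputs` is that a name alone (NVR plus arch) does not pin a build input: the same NVR can be rebuilt and republished with different bytes, so the record has to carry the digest and the fetch path has to honour it. Signing `to_json(BUILDINFO)` the same way the rpm itself is signed is what makes the record trustworthy to a third party.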