Collaborative Working Sessions - SBOM for rpm

SBOM discussion led by Marek

rpmbuild should produce buildinfo file during package-build

currently fragmented: OBS, koji, others reinvent their own formats

There was previous discussion with rpm maintainers. Idea: produce separate sub-package with that buildinfo file. format was too Debian-ish and therefore disliked by rpm maintainers.

buildinfo-rpm can be signed the normal way can be published to separate repo (similar to debuginfo)

Prior work:

  • https://github.com/rpm-software-management/rpm/pull/1532 + rpmrebuild
  • https://github.com/rpm-software-management/rpm/issues/2389
  • http://download.opensuse.org/update/leap/15.5/sle/x86_64/ has slsa_provenance.json in-toto format
  • https://github.com/opensbom-generator/spdx-sbom-generator#module-json-example
  • https://cyclonedx.org/
  • some Yocto-based medical device collects plenty data from build

goal:

  • be able to independently verify rpms / containers
  • common tool for reproducing rpm packages - no matter from which distribution
  • also for 3rd-party packages such as google-chrome

Ideas:

  • discuss more with upstream: what value it would provide
  • let upstream come up with a PR
  • have prepared shared zstd dict for efficient SBOM compression

result/output-SBOM vs input/build-SBOM => see also notes on Wed discussion on SBOM SPDX + CycloneDX + in-toto file format

consumers for SBOM files:

  • CVE-scanners
  • License-scanners

missing link for publishing required buildrequires rpm + fetching via name|shasum

  • URL for provider service
  • archive.org
  • IPFS
  • other

Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info