Re: Urgent need for SPDX-formatted bill of materials.


Trevor Woerner
 

On Tue, May 18, 2021 at 4:59 PM akuster808 <akuster808@...> wrote:
On 5/18/21 11:32 AM, Trevor Woerner wrote:
> I'd like to recommend this be a round-table topic for next week's OE
> Developers Meeting?
If meta-doubleopen addresses the issue for folks, what is the topic of
this Round-table?

I'm still investigating and putting together a set of ideas.

meta-doubleopen says "This meta layer is intended for use with Double Open's open source license compliance workflow". *license* workflow, we're talking about SBOMs. The fact they produce SPDX files isn't all that's required to create an SBOM. SPDX is just a file format. In fact there's nothing in that layer that says anything about SBOM. From what I can tell, all meta-doubleopen is producing is an SPDX version of the various manifest files one would find if buildhistory is enabled.

SPDX is only one of several file formats that can be used to generate an SBOM in a standard way. It could be worth a discussion to at least mention the others.

We could look at what an SBOM is, and what are the minimum required fields to produce an SBOM.

Another question for the round table: should we integrate this into oe-core, or leave it as a separate layer?

The round table is also a great way of introducing this important topic to the community at large. I bet you half the people attending the conference have never heard of an SBOM, but might be interested to know YP/OE is looking into integrating it into the build system (especially now that the US government has released an Executive Order regarding SBOMs, and that the EU is also looking into these sorts of things as well).

I'll look into inviting the DoubleOpen people to the meeting.

Joshua mentioned that the company he works for is also investigating generating SBOMs from YP/OE builds, so let's make sure everyone is working on one project, instead of scattering the community.

So there are a couple things we could talk about :-)
 
 
>
> Saul, Randy, Joshua, (and anyone else) I'll offer to moderate if you'd
> be interesting in joining the discussions?
>
>
>

Join licensing@lists.yoctoproject.org to automatically receive all group messages.