On Sat, Feb 25, 2023 at 03:56:59PM +0000, Anthony Harrison wrote:
> So should Reproducible Builds start creating and using SBOMs (and
> delivering them with builds)?
Well, we have been doing that for many years. One of the important parts of being able to reproduce the builds is to record the information present in the build information into something serializable. The repro community landed on calling these files "buildinfo", and they predate several of the current SBOM standards being defined.

We have some documentation here: https://reproducible-builds.org/docs/recording/

The pacman format can be found here: https://man.archlinux.org/man/core/pacman/BUILDINFO.5.en

Depending on the distribution, they are not delivered with the builds. Debian/apt went with an out-of-build approach, and the files are fetched centrally from one server, while Arch/pacman went with having these embedded into the package archives.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
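As an added example (not code from this thread, from pacman or from makepkg), here is a small parser for the pacman `.BUILDINFO` key/value format documented at the BUILDINFO(5) man page linked above, together with a comparison routine that reports which recorded fields differ between two builds of the same package. That comparison is the step a rebuilder performs before deciding whether a package is reproducible: a differing `installed` entry names the exact dependency that has to be fetched to recreate the original build environment, while a differing `builddate` is expected and must be restored with the recorded value rather than treated as a failure. The two sample recordings are constructed; their field names follow the man page, and the assumption that `installed` entries are `pkgname-pkgver-pkgrel-arch` is what makes the version split below work.

```python
# Added example: parse pacman .BUILDINFO recordings and compare two of them.
# The format is line-oriented "key = value". Some keys (buildenv, options,
# installed) may legitimately repeat, so every key maps to a list of values.
from __future__ import annotations

# Constructed sample recordings (not from a real package). Field names follow
# the BUILDINFO(5) man page; the values are invented.
BUILDINFO_A = """\
format = 2
pkgname = example
pkgbase = example
pkgver = 1.2.3-1
pkgarch = x86_64
pkgbuild_sha256sum = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
packager = Example Packager <packager@example.invalid>
builddate = 1677340800
builddir = /build
startdir = /startdir
buildtool = makepkg
buildtoolver = 6.0.2-1
buildenv = !distcc
buildenv = color
options = strip
options = docs
installed = gcc-12.2.1-2-x86_64
installed = glibc-2.37-2-x86_64
installed = zlib-1:1.2.13-2-x86_64
"""

# A rebuild done a day later on a host where glibc had been upgraded.
BUILDINFO_B = (
    BUILDINFO_A.replace("glibc-2.37-2-x86_64", "glibc-2.37-3-x86_64")
    .replace("builddate = 1677340800", "builddate = 1677427200")
)

# Keys that may appear more than once in a single .BUILDINFO file.
REPEATABLE = {"buildenv", "options", "installed"}


def parse_buildinfo(text: str) -> dict[str, list[str]]:
    """Parse .BUILDINFO text into {key: [values]}; reject malformed input."""
    fields: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if " = " not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        key, value = line.split(" = ", 1)
        key, value = key.strip(), value.strip()
        if key in fields and key not in REPEATABLE:
            raise ValueError(f"line {lineno}: duplicate non-repeatable key {key!r}")
        fields.setdefault(key, []).append(value)
    if "format" not in fields or not fields["format"][0].isdigit():
        raise ValueError("missing or non-numeric 'format' field")
    return fields


def installed_packages(fields: dict[str, list[str]]) -> dict[str, str]:
    """Map package name -> 'pkgver-pkgrel' from the 'installed' entries.

    Entries are assumed to be pkgname-pkgver-pkgrel-arch. pkgname itself may
    contain hyphens, so the split is done from the right: arch, then pkgrel,
    then pkgver; whatever is left is the name. Epochs ('1:1.2.13') survive
    because they contain no hyphen.
    """
    pkgs: dict[str, str] = {}
    for entry in fields.get("installed", []):
        name_ver_rel, _arch = entry.rsplit("-", 1)
        name_ver, rel = name_ver_rel.rsplit("-", 1)
        name, ver = name_ver.rsplit("-", 1)
        pkgs[name] = f"{ver}-{rel}"
    return pkgs


def diff_buildinfo(a: dict[str, list[str]], b: dict[str, list[str]]) -> dict[str, tuple[list[str], list[str]]]:
    """Return {key: (only_in_a, only_in_b)} for every key whose values differ.

    Repeatable keys are compared as sets, since their order carries no
    meaning; scalar keys are compared as-is.
    """
    diffs: dict[str, tuple[list[str], list[str]]] = {}
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, []), b.get(key, [])
        if key in REPEATABLE:
            only_a, only_b = sorted(set(va) - set(vb)), sorted(set(vb) - set(va))
            if only_a or only_b:
                diffs[key] = (only_a, only_b)
        elif va != vb:
            diffs[key] = (va, vb)
    return diffs


if __name__ == "__main__":
    original, rebuild = parse_buildinfo(BUILDINFO_A), parse_buildinfo(BUILDINFO_B)
    for key, (in_orig, in_rebuild) in diff_buildinfo(original, rebuild).items():
        print(f"{key}: original={in_orig} rebuild={in_rebuild}")
    # builddate differs by design between the two builds; to reproduce, a
    # rebuilder restores it (e.g. via SOURCE_DATE_EPOCH) and installs exactly
    # the 'installed' set recorded in the original file.
    print("packages to pin:", installed_packages(original))
```

On Arch the file sits at the root of the package tarball as `.BUILDINFO`, so it can be read with a `tar` that understands the archive's compression without installing the package; Debian's `.buildinfo` files are a different, deb822-style format and are not handled by this parser.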
