Morten

Good to see that you are producing SBOMs. Do you produce them in both SPDX and CycloneDX formats?
Are the SBOMs generated at an individual package level or at a distribution level? Where are they stored/how are they made available to users?

Regards

Anthony

On Mon, 27 Feb 2023 at 12:36, Morten Linderud <[email protected]> wrote:
> On Sat, Feb 25, 2023 at 03:56:59PM +0000, Anthony Harrison wrote:
> > So should Reproducible Builds start creating and using SBOMs (and
> > delivering them with builds)?
>
> Well, we have been doing that for many years.
>
> One of the important aspects of being able to reproduce the builds is to record the
> information present in the build information into something serializable. The
> repro community landed on calling these files "buildinfo" and they predate
> several of the current SBOM standards being defined.
>
> We have some documentation here:
> https://reproducible-builds.org/docs/recording/
>
> The pacman format can be found here:
> https://man.archlinux.org/man/core/pacman/BUILDINFO.5.en
>
> Depending on the distributions they are not delivered with the builds.
> Debian/apt went with an out-of-build approach and the files are fetched
> centralized from one server, while Arch/pacman went with having these embedded
> into the package archives.
>
> --
> Morten Linderud
> PGP: 9C02FF419FECBE16
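As an added illustration of what a buildinfo file actually records (this is example code, not code from the thread, from the Reproducible Builds project or from pacman): a small Python parser for the pacman BUILDINFO format linked in the quoted message, followed by a comparison of the recorded `installed` set between two builds, which is the check a rebuilder would run to see why a rebuild differs. The sample file is constructed; its keys follow the BUILDINFO(5) man page, and the "rebuilt" variant (a bumped zlib release and an extra openssl entry) is invented purely to exercise the comparison.

```python
"""Parse pacman BUILDINFO files and diff the recorded build environment.

Example code, not part of pacman or the Reproducible Builds project.
"""

# Constructed sample in the BUILDINFO(5) layout: one "key = value" per line,
# with buildenv/options/installed allowed to repeat.
SAMPLE_BUILDINFO = """\
format = 2
pkgname = example-tool
pkgbase = example-tool
pkgver = 1.2.3-1
pkgarch = x86_64
pkgbuild_sha256sum = 0000000000000000000000000000000000000000000000000000000000000000
packager = Example Packager <packager@example.invalid>
builddate = 1677500000
builddir = /build
startdir = /build/example-tool
buildtool = makepkg
buildtoolver = 6.0.1-1-any
buildenv = !distcc
buildenv = color
buildenv = !ccache
options = strip
options = !debug
installed = glibc-2.37-1-x86_64
installed = gcc-libs-12.2.1-2-x86_64
installed = zlib-1:1.2.13-2-x86_64
"""

# Constructed "second build" of the same package on a host whose zlib moved to
# release 3 and which additionally had openssl installed.
SAMPLE_BUILDINFO_REBUILT = (
    SAMPLE_BUILDINFO.replace("zlib-1:1.2.13-2-x86_64", "zlib-1:1.2.13-3-x86_64")
    + "installed = openssl-3.0.8-1-x86_64\n"
)

# Keys the format allows to appear more than once.
MULTI_VALUED = {"buildenv", "options", "installed"}


def parse_buildinfo(text):
    """Return a dict: single-valued keys map to str, multi-valued keys to list[str]."""
    info = {key: [] for key in MULTI_VALUED}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if " = " not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = line.split(" = ", 1)
        if key in MULTI_VALUED:
            info[key].append(value)
        elif key in info:
            raise ValueError(f"line {lineno}: duplicate single-valued key {key!r}")
        else:
            info[key] = value
    return info


def split_installed(entry):
    """Split 'name-version-release-arch' from the right.

    The package name may itself contain hyphens (gcc-libs), and the version may
    carry an epoch with a colon (1:1.2.13), so we split on the last three dashes.
    """
    parts = entry.rsplit("-", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed installed entry {entry!r}")
    name, version, release, arch = parts
    return name, f"{version}-{release}", arch


def installed_packages(info):
    """Map package name -> (full version, arch) for the recorded build environment."""
    return {name: (version, arch)
            for name, version, arch in map(split_installed, info["installed"])}


def diff_installed(info_a, info_b):
    """Explain an environment difference between two builds of the same package."""
    a, b = installed_packages(info_a), installed_packages(info_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": {name: (a[name][0], b[name][0])
                    for name in sorted(set(a) & set(b)) if a[name] != b[name]},
    }


if __name__ == "__main__":
    original = parse_buildinfo(SAMPLE_BUILDINFO)
    rebuilt = parse_buildinfo(SAMPLE_BUILDINFO_REBUILT)
    print(f"{original['pkgname']} {original['pkgver']} built with {original['buildtool']}")
    for name, (version, arch) in sorted(installed_packages(original).items()):
        print(f"  {name} {version} ({arch})")
    print("difference against rebuild:", diff_installed(original, rebuilt))
```

The `installed` lines are the part that overlaps with what an SBOM would carry: the exact name, version and architecture of every package present in the build root. Diffing that list between the original build and a rebuild is the first thing to look at when the resulting package does not match bit for bit.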
