Felix Moessbauer <[email protected]> writes:

> * Package name    : debsbom
>   Version         : 0.5.1
>   Upstream Contact: Felix Moessbauer <[email protected]>
> * URL             : https://github.com/siemens/debsbom
> * License         : MIT
>   Programming Lang: Python
>   Description     : Software Bill of Materials generator for distributions
>                     based on Debian
>
> debsbom generates SBOMs (Software Bill of Materials) for distributions
> based on Debian in the two standard formats SPDX and CycloneDX.
> The generated SBOM includes all installed binary packages and also
> contains Debian Source packages.
This seems great! Do you have an example file showing what these SBOMs
will look like for some Debian package? How stable is the file format
specification?

What is the plan to distribute and consume these SBOMs? I suppose they
can't be included in the package itself if they contain hash checksums
of *.deb's etc. If they don't contain hash checksums, how do you deal
with multiple variants of a package with identical name and version?
There are known examples of this in the archive.

> The generated SBOM includes all installed binary packages and also
> contains Debian Source packages.

That's not necessarily the entire story of what went into building a
particular package. Information about the running kernel and the
presence and version of any non-free firmware microcode is essential.
Not everything about the build environment is captured by the list of
installed packages.

If there is a specification around this, commenting on that will be
simpler.

/Simon
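As an added illustration of the two questions raised in the reply (what a CycloneDX-style SBOM of installed Debian packages looks like, and why a per-.deb hash is what separates two builds that share name and version), here is a small stand-alone Python script. It is example code written for this thread, not debsbom's implementation, and it does not claim to reproduce debsbom's output: the dpkg status excerpt and the .deb byte strings are constructed, the component layout is a plausible subset of CycloneDX 1.5, and the purl strings follow the `pkg:deb/debian/...` form from the purl specification with `arch=source` for source packages.

```python
"""Build a minimal CycloneDX-style SBOM from dpkg status paragraphs.

Example code for the debian-devel thread; not debsbom's own code.
The status text and .deb payloads below are constructed test data.
"""
import hashlib
import json
from urllib.parse import quote

# Constructed excerpt in /var/lib/dpkg/status syntax (not from a real host).
DPKG_STATUS = """\
Package: libc6
Status: install ok installed
Architecture: amd64
Version: 2.36-9+deb12u4
Source: glibc (2.36-9+deb12u4)
Description: GNU C Library: Shared libraries
 Contains the standard libraries.

Package: curl
Status: install ok installed
Architecture: amd64
Version: 7.88.1-10+deb12u5
Description: command line tool for transferring data with URL syntax
"""


def parse_dpkg_status(text):
    """Parse RFC-822-style dpkg paragraphs; keep only installed packages."""
    packages, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a paragraph
            if current:
                packages.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:         # continuation of previous field
            current[last_key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        packages.append(current)
    return [p for p in packages if p.get("Status", "").endswith(" installed")]


def source_of(pkg):
    """Return (source name, source version); 'Source: name (version)' may differ."""
    src = pkg.get("Source")
    if not src:
        return pkg["Package"], pkg["Version"]
    name, _, rest = src.partition(" ")
    if rest.startswith("(") and rest.endswith(")"):
        return name, rest[1:-1]
    return name, pkg["Version"]


def purl(name, version, arch):
    """purl for a Debian package; arch 'source' denotes the source package."""
    # Debian version characters (':' '+' '~' '.' '-') are left unencoded here.
    return f"pkg:deb/debian/{name}@{quote(version, safe=':+~.-')}?arch={arch}"


def build_sbom(status_text, deb_blobs):
    """deb_blobs maps a binary purl to the bytes of the installed .deb (if known).

    The SHA-256 of the .deb is what distinguishes two archive variants that
    share name, version and architecture: their purls are identical.
    """
    components, seen_sources = [], set()
    for pkg in parse_dpkg_status(status_text):
        p = purl(pkg["Package"], pkg["Version"], pkg["Architecture"])
        comp = {"type": "library", "name": pkg["Package"],
                "version": pkg["Version"], "purl": p, "bom-ref": p}
        blob = deb_blobs.get(p)
        if blob is not None:
            comp["hashes"] = [{"alg": "SHA-256",
                               "content": hashlib.sha256(blob).hexdigest()}]
        components.append(comp)
        sname, sver = source_of(pkg)
        sp = purl(sname, sver, "source")
        if sp not in seen_sources:                # one source component per source pkg
            seen_sources.add(sp)
            components.append({"type": "library", "name": sname,
                               "version": sver, "purl": sp, "bom-ref": sp})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "version": 1, "components": components}


def component_hash(sbom, purl_str):
    """SHA-256 hex recorded for the component with this purl, or None."""
    for comp in sbom["components"]:
        if comp["purl"] == purl_str:
            for h in comp.get("hashes", []):
                if h["alg"] == "SHA-256":
                    return h["content"]
    return None


if __name__ == "__main__":
    curl_purl = purl("curl", "7.88.1-10+deb12u5", "amd64")
    # Two constructed .deb payloads with identical name/version/arch.
    print(json.dumps(build_sbom(DPKG_STATUS, {curl_purl: b"build-1"}), indent=2))
```

Running the script prints one SBOM; building it twice with different bytes for the same purl yields identical components except for the `hashes` entry, which is the point of the hash question above.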

