AlmaLinux provides a Software Bill of Materials (SBOM) for its releases.
What is an SBOM?
SBOM, which stands for Software Bill of Materials, is something akin to an “ingredient list” for a codebase. It identifies the contents of a piece of software: which open source and third-party components are used, their versions, their licensing information, and whether any of those components have known vulnerabilities.
The SBOM is the “ingredient list”, the code is the ingredients, and the build system is the “kitchen” where those ingredients get built into the final piece of software that you consume.
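To make the “ingredient list” concrete, here is an added example (not code from AlmaLinux or Codenotary) of a minimal SBOM consumer in Python. It reads a small SPDX 2.3-style JSON document constructed for this example, lists each component with its version, licence and package URL (purl), follows the DEPENDS_ON relationships to show which package pulled a component in, and cross-checks component versions against a constructed advisory feed. The package names, versions, advisory identifiers and affected version ranges are all made up for illustration.

```python
"""Minimal SBOM consumer: list components, trace who pulled them in, flag vulnerable ones.
Added example, not AlmaLinux build-system or Codenotary code. The SBOM and the advisory
feed below are constructed for this example."""
import json
from typing import List, Tuple

# Constructed SPDX 2.3-style SBOM for a hypothetical package "demo-app".
SBOM_JSON = '''{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo-app-1.0-sbom",
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "demo-app", "versionInfo": "1.0", "licenseConcluded": "MIT"},
    {"SPDXID": "SPDXRef-http", "name": "libdemo-http", "versionInfo": "2.4.1",
     "licenseConcluded": "Apache-2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:rpm/almalinux/libdemo-http@2.4.1"}]},
    {"SPDXID": "SPDXRef-zlib", "name": "libdemo-compress", "versionInfo": "1.2.12",
     "licenseConcluded": "Zlib",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:rpm/almalinux/libdemo-compress@1.2.12"}]}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-http"},
    {"spdxElementId": "SPDXRef-http", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-zlib"}
  ]
}'''

# Constructed advisory feed (made-up IDs and ranges): package name -> [(advisory id, constraints)].
# Every (operator, version) constraint in a range must hold for the component to be affected.
ADVISORIES = {
    "libdemo-http":     [("DEMO-2023-0001", [(">=", "2.4.0"), ("<", "2.4.3")])],
    "libdemo-compress": [("DEMO-2022-0007", [("<", "1.2.12")])],
}

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "==": lambda a, b: a == b}


def parse_version(v: str) -> Tuple:
    """Dotted version -> comparable tuple; numeric parts sort as ints, others as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def version_in_range(version: str, constraints) -> bool:
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound)) for op, bound in constraints)


def load_sbom(text: str = SBOM_JSON) -> dict:
    return json.loads(text)


def components(sbom: dict) -> List[dict]:
    """Flatten the SBOM into the 'ingredient list': id, name, version, licence, purl."""
    out = []
    for pkg in sbom.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append({"id": pkg["SPDXID"], "name": pkg["name"],
                    "version": pkg.get("versionInfo", ""),
                    "license": pkg.get("licenseConcluded", "NOASSERTION"), "purl": purl})
    return out


def dependency_path(sbom: dict, target_id: str) -> List[str]:
    """Walk DEPENDS_ON relationships upward to show which package pulled target_id in."""
    parents = {r["relatedSpdxElement"]: r["spdxElementId"]
               for r in sbom.get("relationships", []) if r["relationshipType"] == "DEPENDS_ON"}
    path = [target_id]
    while path[-1] in parents:
        path.append(parents[path[-1]])
    return list(reversed(path))


def find_vulnerable(sbom: dict, advisories=ADVISORIES) -> List[dict]:
    """Cross-check every component's version against the advisory feed."""
    hits = []
    for c in components(sbom):
        for adv_id, constraints in advisories.get(c["name"], []):
            if version_in_range(c["version"], constraints):
                hits.append({"name": c["name"], "version": c["version"], "advisory": adv_id,
                             "path": " -> ".join(dependency_path(sbom, c["id"]))})
    return hits


if __name__ == "__main__":
    sbom = load_sbom()
    for c in components(sbom):
        print(f"{c['name']:18} {c['version']:8} {c['license']:12} {c['purl'] or ''}")
    for h in find_vulnerable(sbom):
        print(f"VULNERABLE: {h['name']} {h['version']} ({h['advisory']}) via {h['path']}")
```

Running it prints the component table and then the one match (libdemo-http 2.4.1 lies inside the constructed range, libdemo-compress 1.2.12 does not). In practice the advisory feed would be a live source such as OSV or the NVD, and version comparison for RPMs should follow the distribution's own epoch:version-release ordering rather than the simple dotted comparison used here.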
Why are SBOMs important?
Open source software is used extensively in applications, but that ubiquity has also made it the source of high-profile attacks and vulnerabilities. SBOMs are meant to give the community and users of open source even more transparency, and an efficient way to identify (when a risk is discovered) the individual files, libraries, dependencies, etc. that are affected, thereby increasing trust and confidence in the use of open source software.
The Linux Foundation thinks so too…
The Linux Foundation and the Open Source Security Foundation (OpenSSF) have also produced a plan called the Open Source Software Security Mobilization Plan, which calls for industry action to develop software component frameworks, including SBOMs, to expedite the discovery of and response to future vulnerabilities like Log4j.
...And the president himself
An SBOM has been spotlighted as a key part of the solution presented by the president in the Executive Order on Improving the Nation’s Cybersecurity (EO 14028):
"the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging."
What AlmaLinux Provides
The AlmaLinux Build System has integrated SBOM generation into its pipeline for the reasons listed above, to enable:

- Tracing the whole build process, from pulling sources from the CentOS git repositories to releasing a verified and signed package in the public repository
- Making the build pipeline more secure, for example by ensuring that only trusted sources are used for builds and by limiting the consequences of an attack
- Reducing the number of ways in which build data can be corrupted
How are we doing this?
AlmaLinux is leveraging Codenotary’s open source Community Attestation Service (CAS) to provide administrators with authentication, verification and full SBOM visibility.

- CAS stores all signatures inside immudb, the open source immutable database, which is used by some of the world’s leading companies and governments.
- CAS is protected against tampering. All attestation data is integrity-checked and cryptographically verified by the CAS client, so any modification of that data, whether by AlmaLinux or anyone else, would be detected.
- CAS is also protected against MITM attacks. The encryption key is verified and checked on the client side before every communication.
Getting Started
For more information, see the AlmaLinux wiki: https://github.com/AlmaLinux/build-system/wiki/Codenotary-SBOM-integration