Atalay Kelestemur
3 years ago
3 changed files with 126 additions and 1 deletions
@ -0,0 +1,120 @@ |
|||
{% extends 'layouts/base.html' %} |
|||
{% load i18n %} |
|||
{% load static %} |
|||
{% load encore %} |
|||
|
|||
{% block title %}{% translate 'AlmaLinux OS - SBOM' %}{% endblock %} |
|||
{% block description %} |
|||
{% translate 'ELevate enables migration between major versions of RHEL(r) derivatives. Easily go from CentOS 7.x to any 8.x of your choice' %}{% endblock %} |
|||
|
|||
{% block head_end %} |
|||
{% encore_entrypoint_css 'page_elevate' %} |
|||
{% endblock %} |
|||
{% block body_end %} |
|||
{% encore_entrypoint_js 'page_elevate' %} |
|||
{% endblock %} |
|||
|
|||
{% block body %} |
|||
<section class="al-page-blog-post"> |
|||
<div class="container py-5"> |
|||
<h1 class="al-section-title mb-3">AlmaLinux Software Bill of Materials (SBOM) Information</h1> |
|||
<article> |
|||
{% if post.featured_image %} |
|||
<div class="al-article-feature mb-4"> |
|||
<img src="{{ post.featured_image.url }}" |
|||
class="d-block mx-lg-auto img-fluid" |
|||
alt="{{ post.title }}" |
|||
loading="lazy"> |
|||
</div> |
|||
{% endif %} |
|||
<div class="al-article-content pb-5 al-wysiwyg"> |
|||
<p> |
|||
AlmaLinux provides a Software Bill of Materials (SBOM) for its releases. |
|||
</p> |
|||
<h2>What is an SBOM?</h2> |
|||
<p> |
|||
SBOM, which stands for Software Bill of Materials, is something akin to an “ingredient list” for a |
|||
codebase. It helps identify the contents of software, including what open source and third-party |
|||
components are used, licensing information, components' versions and if there are any known |
|||
vulnerabilities in those components. |
|||
</p> |
|||
<p> |
|||
The SBOM is the “ingredient list”, the code are the ingredients, the build system is the “kitchen” |
|||
where those ingredients get built into the final piece of software which you consume. |
|||
</p> |
|||
<h2> |
|||
Why are SBOMs important? |
|||
</h2> |
|||
<p> |
|||
Open source software is used extensively in applications, but it has led to the discovery of high- |
|||
profile hacks and vulnerabilities. SBOMs are meant to provide the community and users of open |
|||
source with even more transparency, and an efficient way to identify (in the case of a risk) |
|||
individual files, libraries, dependencies, etc. thereby increasing the trust and confidence in the |
|||
use of open source software. |
|||
</p> |
|||
<p> |
|||
The Linux Foundation thinks so too… |
|||
</p> |
|||
<p> |
|||
The Linux Foundation and open source Security Foundation (OpenSSF) have also produced a |
|||
plan called the <a href="https://openssf.org/oss-security-mobilization-plan/" target="_blank">Source Software Security Mobilization Plan</a> which calls for industry action |
|||
to develop software component frameworks, including SBOMs, to expedite discovery of and |
|||
response to future vulnerabilities like Log4j. |
|||
</p> |
|||
<p> |
|||
...And the president himself |
|||
</p> |
|||
<p> |
|||
An SBOM has been spotlighted as a key part of the solution presented by the president in the <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/" target="_blank">Executive Order on Improving the Nation’s Cybersecurity.</a> |
|||
</p> |
|||
<blockquote> |
|||
"the term “Software Bill of Materials” or “SBOM” means a formal record containing |
|||
the details and supply chain relationships of various components used in building |
|||
software. Software developers and vendors often create products by assembling |
|||
existing open source and commercial software components. The SBOM |
|||
enumerates these components in a product. It is analogous to a list of |
|||
ingredients on food packaging." |
|||
</blockquote> |
|||
<h2> |
|||
What AlmaLinux Provides |
|||
</h2> |
|||
<p> |
|||
<a href="https://build.almalinux.org/" target="_blank">The AlmaLinux Build System</a> has implemented SBOM into the pipeline for the reasons listed above, to enable: |
|||
</p> |
|||
<ul> |
|||
<li>Tracing the whole build process from pulling sources from CentOS git repositories to releasing a verified and signed package in the public repository</li> |
|||
<li>Making the build pipeline more secure like ensuring that only trusted sources are used for builds, avoiding attack consequences, etc</li> |
|||
<li>Reducing the number of ways of data corruption</li> |
|||
</ul> |
|||
<h3>How are we doing this?</h3> |
|||
<p>AlmaLinux is leveraging Codenotary’s open source <a href="https://cas.codenotary.com/" target="_blank"> Community Attestation Service</a> (CAS) to provide administrators with authentication, verification and full SBOM visibility.</p> |
|||
<ul> |
|||
<li>CAS stores all signatures inside of <a href="https://immudb.io/" target="_blank">immudb</a>, the standard for open source for |
|||
immutable databases, used by some of the world’s leading companies and |
|||
governments.</li> |
|||
<li>CAS is protected against tampering. All attestation data is integrity-checked and |
|||
cryptographically verified by the CAS client. No one can change this data, not |
|||
AlmaLinux or anyone else.</li> |
|||
<li>CAS is also protected against MITM attacks. The encryption key is client-side |
|||
verified and checked before every communication.</li> |
|||
</ul> |
|||
<h2>Getting Started</h2> |
|||
<p>For more information, see the Almalinux wiki: <a href="https://github.com/AlmaLinux/build-system/wiki/Codenotary-SBOM-integration">https://github.com/AlmaLinux/build-system/wiki/Codenotary-SBOM-integration</a></p> |
|||
</div> |
|||
</article> |
|||
<div class="al-blog-pagination mt-3"> |
|||
{% if previous_post %} |
|||
<a href="{% url 'blog_post' previous_post.slug %}" class="al-blog-previous-button"> |
|||
<span>{% translate '« Previous' %}</span> |
|||
</a> |
|||
{% endif %} |
|||
|
|||
{% if next_post %} |
|||
<a href="{% url 'blog_post' next_post.slug %}" class="al-blog-next-button"> |
|||
<span>{% translate 'Next »' %}</span> |
|||
</a> |
|||
{% endif %} |
|||
</div> |
|||
</div> |
|||
</section> |
|||
{% endblock %} |
|||
Loading…
Reference in new issue