[Umbrella] Bill of Materials #1837
Comments
cc @rnjudge and @kestewart for Tern
@puerco If you need a tool to generate SPDX for Go and other languages, have a look at OSS Review Toolkit. I am both ORT and SPDX maintainer, happy to answer any questions you may have.
Thank you @tsteenbe I certainly will take a look at it :)
/area release-eng
Connecting some threads based on an OSS supply chain convo I had earlier in the week with folks across VMware, Red Hat, and Google (@ncdc, @dlorenc, @wattsteve, @lukehinds, @kimsterv, @jonjohnsonjr to name a few):
@saschagrunert @hasheddan @puerco -- Let's please leverage Rekor here as we build this out. Of course, there's more to consider and supply chain concerns will be core to everything we do in RelEng, but the bill of materials is a great starting point. cc: @kubernetes/sig-security-leads Project Rekor xref: sigstore/rekor#156, sigstore/rekor#144
Rekor could in particular be beneficial for 'Publish the SPDX manifests with the other release artifacts' - this would provide two key benefits off the top of my head.
I will read up on SPDX (tagging @bobcallaway for types expertise). Do you know if there will be some sort of signature at BOM generation time?
@lukehinds the first iteration of the SPDX BOM will not be signed as we have yet to set a key management mechanism before we start signing the manifests and other release artifacts. We hope to have it resolved soon(ish) as this is the main issue blocking us from generating and hosting debs and rpms in community infra.
Noting this issue in cncf/foundation about short-form copyright headers w/ SPDX identifiers: cncf/foundation#143
This commit updates the Namespaces in the SPDX documents of the SBOM to the final hostname: sbom.k8s.io This is needed to make them valid as this is the reference that links both SBOMs. Part of: kubernetes#1837 Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
@puerco is this one done?
@puerco can we close this one as done?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
The SBOM project is done. We are now producing SBOMs with all k8s releases: https://sbom.k8s.io/v1.23.0/release And we have spun off the tool into its own repository: https://sigs.k8s.io/bom Thanks for all your help and support, everybody! 🥳 /close
@puerco: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
We intend to ensure the quality and integrity of the artifacts produced on each release cut by adding a Bill of Materials (BOM). The BOM will be published in SPDX and will include integrity and licensing information for the artifacts we produce. Work on this area will lead to closing other outstanding issues (linked here).
Following our road-mapping session, this umbrella issue will track the development to create the BOM.
Make krel aware of binary artifacts expected from the release process:

Note: These items are postponed as we delayed the supported platforms effort to 1.23+

- Read the data from the proposed (Add machine readable description of platforms #1836) machine-readable platform map
- Bootstrap the Release Process state object with files expected as output, crossing the platform data and options specified in the run.
- Verify/process binary artifacts as the release process advances from stage to stage

This step involves:

We need to ensure that binaries are correctly tagged with the corresponding semver tag and commit sha

Write SPDX manifest(s). Output should include data about:

To accomplish this one we will need to:

- Integrate the scanner into the release process scanning the vendor/ directory in k/k to get the licenses that will be added to the BOM
- Scan all dependencies licensing information and include them in the SBOM (Generate the first SBOM prototype from the Kubernetes release process #2095)
- Publish the SPDX manifests with the other release artifacts:
  - Upload manifests as assets in the GitHub release page
    Note: In later discussions we chose to publish the documents only via https for now and not rely on the GH release page.
- Make our tools available community-wide
/cc @hasheddan @xmudrii @markyjackson-taulia
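As an added illustration (not code from this issue or from the krel/bom tools) of what "integrity and licensing information" in a published SPDX manifest amounts to for a consumer, the following Go program writes a minimal SPDX 2.2 tag-value document for a set of release artifacts and then checks a downloaded artifact against the checksum the document records. The `Artifact` type, the `release-sbom` document name and the artifact bytes are constructed for the example; the namespace follows the shape of the published URL above, and the document omits the Creator/Created fields a fully valid SPDX file also needs.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// Artifact is a constructed stand-in for one release binary (not a krel/bom type).
type Artifact struct {
	Name, License string
	Content       []byte
}

// WriteSPDX renders a minimal SPDX 2.2 tag-value document: one package per artifact with its SHA256 and license.
func WriteSPDX(namespace string, arts []Artifact) string {
	var sb strings.Builder
	sb.WriteString("SPDXVersion: SPDX-2.2\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\nDocumentName: release-sbom\nDocumentNamespace: " + namespace + "\n")
	for _, a := range arts {
		id := "SPDXRef-Package-" + a.Name
		fmt.Fprintf(&sb, "\nPackageName: %s\nSPDXID: %s\nPackageDownloadLocation: NOASSERTION\nFilesAnalyzed: false\n", a.Name, id)
		fmt.Fprintf(&sb, "PackageChecksum: SHA256: %x\nPackageLicenseConcluded: %s\n", sha256.Sum256(a.Content), a.License)
		fmt.Fprintf(&sb, "Relationship: SPDXRef-DOCUMENT DESCRIBES %s\n", id)
	}
	return sb.String()
}

// Checksums parses the document back into a name -> SHA256 map, which is what a consumer needs to check a download.
func Checksums(doc string) map[string]string {
	out, name := map[string]string{}, ""
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, "PackageName: ") {
			name = strings.TrimPrefix(line, "PackageName: ")
		} else if strings.HasPrefix(line, "PackageChecksum: SHA256: ") {
			out[name] = strings.TrimPrefix(line, "PackageChecksum: SHA256: ")
		}
	}
	return out
}

// Verify reports whether a downloaded artifact matches the checksum the SBOM records; unlisted artifacts fail closed.
func Verify(doc, name string, content []byte) bool {
	want, ok := Checksums(doc)[name]
	return ok && want == fmt.Sprintf("%x", sha256.Sum256(content))
}

func main() { // stand-alone demo on a constructed artifact
	doc := WriteSPDX("https://sbom.k8s.io/v1.23.0/release", []Artifact{{"kubectl", "Apache-2.0", []byte("constructed")}})
	fmt.Printf("%s\nverified: %v\n", doc, Verify(doc, "kubectl", []byte("constructed")))
}
```

Checking the SBOM's checksum only proves the download matches what was published; as the thread notes, binding the manifest itself to a signer is the separate key-management step that was still open at the time.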