
AlmaLinux SBOM (Software Bill of Materials) Information

AlmaLinux provides an SBOM (Software Bill of Materials) for the releases it publishes.

What is an SBOM (Software Bill of Materials)?

An SBOM, or Software Bill of Materials, is like an "ingredient list" for a code base. It helps identify what the software contains: which open source and third-party components are used, their license information, the component versions, and whether any of those components carry known vulnerabilities.

The software bill of materials is the "ingredient list", the code is the "ingredients", and the build system is the "kitchen" where those ingredients are turned into the final software that users consume.

Why does a software bill of materials matter?

Open source software is used in a wide range of applications, but it has also been at the center of several high-profile attacks and vulnerability disclosures. An SBOM aims to give the open source community and its users greater transparency, together with an effective way to identify the individual files, libraries, dependencies and so on that are affected when a risk is found, which strengthens trust and confidence in using open source software.

The Linux Foundation thinks so too…

The Linux Foundation and the Open Source Security Foundation (OpenSSF) have also produced a plan called the Open Source Software Security Mobilization Plan, which calls for industry action to develop software component frameworks, including SBOMs, to expedite discovery of and response to future vulnerabilities like Log4j.

...And the president himself

An SBOM has been spotlighted as a key part of the solution presented by the president in the Executive Order on Improving the Nation’s Cybersecurity.

"the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging."

What AlmaLinux Provides

The AlmaLinux Build System has integrated SBOM generation into its pipeline for the reasons listed above, in order to enable:

  • Tracing the whole build process, from pulling sources from the CentOS git repositories to releasing a verified and signed package in the public repository
  • Making the build pipeline more secure, for example by ensuring that only trusted sources are used for builds and by limiting the consequences of a compromise
  • Reducing the ways in which build data can be corrupted

How are we doing this?

AlmaLinux is leveraging Codenotary's open source immudb to give administrators authentication, verification and full SBOM visibility.

  • The AlmaLinux Build System stores SBOM data inside immudb, an open source immutable database used by leading companies and governments.
  • immudb is tamper-evident. All attestation data is integrity-checked and cryptographically verified by the client, so neither AlmaLinux nor anyone else can alter it after the fact without the change being detected.
  • immudb also protects against man-in-the-middle attacks: the client verifies the server's cryptographic state before every communication, so an intermediary cannot substitute altered data.
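To make the verification step concrete, here is an added illustrative model of how a client can check attestation records against a cryptographic root without trusting the server. This is example code written for this page, not AlmaLinux's build-system code and not immudb's implementation: it uses a plain Merkle tree with inclusion proofs, the record fields (package, source_commit, built_by, rpm_sha256) are invented, and the sample records are constructed. It shows that a record modified after publication, or a record whose neighbours were modified, fails verification against the root the client pinned earlier.

```python
"""Illustrative tamper-evident SBOM attestation store (added example, not
AlmaLinux or immudb code). Records are hashed into a Merkle tree; a client
that holds the root can verify any record it is served."""
import hashlib
import json
from typing import List, Tuple

# Constructed sample records. The field names are assumptions for this
# example only, not AlmaLinux's real attestation schema.
RECORDS = [
    {"package": "openssl-3.0.7-27.el9", "source_commit": "a1b2c3",
     "built_by": "build-host-01", "rpm_sha256": "11" * 32},
    {"package": "bash-5.1.8-6.el9", "source_commit": "d4e5f6",
     "built_by": "build-host-02", "rpm_sha256": "22" * 32},
    {"package": "curl-7.76.1-26.el9", "source_commit": "0a0b0c",
     "built_by": "build-host-01", "rpm_sha256": "33" * 32},
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: dict) -> bytes:
    # Canonical JSON plus a domain-separation byte: field order cannot change
    # the digest, and a leaf can never collide with an interior node.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return sha256(b"\x00" + canonical.encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first. An odd level is padded by repeating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(records: List[dict]) -> bytes:
    return build_levels([leaf_hash(r) for r in records])[-1][0]


def inclusion_proof(records: List[dict], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    levels = build_levels([leaf_hash(r) for r in records])
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return proof


def verify_inclusion(record: dict, proof: List[Tuple[bytes, str]], trusted_root: bytes) -> bool:
    """Recompute the path to the root from the record and its proof; accept only on exact match."""
    h = leaf_hash(record)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == trusted_root


class Server:
    """Stands in for the database: it returns a record and a proof, and may be tampered with."""
    def __init__(self, records: List[dict]):
        self.records = list(records)

    def get(self, index: int):
        return self.records[index], inclusion_proof(self.records, index)


def verified_get(server: Server, index: int, trusted_root: bytes) -> dict:
    record, proof = server.get(index)
    if not verify_inclusion(record, proof, trusted_root):
        raise ValueError("attestation record failed verification against pinned root")
    return record


def demo() -> Tuple[bool, bool]:
    """Returns (clean read verified, tampered read detected)."""
    server = Server(RECORDS)
    trusted_root = merkle_root(RECORDS)  # root the client pinned when the data was published
    clean_ok = verified_get(server, 1, trusted_root) == RECORDS[1]
    # Tamper with an already-published build: swap in a different RPM checksum.
    server.records[1] = dict(RECORDS[1], rpm_sha256="ff" * 32)
    try:
        verified_get(server, 1, trusted_root)
        detected = False
    except ValueError:
        detected = True
    return clean_ok, detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The model captures the inclusion check only. It does not show consistency proofs between successive roots, which are what stop a server from serving an older but internally consistent snapshot; a real client, as the page says of immudb, also has to verify that each new state extends the one it last trusted.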

Getting Started

For more information, see the AlmaLinux wiki: https://github.com/AlmaLinux/build-system/wiki/Codenotary-SBOM-integration