On Mon, Jul 11, 2022 at 12:53:57PM +1000, Jason Shepherd wrote:
> Hello Fedora Infrastructure team,
>
> Red Hat Product Security are building an application called Component
> Registry to meet the requirements set out in the recent Executive Order
> 14028 [1], "Improving the Nation's Cybersecurity". The executive order
> requires that software producers and suppliers should take steps to report
> and validate a listing of all components included in or used by their
> software products, aka a Software Bill of Materials. We'd like to build our
> application in the open by providing the source code to the
> open source community.
>
> Since all the Red Hat build infrastructure is internal to Red Hat, we'd
> also like to provide this service to Fedora so that our open source project
> can have a life outside of Red Hat's corporate firewall. I suspect we are
> close to being able to provide an example of the Software Bill of Materials
> (SBOM) for Fedora, since it is built in a very similar way to Red Hat
> Enterprise Linux. The reason for reaching out is to find out if you are
> interested in hosting an SBOM for Fedora or not. We could build it inside
> the Red Hat firewall, and provide a static file for each target release of
> Fedora, updated periodically. Alternatively we could run the application
> somewhere on your infrastructure in order to make the data available via an
> API on demand. In which case we'd probably need to help to maintain that
> infrastructure.

This sounds really interesting, thanks for reaching out!
Do you know what kind of requirements your application has currently? Can it
easily be run on OpenShift?

Which approach would you prefer? Is there an interest in hosting a "live"
instance in the Fedora Infrastructure, besides having an API instead of static
files? (Are the static files JSON files or HTML btw?)

Pierre