AlmaLinux SBOM (Software Bill of Materials) Information

AlmaLinux provides an SBOM (Software Bill of Materials) for the releases it publishes.

What is an SBOM (Software Bill of Materials)?

An SBOM, or Software Bill of Materials, is like a "list of ingredients" for a code base. It helps identify what the software contains: which open source and third-party components are used, their license information, the component versions, and whether any known vulnerabilities exist in those components.

The SBOM is the "ingredient list", the code is the "ingredients", and the build system is the "kitchen" where those ingredients are turned into the final software that users consume.

Why does the SBOM matter?

Open source software is used in a vast range of applications, but it has also been at the root of several high-profile hacks and vulnerability disclosures. The SBOM aims to give the open source community and users greater transparency, along with an effective way to identify individual files, libraries, dependencies and so on when a risk arises, thereby strengthening trust and confidence in the use of open source software.

The Linux Foundation agrees...

The Linux Foundation and the Open Source Security Foundation (OpenSSF) have also developed a plan, the Source Software Security Mobilization Plan, which calls on industry to take action and develop a software component framework, including SBOMs, to speed up the discovery of and response to future vulnerabilities like Log4j.

...And the president himself

An SBOM has been spotlighted as a key part of the solution presented by the president in the Executive Order on Improving the Nation’s Cybersecurity.

"the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging."

What AlmaLinux provides

The AlmaLinux Build System has integrated SBOM generation into its pipeline for the reasons listed above, in order to:

  • Track the entire build process, from pulling source code out of the CentOS git repositories to publishing verified and signed packages in the public repositories
  • Make the build pipeline more secure, for example by ensuring that only trusted sources are used for builds and by limiting the consequences of an attack
  • Reduce the ways in which data can be corrupted

How do we do this?

AlmaLinux uses Codenotary's open source immudb to give administrators authentication, verification and complete SBOM visibility.

  • The AlmaLinux Build System stores its SBOM data in immudb, the open source standard for immutable databases, used by some of the world's leading companies and governments.
  • immudb is protected against tampering. All attestation data is integrity-checked and cryptographically verified by clients. No one can change this data, not AlmaLinux or anyone else.
  • immudb is also protected against MITM attacks. The encryption key is verified and checked on the client side before every communication.

Getting Started

For more information, see the AlmaLinux wiki: https://github.com/AlmaLinux/build-system/wiki/Codenotary-SBOM-integration
