Hello Fedora Infrastructure team,
Red Hat Product Security are building an application called Component Registry to meet the requirements set out in the recent Executive Order 14028 [1], "Improving the Nation's Cybersecurity". The executive order requires that software producers and suppliers should take steps to report and validate a listing of all components included in or used by their software products, aka a Software Bill of Materials. We'd like to build our application in the open by providing the source code to the open source community.
Since all the Red Hat build infrastructure is internal to Red Hat, we'd also like to provide this service to Fedora so that our open source project can have a life outside of Red Hat's corporate firewall. I suspect we are close to being able to provide an example of the Software Bill of Materials (SBOM) for Fedora, since it is built in a very similar way to Red Hat Enterprise Linux. The reason for reaching out is to find out if you are interested in hosting an SBOM for Fedora or not. We could build it inside the Red Hat firewall, and provide a static file for each target release of Fedora, updated periodically. Alternatively we could run the application somewhere on your infrastructure in order to make the data available via an API on demand, in which case we'd probably need to help maintain that infrastructure.
Let me know your thoughts. I didn't provide a link to the code repository as it's currently private to Red Hat associates. But we expect to open source the project in the coming weeks. At that time we'll be able to provide the source code.
Regards,
Jason Shepherd
Red Hat Product Security