On Mon, Jul 11, 2022 at 12:53:57PM +1000, Jason Shepherd wrote:
> Hello Fedora Infrastructure team,
>
> Red Hat Product Security are building an application called Component
> Registry to meet the requirements set out in the recent Executive Order
> 14028 [1], "Improving the Nation's Cybersecurity". The executive order
> requires that software producers and suppliers should take steps to report
> and validate a listing of all components included in or used by their
> software products, aka a Software Bill of Materials. We'd like to build our
> application in the open by providing the source code to the
> open source community.
>
> Since all the Red Hat build infrastructure is internal to Red Hat, we'd
> like to also provide this service to Fedora so that our open source project
> can have a life outside of Red Hat's corporate firewall. I suspect we are
> close to being able to provide an example of the Software Bill of Materials
> (SBOM) for Fedora, since it is built in a very similar way to Red Hat
> Enterprise Linux. The reason for reaching out is to find out if you are
> interested in hosting an SBOM for Fedora or not. We could build it inside
> the Red Hat firewall, and provide a static file for each target release of
> Fedora, updated periodically. Alternatively we could run the application
> somewhere on your infrastructure in order to make the data available via an
> API on demand. In which case we'd probably need to help to maintain that
> infrastructure.

This sounds really interesting, thanks for reaching out!

Do you know what kind of requirements your application has currently? Can it
easily be run on OpenShift?

Which approach would you prefer? Is there an interest in hosting a "live"
instance in the Fedora Infrastructure, besides having an API instead of static
files? (Are the static files JSON files or HTML btw?)

Pierre