AlmaLinux provides a Software Bill of Materials (SBOM) for its releases.
What is an SBOM?
An SBOM (Software Bill of Materials) is akin to an “ingredient list” for a codebase. It identifies what goes into a piece of software: which open source and third-party components are used, their versions, their licensing, and whether any of those components have known vulnerabilities.
The SBOM is the “ingredient list”, the code is the ingredients, and the build system is the “kitchen” where those ingredients are built into the final piece of software you consume.
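As an added example (not AlmaLinux's tooling, and not an SBOM the project publishes), here is a small Python script that reads an SPDX-JSON SBOM and flags components whose RPM version is older than the version an advisory says fixed the issue. The SBOM document, package names, versions and advisory identifiers are constructed for the example, and the version comparison is a simplified rpmvercmp (no tilde or caret handling).

```python
"""Added example, not AlmaLinux's own tooling: parse an SPDX-JSON SBOM and
flag components older than an advisory's fixed version.

The SBOM document, package names, versions and advisory IDs below are
constructed for this example and do not describe any real AlmaLinux build.
"""
import json
import re

# Constructed SPDX 2.3 JSON document (field names follow the SPDX JSON
# schema; the contents are made up).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "example-image",
    "packages": [
        {"name": "openssl", "versionInfo": "1.1.1k-6.el8",
         "licenseConcluded": "OpenSSL",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator":
                           "pkg:rpm/almalinux/openssl@1.1.1k-6.el8?arch=x86_64"}]},
        {"name": "zlib", "versionInfo": "1.2.11-18.el8",
         "licenseConcluded": "Zlib",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator":
                           "pkg:rpm/almalinux/zlib@1.2.11-18.el8?arch=x86_64"}]},
        {"name": "glibc", "versionInfo": "2.28-189.el8",
         "licenseConcluded": "LGPL-2.1-or-later"},
    ],
})

# Constructed advisory feed: component -> [(advisory id, first fixed EVR)].
SAMPLE_ADVISORIES = {
    "openssl": [("EXAMPLE-2022-0001", "1.1.1k-7.el8")],
    "zlib": [("EXAMPLE-2022-0002", "1.2.11-18.el8")],
}

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: split into digit/letter segments and compare in
    order. Digit segments compare numerically, letter segments lexically,
    and a digit segment sorts after a letter segment (as rpm does). Returns
    -1, 0 or 1. Tilde/caret handling of the real algorithm is omitted."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare '[epoch:]version-release' strings; a missing epoch is 0."""
    def split(evr):
        epoch = "0"
        if ":" in evr:
            epoch, evr = evr.split(":", 1)
        version, _, release = evr.partition("-")
        return int(epoch), version, release
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpm_vercmp(va, vb)
    return c if c else rpm_vercmp(ra, rb)


def parse_sbom(text):
    """Return the SBOM's components as dicts: name, version, license, purl."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        raise ValueError("not an SPDX JSON document")
    components = []
    for pkg in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        components.append({"name": pkg["name"],
                           "version": pkg.get("versionInfo", ""),
                           "license": pkg.get("licenseConcluded", "NOASSERTION"),
                           "purl": purl})
    return components


def find_vulnerable(components, advisories):
    """Match components against advisories; a component is affected when its
    EVR sorts before the advisory's first fixed EVR."""
    hits = []
    for c in components:
        for adv_id, fixed in advisories.get(c["name"], []):
            if evr_cmp(c["version"], fixed) < 0:
                hits.append((c["name"], c["version"], adv_id, fixed))
    return hits


if __name__ == "__main__":
    for name, ver, adv, fixed in find_vulnerable(parse_sbom(SAMPLE_SBOM),
                                                 SAMPLE_ADVISORIES):
        print(f"{name}-{ver} affected by {adv} (fixed in {fixed})")
```

Run stand-alone, the script reports only the openssl component: zlib is exactly at the fixed version and glibc has no advisory in the constructed feed. In practice the advisory side would come from a vulnerability database keyed by purl rather than a hand-written dict.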
Why are SBOMs important?
Open source software is used extensively in applications, and that widespread reuse has also been at the root of several high-profile compromises and vulnerabilities. SBOMs give the community and users of open source more transparency and, when a risk is identified, an efficient way to locate the affected files, libraries and dependencies, which increases trust and confidence in the use of open source software.
The Linux Foundation thinks so too…
The Linux Foundation and the Open Source Security Foundation (OpenSSF) have also produced the Open Source Software Security Mobilization Plan, which calls for industry action to develop software component frameworks, including SBOMs, to speed up the discovery of and response to future vulnerabilities like the one in Log4j.
...And the president himself
An SBOM is spotlighted as a key part of the solution in the President's Executive Order on Improving the Nation's Cybersecurity (EO 14028), which defines the term as follows:
"the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging."
What AlmaLinux Provides
The AlmaLinux Build System has integrated SBOM generation into its pipeline for the reasons listed above, to enable:
- Tracing the whole build process, from pulling sources from CentOS git repositories to releasing a verified and signed package in the public repository
- Making the build pipeline more secure, for example by ensuring that only trusted sources are used for builds and by limiting the consequences of an attack
- Reducing the number of ways in which build data can be corrupted
How are we doing this?
AlmaLinux is leveraging Codenotary's open source Community Attestation Service (CAS) to give administrators authentication, verification and full SBOM visibility.
- CAS stores all signatures in immudb, an open source immutable database used by some of the world's leading companies and governments.
- CAS is protected against tampering. All attestation data is integrity-checked and cryptographically verified by the CAS client, so nobody, AlmaLinux included, can change it without the change being detected.
- CAS is also protected against man-in-the-middle (MITM) attacks: the client verifies the encryption key before every communication.
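To make the client-side verification point concrete, the following is an added, simplified model written for this page; it is not CAS or immudb code and does not reproduce their protocol. An append-only hash chain stands in for the immutable store, an HMAC stands in for the signer's signature (a real attestation service uses an asymmetric signature that the client checks with the signer's public key), and the signer name, key and artifact bytes are constructed. What it shows is the property the page describes: the client recomputes every link and checks the record before trusting a lookup, so an edited record, a wrong artifact or an untrusted signer is rejected.

```python
"""Added example, not CAS or immudb code: a toy model of client-side
attestation checking over a hash-chained, append-only ledger.

Real CAS/immudb use Merkle-tree proofs and asymmetric signatures; this
stdlib-only version illustrates the tamper-evidence property, not their
protocol. Signer name, key and artifact bytes are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _canonical(record):
    return json.dumps(record, sort_keys=True).encode()


def entry_hash(prev_hash, record):
    """Link hash: sha256(previous link || canonical record)."""
    return hashlib.sha256(prev_hash.encode() + _canonical(record)).hexdigest()


class Ledger:
    """Append-only list of (record, link_hash); each link covers the previous
    one, so editing any stored record invalidates every later link."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((record, entry_hash(prev, record)))

    def verify_chain(self):
        """Recompute all links; returns (True, None) or (False, bad_index)."""
        prev = GENESIS
        for i, (record, link) in enumerate(self.entries):
            if entry_hash(prev, record) != link:
                return False, i
            prev = link
        return True, None


def sign_record(key, record):
    """Stand-in for the signer's signature: HMAC over the canonical record.
    Only to keep the example stdlib-only; a real service would use an
    asymmetric signature so the verifier needs no secret."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def attest(ledger, key, signer_id, artifact, status="TRUSTED"):
    """Signer side: record the artifact's digest, signer and status."""
    digest = hashlib.sha256(artifact).hexdigest()
    record = {"sha256": digest, "signer": signer_id, "status": status}
    record["sig"] = sign_record(key, record)   # signed before 'sig' is added
    ledger.append(record)
    return digest


def authenticate(ledger, key, trusted_signers, artifact):
    """Client side: (1) chain intact, (2) an entry exists for this artifact's
    digest, (3) its signature verifies, (4) the signer is trusted.
    Returns (ok, reason)."""
    ok, bad = ledger.verify_chain()
    if not ok:
        return False, f"ledger tampered at entry {bad}"
    digest = hashlib.sha256(artifact).hexdigest()
    for record, _ in reversed(ledger.entries):        # newest record wins
        if record["sha256"] != digest:
            continue
        body = {k: v for k, v in record.items() if k != "sig"}
        if not hmac.compare_digest(record["sig"], sign_record(key, body)):
            return False, "record signature invalid"
        if record["signer"] not in trusted_signers:
            return False, f"untrusted signer {record['signer']}"
        return record["status"] == "TRUSTED", f"{record['status']} by {record['signer']}"
    return False, "no attestation for this artifact"


def demo():
    """Constructed scenario: good artifact, modified artifact, edited ledger."""
    key = b"example-signing-key"            # constructed; never hardcode real keys
    trusted = {"example-signer"}
    ledger = Ledger()
    artifact = b"constructed bytes standing in for an RPM"
    attest(ledger, key, "example-signer", artifact)
    results = {
        "good": authenticate(ledger, key, trusted, artifact)[0],
        "modified_artifact": authenticate(ledger, key, trusted, artifact + b"x")[0],
    }
    ledger.entries[0][0]["status"] = "UNTRUSTED"   # simulate server-side edit
    results["tampered_ledger"] = authenticate(ledger, key, trusted, artifact)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: chain integrity is verified before any record is consulted, so a tampered store is rejected even if the edited record would otherwise look valid. In the toy model the verifier must hold the HMAC key; with a real asymmetric signature only the public key is needed, which is what lets the check run entirely on the client.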
For more information, see the Almalinux wiki: https://github.com/AlmaLinux/build-system/wiki/Codenotary-SBOM-integration