
Assess SPDX inclusion for k8s release BOM implementation

Open lukehinds opened this issue 4 years ago • 4 comments

Related to the following in k8s release SIG : https://github.com/kubernetes/release/issues/1837#issuecomment-777076220

Explore inclusion of SPDX manifests (XML :frowning:), namely:

  • What sort of values would be critical (place in the t-log) and what could go in ExtraData.
  • What sort of signing system is used, and how would we ensure non-repudiation?
  • How would k8s release display entry and make it valuable, perhaps an inclusion URL pointing to the UUID?

lukehinds avatar Feb 11 '21 08:02 lukehinds

👋 I can help answer SPDX questions (XML is only one of the supported formats)

nishakm avatar Feb 11 '21 14:02 nishakm

Great, sounds good @nishakm, I look forward to collaborating with you.

I guess a key question to kick off is whether you do any sort of key signing of either the SPDX manifest or the artifacts listed in the manifest, and if so, what is used (GPG, x509, ...)?

lukehinds avatar Feb 11 '21 14:02 lukehinds

> Great, sounds good @nishakm, I look forward to collaborating with you.
>
> I guess a key question to kick off is whether you do any sort of key signing of either the SPDX manifest or the artifacts listed in the manifest, and if so, what is used (GPG, x509, ...)?

You can sign an SPDX document/blob just like you would sign any artifact. At this time, the document itself doesn't support signature metadata, but the community is working on adding it in SPDX 3.0.

nishakm avatar Feb 11 '21 14:02 nishakm
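As an added example (not rekor's code, not the SPDX project's, and not part of this thread), the following Go program shows the "sign the blob like any artifact" approach from the reply above together with the split the issue body asks about: the digest, signature and public key are treated as the critical values that would go into a log entry, while the full document rides along as extra data. The SPDX tag-value document is constructed for the example, and Ed25519 from the Go standard library is an assumed signing scheme chosen for self-containment; it does not represent what k8s release signing or rekor's entry types actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample: a minimal SPDX 2.2 tag-value document describing one
// release artifact. It is not a real Kubernetes release manifest.
const sampleSPDX = `SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-release
DocumentNamespace: https://example.invalid/spdx/example-release
Creator: Tool: example-bom-tool
Created: 2021-02-11T00:00:00Z

PackageName: example-binary
SPDXID: SPDXRef-Package-example-binary
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000
`

// LogEntry is a hypothetical layout for this example only. The first three
// fields are the values that must be immutable in a transparency log: the
// digest of the document, the signature over exactly those bytes, and the key
// needed to verify it. ExtraData carries the whole document for display.
type LogEntry struct {
	DocumentSHA256 string
	Signature      []byte
	PublicKey      ed25519.PublicKey
	ExtraData      []byte
}

// DigestHex returns the hex-encoded SHA-256 of the raw document bytes.
func DigestHex(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// SignDocument signs the raw SPDX blob as shipped (not a re-parsed or
// re-serialised form) so that any later change, even to whitespace,
// invalidates the signature.
func SignDocument(priv ed25519.PrivateKey, doc []byte) LogEntry {
	return LogEntry{
		DocumentSHA256: DigestHex(doc),
		Signature:      ed25519.Sign(priv, doc),
		PublicKey:      priv.Public().(ed25519.PublicKey),
		ExtraData:      doc,
	}
}

// VerifyEntry checks that the extra data still matches the logged digest and
// that the signature verifies under the logged public key. Both checks are
// needed: the digest ties the displayed document to the entry, the signature
// ties the entry to the signer.
func VerifyEntry(e LogEntry) bool {
	if DigestHex(e.ExtraData) != e.DocumentSHA256 {
		return false
	}
	return ed25519.Verify(e.PublicKey, e.ExtraData, e.Signature)
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	entry := SignDocument(priv, []byte(sampleSPDX))
	fmt.Println("digest:", entry.DocumentSHA256)
	fmt.Println("verifies:", VerifyEntry(entry))

	// Simulate a document edited after signing: the extra data no longer
	// matches the logged digest, so verification fails.
	tampered := entry
	tampered.ExtraData = []byte(sampleSPDX + "PackageLicenseDeclared: MIT\n")
	fmt.Println("tampered verifies:", VerifyEntry(tampered))
}
```

The design point is that the signature covers the exact bytes whose digest is logged; signing a parsed representation instead would let two differently serialised documents share one signature and would make the digest in the log useless for tying the displayed document to the signed one.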

@nishakm sent you a Slack invite, if that's OK

lukehinds avatar Feb 11 '21 15:02 lukehinds