Hello Fedora Infrastructure team,
Red Hat Product Security are building an application called Component Registry to meet the requirements set out in the recent Executive Order 14028 [1], "Improving the Nation's Cybersecurity". The executive order requires that software producers and suppliers should take steps to report and validate a listing of all components included in or used by their software products, aka a Software Bill of Materials. We'd like to build our application in the open by providing the source code to the open source community.
Since all the Red Hat build infrastructure is internal to Red Hat, we'd also like to provide this service to Fedora so that our open source project can have a life outside of Red Hat's corporate firewall. I suspect we are close to being able to provide an example of the Software Bill of Materials (SBOM) for Fedora, since it is built in a very similar way to Red Hat Enterprise Linux. The reason for reaching out is to find out if you are interested in hosting an SBOM for Fedora or not. We could build it inside the Red Hat firewall, and provide a static file for each target release of Fedora, updated periodically. Alternatively we could run the application somewhere on your infrastructure in order to make the data available via an API on demand, in which case we'd probably need to help maintain that infrastructure.
Let me know your thoughts. I didn't provide a link to the code repository as it's currently private to Red Hat associates. But we expect to open source the project in the coming weeks. At that time we'll be able to provide the source code.
Regards,
Jason Shepherd
Red Hat Product Security
[1] https://www.cisa.gov/executive-order-improving-nations-cybersecurity
On Mon, Jul 11, 2022 at 12:53:57PM +1000, Jason Shepherd wrote:
> Hello Fedora Infrastructure team,
> Red Hat Product Security are building an application called Component Registry to meet the requirements set out in the recent Executive Order 14028 [1], "Improving the Nation's Cybersecurity". The executive order requires that software producers and suppliers should take steps to report and validate a listing of all components included in or used by their software products, aka a Software Bill of Materials. We'd like to build our application in the open by providing the source code to the open source community.
> Since all the Red Hat build infrastructure is internal to Red Hat, we'd also like to provide this service to Fedora so that our open source project can have a life outside of Red Hat's corporate firewall. I suspect we are close to being able to provide an example of the Software Bill of Materials (SBOM) for Fedora, since it is built in a very similar way to Red Hat Enterprise Linux. The reason for reaching out is to find out if you are interested in hosting an SBOM for Fedora or not. We could build it inside the Red Hat firewall, and provide a static file for each target release of Fedora, updated periodically. Alternatively we could run the application somewhere on your infrastructure in order to make the data available via an API on demand, in which case we'd probably need to help maintain that infrastructure.
This sounds really interesting, thanks for reaching out!
Do you know what kind of requirements your application has currently? Can it easily be run on OpenShift? Which approach would you prefer? Is there an interest in hosting a "live" instance in the Fedora Infrastructure, besides having an API instead of static files? (Are the static files JSON files or HTML, btw?)
Pierre
Dne 11. 07. 22 v 4:53 Jason Shepherd napsal(a):
> Red Hat Product Security are building an application called Component Registry to meet the requirements set out in the recent Executive Order 14028 [1], "Improving the Nation's Cybersecurity". The executive order requires that software producers and suppliers should take steps to report and validate a listing of all components included in or used by their software products, aka a Software Bill of Materials. We'd like to build our application in the open by providing the source code to the open source community.
What does it mean technically? SWID tags? Something else?
Miroslav
Hi -
> [...] Let me know your thoughts. I didn't provide a link to the code repository as it's currently private to Red Hat associates. But we expect to open source the project in the coming weeks. At that time we'll be able to provide the source code. [...]
I suspect your message is hard to answer substantively without any information about the scale and composition of this infrastructure, its needed inputs, resources, usefulness (in terms of client tooling), and so on.
- FChE
On Mon, Jul 11, 2022 at 09:22:48AM -0400, Frank Ch. Eigler wrote:
> Hi -
> > [...] Let me know your thoughts. I didn't provide a link to the code repository as it's currently private to Red Hat associates. But we expect to open source the project in the coming weeks. At that time we'll be able to provide the source code. [...]
> I suspect your message is hard to answer substantively without any information about the scale and composition of this infrastructure, its needed inputs, resources, usefulness (in terms of client tooling), and so on.
Yeah. Once the open sourcing happens, perhaps we could get an overview of how it works, what it needs, etc.
kevin
It's perfect if we can run it on your OpenShift, and only maintain the application itself without having to also maintain OpenShift. We run it on PSI OpenShift Red Hat infrastructure inside the Red Hat firewall for now. We're planning on migrating to Managed Platform Plus before GA in Sept.
You can find the source code here:
https://github.com/RedHatProductSecurity/component-registry/
Our current setup in PSI has:
- 9 GB persistent storage
- 20 MB memory requested
- the ability to run 10-20 pods
We don't have any client tooling yet. Our application hosts an API endpoint, which you can get a preview of by visiting this if you're a Red Hat employee:
https://corgi.prodsec.redhat.com/api/v1/
We're planning to produce SPDX documents for now, here's a sample for RHEL-8 if you're a Red Hat employee:
https://corgi.prodsec.redhat.com/api/v1/product_streams/3264efff-4d6a-4fee-8...
Regards,
Jason
On Tue, Jul 12, 2022 at 4:41 AM Kevin Fenzi kevin@scrye.com wrote:
> On Mon, Jul 11, 2022 at 09:22:48AM -0400, Frank Ch. Eigler wrote:
> > Hi -
> > > [...] Let me know your thoughts. I didn't provide a link to the code repository as it's currently private to Red Hat associates. But we expect to open source the project in the coming weeks. At that time we'll be able to provide the source code. [...]
> > I suspect your message is hard to answer substantively without any information about the scale and composition of this infrastructure, its needed inputs, resources, usefulness (in terms of client tooling), and so on.
> Yeah. Once the open sourcing happens, perhaps we could get an overview of how it works, what it needs, etc.
> kevin
> _______________________________________________
> infrastructure mailing list -- infrastructure@lists.fedoraproject.org
> To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedorapro...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure