Why the World Needs a Software Bill of Materials Now

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • rekor

    Software Supply Chain Transparency Log

  • The rekor project under sigstore is interesting in this regard: https://github.com/sigstore/rekor

    It's listed as a signature transparency log, but they support some sort of custom manifest system, so you can set your own schema in your preferred format (xml, json, yaml) - the only thing is they require the manifest / material file is signed (I guess as it then brings a level of non-repudiation). I am planning on building an SBOM type.

    I heard some of the in-toto folks are working on the project as well. This is a good step towards a SBOM recorded supply chain.

  • vis_avs_dx

    Direct3D 11 port of Advanced Visualization Studio, a music visualization plugin for Winamp.

  • When I develop software, the source code repo contains a text file with all the third-party stuff I have used, both linked and copy-pasted, along with the URLs where I got the code and their licenses.

    Not precisely a BOM and I maintain them for a different reason, but overall I think pretty close to what's proposed. A couple of examples from my open-source projects: https://github.com/Const-me/vis_avs_dx/blob/master/legal.txt https://github.com/Const-me/Vrmac/blob/master/Pre-existing%2...

  • > What about websites though?

    It is possible for a web page to specify the expected hash of a script file, which the browser will enforce. This is called SRI (Subresource Integrity).[0]

    Of course that still leaves the bootstrapping problem of how the page itself can be guaranteed to have a specific hash, but fortunately there is a clever hack that can be done with bookmarklets[1], or the page can just be saved and loaded/served locally.

    While that works technically, the UX isn't great because the address bar won't show the domain of the remote server (although browsers seem to be hiding the address bar from the user more and more). A better solution would be for browsers to support Hashlinks[2], which would allow a bookmark to point to a remote page with fixed contents.

    [0] https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

    [1] https://news.ycombinator.com/item?id=17776456

    [2] https://github.com/w3c-ccg/hashlink

  • seL4

    The seL4 microkernel

  • > I know there is research at some universities into formally verified OS's, but it's a long way off IMO.

    I believe seL4 is verified and used in production ( https://sel4.systems/ )


Related posts

  • From L3 to seL4 what have we learnt in 20 years of L4 microkernels? [video]

    2 projects | news.ycombinator.com | 15 Apr 2024
  • On the Costs of Syscalls

    2 projects | news.ycombinator.com | 29 Jan 2024
  • Can the language of proof assistants be used for general purpose programming?

    3 projects | news.ycombinator.com | 27 Oct 2023
  • Obtainium – Get Android App Updates Directly from the Source

    2 projects | news.ycombinator.com | 10 Oct 2023
  • How to write TEE/Trusted OS for ARM microcontrollers?

    1 project | /r/osdev | 5 Jun 2023