
Software Bill of Materials (SBoM) and Supply Chain with the Yocto Project - Generating and Using SBoMs

Yocto Project via YouTube

Overview

This 35-minute conference talk covers the role of a Software Bill of Materials (SBoM) in protecting the software supply chain: why SBoMs matter, why regulators now ask for them, how to generate them with the Yocto Project, and how to put them to use. Because Yocto builds complete images from source and keeps rich per-recipe metadata (sources, licenses, dependencies), it is well placed to describe a complex supply chain end to end. The talk walks through SPDX document generation and the relationships that link recipes, packages, sources and dependencies, then looks ahead: why reproducible builds are needed so that binary output can be tied back to recipe hashes, how reproducibility is enabled and tested, and what the upcoming SPDX 3.0 standard will change.

Syllabus

Intro
Outline
Protecting the Software Supply Chain
Regulatory Agencies have taken notice
Build Images from Source Code
Simplified Build Flow
"Nutrition Information" for Software
Recipe Metadata
SPDX Generation
Yocto Project role in the Software Supply Chain
Yocto SPDX Features
What can we generate SPDX documents for?
SPDX Relationships
Future Improvements
Why do we need reproducible builds?
Binary output should associate with recipe hashes
Enabling Reproducible Builds
Reproducibility Testing
Extending Quality Assurance Test
Buildtools replaces Host tools
SPDX 3.0 and the Future
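The syllabus items "SPDX Generation" and "SPDX Relationships" are the part of the talk a practitioner can act on directly, so here is an added example that is not code from the talk or from the Yocto Project. It walks a constructed SPDX 2.2 JSON document shaped like a per-recipe SBoM document (the document describes one recipe, the recipe GENERATES packages, build dependencies live in other documents and are reached through externalDocumentRefs). The recipe name, SPDX IDs, namespaces and checksum values are all made up for the example; the relationship types and their direction follow the SPDX 2.x specification ("A BUILD_DEPENDENCY_OF B" means A is a build dependency of B). The last function is the check to run before trusting relationship data across a large build: a relationship that points at an element or DocumentRef the document never defines is a gap in the supply-chain description, not a dependency you can audit.

```python
"""Walk a per-recipe SPDX 2.x JSON SBoM: list what a recipe generated,
what it was built from, pull the source checksum, and flag relationship
endpoints the document cannot resolve."""
import json

# Constructed sample (not real Yocto output): one SPDX 2.2 document for a
# hypothetical "zlib" recipe. All IDs, namespaces and checksums are made up.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "recipe-zlib",
    "documentNamespace": "http://example.invalid/spdxdocs/recipe-zlib",
    # Cross-document links: each DocumentRef must be declared here, with the
    # checksum of the referenced document, before a relationship may use it.
    "externalDocumentRefs": [
        {"externalDocumentId": "DocumentRef-recipe-glibc",
         "spdxDocument": "http://example.invalid/spdxdocs/recipe-glibc",
         "checksum": {"algorithm": "SHA1", "checksumValue": "0" * 40}},
    ],
    "packages": [
        # The recipe itself: where the source came from and its checksum.
        {"SPDXID": "SPDXRef-Recipe-zlib", "name": "zlib", "versionInfo": "1.2.13",
         "downloadLocation": "https://zlib.net/zlib-1.2.13.tar.xz",
         "licenseDeclared": "Zlib",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "a" * 64}]},
        # Binary packages the recipe produced.
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.13",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Zlib"},
        {"SPDXID": "SPDXRef-Package-zlib-dev", "name": "zlib-dev", "versionInfo": "1.2.13",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Zlib"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Recipe-zlib"},
        {"spdxElementId": "SPDXRef-Recipe-zlib", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-Package-zlib"},
        {"spdxElementId": "SPDXRef-Recipe-zlib", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-Package-zlib-dev"},
        # zlib-dev needs zlib at runtime.
        {"spdxElementId": "SPDXRef-Package-zlib", "relationshipType": "RUNTIME_DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-zlib-dev"},
        # glibc (in another document) is a build dependency of this recipe.
        {"spdxElementId": "DocumentRef-recipe-glibc:SPDXRef-Recipe-glibc",
         "relationshipType": "BUILD_DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Recipe-zlib"},
        # Deliberately broken for the example: DocumentRef-recipe-openssl is
        # never declared in externalDocumentRefs, so it cannot be resolved.
        {"spdxElementId": "DocumentRef-recipe-openssl:SPDXRef-Recipe-openssl",
         "relationshipType": "BUILD_DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-Recipe-zlib"},
    ],
}
SAMPLE_SPDX_JSON = json.dumps(SAMPLE_SPDX)


def load_spdx(text):
    """Parse an SPDX JSON document and reject anything that is not SPDX 2.x."""
    doc = json.loads(text)
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document: %r" % doc.get("spdxVersion"))
    return doc


def local_ids(doc):
    """All SPDXIDs defined in this document (document, packages, files)."""
    ids = {doc["SPDXID"]}
    ids |= {p["SPDXID"] for p in doc.get("packages", [])}
    ids |= {f["SPDXID"] for f in doc.get("files", [])}
    return ids


def generated_packages(doc, recipe_id):
    """SPDXIDs of packages the recipe element GENERATES."""
    return sorted(r["relatedSpdxElement"] for r in doc.get("relationships", [])
                  if r["spdxElementId"] == recipe_id and r["relationshipType"] == "GENERATES")


def build_dependencies(doc, recipe_id):
    """Elements that are BUILD_DEPENDENCY_OF the recipe (local or DocumentRef-qualified)."""
    return sorted(r["spdxElementId"] for r in doc.get("relationships", [])
                  if r["relatedSpdxElement"] == recipe_id
                  and r["relationshipType"] == "BUILD_DEPENDENCY_OF")


def source_checksum(doc, package_id, algorithm="SHA256"):
    """Checksum recorded for a package, or None if the package has none."""
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] == package_id:
            for c in pkg.get("checksums", []):
                if c["algorithm"] == algorithm:
                    return c["checksumValue"]
    return None


def unresolved_references(doc):
    """Relationship endpoints this document cannot resolve: a local SPDXID that is
    not defined, or a DocumentRef prefix missing from externalDocumentRefs."""
    local = local_ids(doc)
    external = {r["externalDocumentId"] for r in doc.get("externalDocumentRefs", [])}
    bad = []
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[key]
            if ref in ("NONE", "NOASSERTION"):
                continue
            if ":" in ref:
                if ref.split(":", 1)[0] not in external:
                    bad.append(ref)
            elif ref not in local:
                bad.append(ref)
    return bad


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SPDX_JSON)
    recipe = "SPDXRef-Recipe-zlib"
    print("generates:   ", generated_packages(doc, recipe))
    print("build deps:  ", build_dependencies(doc, recipe))
    print("source sha256:", source_checksum(doc, recipe))
    print("unresolved:  ", unresolved_references(doc))
```

Run against real output, the same walk is what lets you answer the audit question the talk frames: for a binary package in an image, which recipe generated it, which source archive and checksum that recipe was built from, and which other recipes' documents you must also fetch (and checksum-verify, via externalDocumentRefs) to follow the build dependencies one level further.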

Taught by

Yocto Project
