@pmatilai converted this issue into discussion #2851.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2389#event-11510089819
You are receiving this because you are subscribed to this thread.
Message ID:
@mlschroe A lot of the stuff around bundled dependencies is often expressed as
`bundled()` Provides either manually or via dependency generators in Fedora.
I'm not sure we want to do something different when that works fairly well...
--
I am interested in this as well.
This does not need to be fully implemented by rpmbuild itself. The list of
"components" used for the build can be gathered by the build system. E.g., Mock
can already do that
https://rpm-software-management.github.io/mock/Plugin-PackageState In this
case, the f
Both #1532 and #607 seem to touch on the same subject.
I'm not opposed at all in principle, the question is more in the details:
should the info be in the header of each binary package, or would a
buildinfo-style file/subpackage (with a strong identifier tying it to the same
build) be enough? T
I hope I get this right, because I'm no expert for that topic either.
SBOM is "Software bill of materials". Basically it is a document that describes
what exactly is on a product/appliance/container/... There are two standard
formats, SPDX and CycloneDX, coming from different directions.
SPDX c
Deep in the Finnish countryside? :sweat_smile:
--
But but but... where have you been? Software supply chain security is the thing
nowadays ;-)
--
Hard for me to comment when I don't know a single term/name mentioned here,
starting with SBOM which I looked up from Wikipedia :laughing:
A smallish practical example of what that data may look like would help.
--
I'm currently looking into generating SBOMs for containers, and I wonder if
someone has already pondered if we want to store SBOM data in an rpm header.
Here's where I come from: SBOM generator tools like "syft" support both
querying the systems package database to know what packages are installe