Software Bill of Materials (SBoM) and Supply Chain with the Yocto Project - Generating and Using SBoMs
Offered By: Yocto Project via YouTube
Course Description
Overview
Explore the critical role of Software Bills of Materials (SBoMs) in protecting the software supply chain in this 35-minute conference talk. Learn why SBoMs are essential, how to generate them with the Yocto Project, and how they are used in practice. Discover the unique position of the Yocto Project in describing complex supply chains, understand why regulators now care about SBoMs, and delve into SPDX generation and SPDX relationships. Gain insight into planned improvements, the significance of reproducible builds, and the upcoming SPDX 3.0 standard. Learn how to maintain a comprehensive description of the software supply chain and how to leverage the Yocto Project's rich recipe metadata to improve software development practices.
Syllabus
Intro
Outline
Protecting the Software Supply Chain
Regulatory Agencies have taken notice
Build Images from Source Code
Simplified Build Flow
"Nutrition Information" for Software
Recipe Metadata
SPDX Generation
Yocto Project role in the Software Supply Chain
Yocto SPDX Features
What can we generate SPDX documents for?
SPDX Relationships
Future Improvements
Why do we need reproducible builds?
Binary output should associate with recipe hashes
Enabling Reproducible Builds
Reproducibility Testing
Extending Quality Assurance Test
Buildtools replaces Host tools
SPDX 3.0 and the Future
Taught by
Yocto Project
Related Courses
Software as a Service - University of California, Berkeley via Coursera
Software Testing - University of Utah via Udacity
The Hardware/Software Interface - University of Washington via Coursera
Software Debugging - Saarland University via Udacity
Introduction to Systematic Program Design - Part 1 - The University of British Columbia via Coursera