YoVDO

Software Supply Chain with the Yocto Project

Offered By: Linux Foundation via YouTube

Tags

Conference Talks Courses, Quality Assurance Courses, Yocto Project Courses, OpenEmbedded Courses, SPDX Courses

Course Description

Overview

Explore the Yocto Project's approach to software supply chain management in this 32-minute conference talk by Joshua Watt from Garmin. Delve into the importance of software supply chains and learn how the Yocto Project addresses key concerns. Discover the process of building images from source code, understand the concept of a Software Bill of Materials (SBOM), and examine recipe metadata and SBOM relationships. Gain insights into enabling SPDX generation and future improvements in the pipeline. Investigate the significance of reproducible builds, binary output association with recipe hashes, and tracing target images. Learn about reproducibility testing, extending quality assurance tests, and CVE tracking within the Yocto Project. Explore CVE metrics and how buildtools replace host tools to extend the supply chain.

Syllabus

Intro
Yocto Project and OpenEmbedded
Why is the Software Supply Chain Important?
Addressing The Supply Chain
Build Images from Source Code
Simplified Build Flow
What is an SBOM?
Recipe Metadata
SBOM Relationships
Enabling SPDX Generation
Future Improvements
Why do we need reproducible builds?
Binary output should associate with recipe hashes
Tracing target images back to recipe outputs
Reproducibility Testing
Extending Quality Assurance Test
CVE Tracking from Yocto Project
CVE Metrics
Buildtools replaces Host tools
Using Buildtools to extend the Supply Chain


Taught by

Linux Foundation

Related Courses

Software Update Solutions for Yocto and OpenEmbedded
Linux Foundation via YouTube
One Build to Rule Them All - Building FreeRTOS & Linux Using Yocto
Linux Foundation via YouTube
Building Container Images with OpenEmbedded and the Yocto Project
Linux Foundation via YouTube
Speeding Your Linux Development with Debian and OpenEmbedded on DragonBoard 410c
Linux Foundation via YouTube
How Did Linux Become a Mainstream Embedded Operating System
NDC Conferences via YouTube