Setup OSS Review Toolkit SBoM generation #14241
Conversation
Theoretically Elixir depends on Make (build-time only) and Erlang, but those are done through the system. Does SBOM make a distinction between build and runtime deps? What about system vs actual deps?
What are mix/rebar applications here? And does it impact this repo in any way, given we don't depend on any of those? Regarding licenses and copyrights, agreed. Let's do that next. :) |
The only thing that this claims is the source Software Bill of Materials (SBOM), so the files that exist in this repo. |
That depends heavily between standards and their versions. I'll have a closer look at that once we add build information to the SBoMs.
Elixir contains multiple "components" like elixir, mix, eex, etc. It would be good if the tooling recognized those distinctly. |
maennchen
force-pushed
the
jm/oss-review-toolkit
branch
from
69afc0a to
f8b859d
Compare
@kikofernandez is Erlang being broken into multiple components as well or a single one? I am not sure for Elixir if it makes sense to break them apart. They are always shipped together anyway. Might as well consider as a single entity? |
At the moment, we are going to create a single package for the source SBOM, which will contain all of OTP. |
|
If I may, I would suggest that Elixir starts to annotate all files with a license and possibly copyright identifier. I create a REUSE PR (PR-1117) that allows to add easily licenses to Erlang, Elixir, and Gleam |
|
@kikofernandez we plan to do that in a future PR :) @maennchen let's focus on shipping Elixir as a single unit for the foreseeable future as well! |
maennchen
force-pushed
the
jm/oss-review-toolkit
branch
from
f8b859d to
cd35a32
Compare
maennchen
force-pushed
the
jm/oss-review-toolkit
branch
from
cd35a32 to
422b0ad
Compare
|
💚 💙 💜 💛 ❤️ |
Implement Source SBoM Generation
Scope
This PR implements source SBoM generation using OSS Review Toolkit
in the following formats:
The PR implements a very simple Open Source Policy with a list of allowed licenses. Namely:
Apache-2.0(Elixir itself / copied OTP code)LicenseRef-elixir-trademark-policy(Elixir Logo)LicenseRef-scancode-unicode(Unicode Files)The idea is that if we add other code / dependencies with other licenses, the inclusion has to be
agreed by the Elixir team and the list extended.
OpenChain
This PR implements the technical parts of OpenChain ISO/IEC 18974:2023.
Specifically:
Future
There's a few things I would like to address in the future:
be relatively trivial to achieve OpenChain compliance after this PR. I'd like to
propose the required documentation and certify compliance. (btw. Ericsson including
OTP is OpenChain compliant and on the way to be certified as well.)
While we attest the distribution assets with the SBoMs, the SBoM itself does not list- Will be handled in a lat er stage with an actual build SBoM.the distribution assets. This is not feasible until ORT recognizes mix applications.
SBoMs themselves, I'd like to incorporate that.
.ort.yml. It would bebetter to include a header in each file to state the license explicitly. This also
works when code is copied from this repository.
LICENSEin theroot. It would be better to include a header in each file to state the copyright explicitly.
This also works when code is copied from this repository.
Results
ci.ymlrun: https://github.com/maennchen/elixir/actions/runs/13029706072release.ymlrun: https://github.com/maennchen/elixir/actions/runs/13029706053