PeterConstable
commented
1 month ago FYI: https://www.cisa.gov/sites/default/files/2024-07/SBOM%20FAQ%202024.pdf.
FWIW, Microsoft has adopted the Linux Foundation’s SPDX standard (ISO/IEC 5962) for SBOMs.
Open davelab6 opened 1 month ago
PeterConstable
commented
1 month ago FYI: https://www.cisa.gov/sites/default/files/2024-07/SBOM%20FAQ%202024.pdf.
FWIW, Microsoft has adopted the Linux Foundation’s SPDX standard (ISO/IEC 5962) for SBOMs.
simoncozens
commented
1 month ago This may turn out to be quite easy...
PeterConstable
commented
1 month ago Nice find. But is that at the appropriate granularity? That seems to export one SBOM encompassing an entire repo.
simoncozens
commented
1 month ago Most of the GF font projects are one font per repo, so yes, that will work in most cases. I'll do something custom for Noto CJK because of the supplier/originator split.
davelab6
commented
1 month ago Simon noted offline,
DSIG is specified to use a PKCS#7 signature, and it is specified to be a signed hash of the font binary. It doesn't help us for SBOMing.
anthrotype
commented
1 month ago sorry if my question sounds stupid but.. I'm trying to wrap my head around how exactly such a "SBOM" may help the users of a font file with determining "whether they are at potential risk of a newly discovered vulnerability"? A font is not like an application that may be assembled from a bunch of existing software components. Yes, we use various applications in turn made up of various components to build font files, but these do not become part of the actual font, do they? It's more like "this app was compiled with Xcode 15.4" -- is that all this is about? What risks are we talking about exactly? Why would knowing details of its "supply chain" mitigate security or compliance risks? These are genuine questions.
hepwori
commented
1 month ago @anthrotype one short answer is that although much of the industry's focus today is on SBOMs as enablers of automated vulnerability management across complex software supply chains, there are a bunch of other uses. This NTIA document is a decent round-up of many of them.
I definitely agree that font files are on the very edges of SBOM applicability (and arguably outside those edges in today's common SBOM discourse), but having metadata describing the lineage of binary files in a software distribution is a generally useful capability for operability of the distribution.
PeterConstable
commented
1 month ago Wrt DSIG, for Microsoft’s purposes, I’m still getting clarification from our SDL experts as to whether DSIG will meet MS’s requirements in relation to the current security goals, but it’s sounding like probably not.
PeterConstable
commented
1 month ago Most of the GF font projects are one font per repo
Can you point me at one such repo. I'd like to export the sbom and confirm with Microsoft's SDL people whether that meets their current requirements.
davelab6
commented
1 month ago https://github.com/googlefonts/science-gothic was updated recently
https://github.com/JulietaUla/Montserrat/ has often been used as a reference
There was a USA Cybersecurity Executive Order issued in 2021 that requires each software package supplied to the USA federal government to have a "Software Bill Of Materials" (SBOM):
In order to enable the maximum distribution of libre fonts, I'd like to include a SBOM for each font family in the Google Fonts collection, with provenance and production details and signed with COSE Sign1; I wonder if we can finally make use of the DSIG table for real.
I'm assigning @simoncozens to start, and suggest to start with Noto CJK since that is one of the more difficult situations, since we don't build it ourselves, and its probably the most valuable font project we operate; and then integrate this into builder2 and the repo template.