openSUSE / open-build-service

Build and distribute Linux packages from sources in an automatic, consistent and reproducible way #obs
https://openbuildservice.org
GNU General Public License v2.0

display bill of materials #9040

Open lnussel opened 4 years ago

lnussel commented 4 years ago

Any image build in OBS produces an additional ".packages" file. That file lists the contained rpm packages with their name, version, disturl and most importantly license. That information is very valuable to a class of users that have a whitelist of free software licenses they are allowed to run on their infrastructure.

OBS unfortunately doesn't seem to have a handler for that file, so there's just a generic view as used for rpm packages, e.g.:

https://build.opensuse.org/package/binary/openSUSE:Containers:Tumbleweed/tumbleweed-busybox-image.20200117174618/containers/aarch64/tumbleweed-busybox-image.aarch64-1.0.0-Build5.242.packages

How about showing a nice table with the actual file content there?
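As an added example (not OBS code, and not from the issue author), here is the kind of check the whitelist users mentioned above would run over a ".packages" file: parse it and flag every package whose license is not on their allow-list. The pipe-separated field order, the sample lines and the disturl values are assumptions constructed for this example; the page does not specify the file layout.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ASSUMED layout: name|epoch|version|release|arch|disturl|license
SAMPLE_PACKAGES = """\
busybox|0|1.31.1|2.1|aarch64|obs://build.opensuse.org/openSUSE:Factory/standard/md5placeholder-busybox|GPL-2.0-only
libopenssl1_1|0|1.1.1d|1.1|aarch64|obs://build.opensuse.org/openSUSE:Factory/standard/md5placeholder-openssl-1_1|OpenSSL OR Apache-2.0
example-tool|0|3.0|1.1|aarch64|obs://build.opensuse.org/openSUSE:Factory/standard/md5placeholder-example-tool|Example-Proprietary-License
"""

# Constructed allow-list standing in for an organisation's approved licenses.
ALLOWED_LICENSES = {"GPL-2.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass(frozen=True)
class PackageEntry:
    name: str
    epoch: str
    version: str
    release: str
    arch: str
    disturl: str
    license: str


def parse_packages(text: str) -> list[PackageEntry]:
    """Parse the manifest; reject malformed lines instead of guessing fields."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        entries.append(PackageEntry(*fields))
    return entries


def license_terms(expr: str) -> set[str]:
    """Split an SPDX-style expression on AND/OR; an 'X WITH Y' exception stays one term."""
    flat = expr.replace("(", " ").replace(")", " ")
    return {t.strip() for t in re.split(r"\s+(?:AND|OR)\s+", flat) if t.strip()}


def license_violations(entries: list[PackageEntry], allowed: set[str] = ALLOWED_LICENSES) -> list[str]:
    """Names of packages with an empty license or any term outside the allow-list.
    Deliberately conservative: an OR alternative does not rescue a package, so
    dual-licensed packages are surfaced for manual review rather than waved through."""
    flagged = []
    for e in entries:
        terms = license_terms(e.license)
        if not terms or not terms <= allowed:
            flagged.append(e.name)
    return flagged
```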

hennevogel commented 7 months ago

We have SBOM support by now, which is the de-facto standard for this.

lnussel commented 6 months ago

OK, but that information is not shown either? https://build.opensuse.org/projects/openSUSE:Factory/packages/openSUSE-MicroOS:kvm-and-xen-sdboot/repositories/images/binaries only has download links, no "Details" like is available for packages.

hennevogel commented 6 months ago

I don't think people want to use OBS for viewing/verifying/working with SBOM files. There are tons of already established dedicated tools for this, lots of them are open source.