Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SBOM: more fixes. #17284

Merged
merged 1 commit into from
May 13, 2024
Merged

SBOM: more fixes. #17284

merged 1 commit into from
May 13, 2024

Conversation

MikeMcQuaid
Copy link
Member

  • Remove use of (unused) Cachable module.
  • Pass whether we're bottling to determine whether to create reproducible SBOM or not. A reproducible SBOM omits the time and compiler.
  • Remove bottle information when bottling: we cannot know what e.g. the checksum (and, with GitHub Packages, therefore also the download location) will be before we've created the tarball contents.
  • Always write a bottle on installation (unless we're bottling) to provide new bottle information or freshen the existing one with the information we stripped out for reproducibility e.g. the time and compiler.
  • Don't need to handle a nil @source_modified_time as it's always set.

Fixes #17281

@MikeMcQuaid MikeMcQuaid requested a review from carlocab May 13, 2024 05:14
@SMillerDev
Copy link
Member 

Cannot convert NillClass into an exact number
     # ./sbom.rb:367:in `to_spdx_sbom'

@MikeMcQuaid
SBOM: more fixes.
7461bf8 
- Remove use of (unused) `Cachable` module.
- Pass whether we're bottling to determine whether to create
  reproducible SBOM or not. A reproducible SBOM omits the time and
  compiler.
- Remove bottle information when bottling: we cannot know what e.g.
  the checksum (and, with GitHub Packages, therefore also the download
  location) will be before we've created the tarball contents.
- Always write a bottle on installation (unless we're bottling) to
  provide new bottle information or freshen the existing one with the
  information we stripped out for reproducibility e.g. the time and
  compiler.
- Don't need to handle a `nil` `@source_modified_time` as it's always
  set.

Fixes #17281
@MikeMcQuaid MikeMcQuaid merged commit b6d7230 into master May 13, 2024
25 checks passed
@MikeMcQuaid MikeMcQuaid deleted the sbom_fixes branch May 13, 2024 06:53
@MikeMcQuaid MikeMcQuaid mentioned this pull request May 13, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SMillerDev SMillerDev SMillerDev approved these changes

@carlocab carlocab Awaiting requested review from carlocab

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SBOMs break bottle reproducibility
2 participants
@MikeMcQuaid @SMillerDev