[Q] Software Bill Of Materials? #4050
Comments
Here are some starting points and initial thoughts. This should tie into the Usage: Security documentation since some issues can be mitigated or bypassed using a tight configuration. The closest thing we have to an overview of the dependencies is here: https://github.com/Xpra-org/xpra/blob/master/docs/Build/Dependencies.md (and includes some pretty diagrams)

**MacOS**

The MacOS builds are by far the easiest to track since we define and build every single library ourselves.

**MS Windows**

The full

```
$ pacman -Qe | wc -l
179
```

There are also Python dependencies which do not have corresponding MINGW packages and are installed via pip: xpra/packaging/MSWindows/SETUP.sh lines 38 to 42 in 15bce9d

Then there are also some manual steps: xpra/packaging/MSWindows/SETUP.sh line 46 in 15bce9d
**Packages we do not update as often as others**

There can be many reasons why some packages are not updated as regularly as others:
Opaque packages:
**3.1**

Some issues are magnified in 3.1:
On the whole, I don't think that it is reasonable to expect the 3.1.x to have the same level of maintenance as current versions.

We should probably split the dependencies into categories - this is probably too many:

The MS Windows dependencies can be recorded in

This seems relevant: Understanding the NSA’s latest guidance on managing OSS and SBOMs
Both MacOS and MS Windows builds will now record the libraries and Python modules present on the build system when the installer is generated. The feature for the html5 client is now tracked here: Xpra-org/xpra-html5#277 Next up:
Another tricky one to handle is pdfium-binaries releases - this release page does show a line that says something like "This version was built with branch chromium/6337 of PDFium".
The easiest way might be to create a "fake" pacman

The new script that I am working on would flag: Fixed in: On the plus side, the exploit seems to target a specific function in openssh - with glibc, and we don't use openssh by default, and no glibc, and not as a server... So no need to panic. Good links on the subject:

Forgot another package missing from MSYS2 that we should contribute upstream: xpra/packaging/MSWindows/SETUP.sh line 70 in 79d8e18

Trivial to install: `meson build && ninja install`.

cyclonedx-python-lib: This Python package provides data models, validators and more, to help you create/render/read CycloneDX documents.
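The idea in this thread is to record what the build system contains (MSYS2 packages from `pacman -Q`, pip packages from `pip list --format=freeze`) and emit something an SBOM tool can consume, then check it against "fixed in" versions. The script below is an added example, not xpra's own recording script and not cyclonedx-python-lib: it parses constructed sample output of both commands, builds a minimal CycloneDX 1.5 JSON document by hand, and flags a component whose version is below a fixed version. The `pkg:generic/msys2/...` purl form and the version comparison (numeric fields only, not pacman's full vercmp) are assumptions.

```python
"""Minimal CycloneDX SBOM from MSYS2 + pip package lists (added example)."""
import json
import re

# Constructed sample output of `pacman -Q` ("name version" per line).
PACMAN_Q = """\
mingw-w64-x86_64-openssl 3.3.1-1
mingw-w64-x86_64-python 3.11.9-1
mingw-w64-x86_64-libvpx 1.14.1-1
"""

# Constructed sample output of `pip list --format=freeze`.
PIP_FREEZE = """\
pyinstaller==6.8.0
numpy==1.26.4
"""

def parse_pacman(text):
    """Return [(name, version)] pairs from `pacman -Q` output."""
    return [tuple(p) for p in (ln.split() for ln in text.splitlines()) if len(p) == 2]

def parse_pip_freeze(text):
    """Return [(name, version)] pairs from `pip list --format=freeze` output."""
    pairs = []
    for ln in text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\S+)", ln.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def build_bom(pacman_text, pip_text):
    """Assemble a CycloneDX 1.5 document (as a dict) from both package lists."""
    comps = []
    for name, ver in parse_pacman(pacman_text):
        # Assumed purl form: there is no official purl type for MSYS2 packages.
        comps.append({"type": "library", "name": name, "version": ver,
                      "purl": f"pkg:generic/msys2/{name}@{ver}"})
    for name, ver in parse_pip_freeze(pip_text):
        comps.append({"type": "library", "name": name, "version": ver,
                      "purl": f"pkg:pypi/{name.lower()}@{ver}"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": comps}

def _numeric(v):
    # Compare only the numeric fields, e.g. "3.3.1-1" -> (3, 3, 1, 1).
    return tuple(int(x) for x in re.findall(r"\d+", v))

def flag_outdated(bom, name, fixed_version):
    """Return the installed version if `name` is present and below the fix, else None."""
    for c in bom["components"]:
        if c["name"] == name and _numeric(c["version"]) < _numeric(fixed_version):
            return c["version"]
    return None

if __name__ == "__main__":
    print(json.dumps(build_bom(PACMAN_Q, PIP_FREEZE), indent=2))
```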
For security and compliance concerns, it would be good to have a list of dependencies, for example to assess which security vulnerabilities affect Xpra: https://en.wikipedia.org/wiki/Software_supply_chain

While this is rather clear for Linux (RPM) packages, this is less clear for Windows packages and HTML5 client packages.

Is there already a way to get this information?