Open
Labels: enhancement (New feature or request)
Description
SBOMs (Software Bills of Materials) provide a machine-readable inventory of the components and dependencies that make up a piece of software.
The most common standardized formats for SBOMs are SPDX and CycloneDX.
SPDX focuses on legal compliance, licensing and IP due diligence.
CycloneDX focuses on security, vulnerability tracking and risk analysis.
The following Polaris distribution artifacts deserve SBOMs:
- Source tarball
- Binary zip/tarball distribution with server + admin tool
- Docker images for server + admin tool
- Python client
Apache Trusted Releases likely require SBOMs.
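As an added illustration of what one of these SBOMs would contain (example code written for this issue, not Polaris project code or any existing tooling), the script below assembles a minimal CycloneDX 1.5 JSON document for a Python package from a pinned dependency list and then runs the sanity checks a release reviewer would want before publishing it: every component carries a version, a purl and a hash, bom-refs are unique, and the dependency graph only points at refs that exist. The package name `example-client`, the dependency names and the SHA-256 digests are constructed placeholders, not real Polaris or PyPI values.

```python
"""Build and sanity-check a minimal CycloneDX 1.5 JSON SBOM for a Python package.

Added example for this issue; not Polaris project code. The dependency list and
digests below are constructed placeholders, not real package hashes.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed input: roughly what a hash-pinned requirements lock would give us.
# The digests are placeholders (repeated hex digits), not real PyPI hashes.
PINNED_DEPS = [
    {"name": "requests", "version": "2.31.0", "sha256": "a" * 64},
    {"name": "pydantic_core", "version": "2.16.2", "sha256": "b" * 64},
    {"name": "urllib3", "version": "2.2.0", "sha256": "c" * 64},
]


def pypi_purl(name: str, version: str) -> str:
    """Package URL for a PyPI distribution. The purl spec normalises PyPI
    names to lowercase and replaces '_' with '-'."""
    return f"pkg:pypi/{name.lower().replace('_', '-')}@{version}"


def build_cyclonedx(root_name: str, root_version: str, deps: list, serial: str = None) -> dict:
    """Return a CycloneDX 1.5 BOM (as a dict) describing root_name and its deps.
    The purl doubles as bom-ref so the dependency graph can refer to it."""
    components = []
    for dep in deps:
        purl = pypi_purl(dep["name"], dep["version"])
        components.append({
            "type": "library",
            "bom-ref": purl,
            "name": dep["name"],
            "version": dep["version"],
            "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": dep["sha256"]}],
        })
    root_ref = pypi_purl(root_name, root_version)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{serial or uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "library", "bom-ref": root_ref,
                          "name": root_name, "version": root_version, "purl": root_ref},
        },
        "components": components,
        # One edge set: the root depends on every listed component.
        "dependencies": [{"ref": root_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }


def check_sbom(bom: dict) -> list:
    """Return a list of human-readable problems; an empty list means the BOM
    passes the checks a release reviewer would apply before publishing it."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    refs = set()
    for comp in bom.get("components", []):
        label = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            problems.append(f"{label}: missing version")
        if not comp.get("purl"):
            problems.append(f"{label}: missing purl, cannot match against advisories")
        if not comp.get("hashes"):
            problems.append(f"{label}: no hash, cannot pin the entry to an artifact")
        ref = comp.get("bom-ref")
        if ref in refs:
            problems.append(f"{label}: duplicate bom-ref {ref}")
        refs.add(ref)
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root_ref:
        refs.add(root_ref)
    for edge in bom.get("dependencies", []):
        for target in [edge.get("ref")] + list(edge.get("dependsOn", [])):
            if target not in refs:
                problems.append(f"dependency graph references unknown bom-ref {target}")
    return problems


def missing_from_sbom(bom: dict, deps: list) -> list:
    """Purls present in the lock list but absent from the BOM (inventory drift)."""
    listed = {c.get("purl") for c in bom.get("components", [])}
    return [pypi_purl(d["name"], d["version"]) for d in deps
            if pypi_purl(d["name"], d["version"]) not in listed]


if __name__ == "__main__":
    bom = build_cyclonedx("example-client", "0.1.0", PINNED_DEPS)
    print(json.dumps(bom, indent=2))
    print("problems:", check_sbom(bom) or "none")
    print("missing:", missing_from_sbom(bom, PINNED_DEPS) or "none")
```

Running the script prints the BOM and an empty problem list; dropping the `hashes` entry from one component, or adding a dependency edge to a purl that is not in `components`, makes `check_sbom` report it. The same checks apply unchanged to a BOM produced by a scanner for the Docker images or binary distribution, which is the point of validating the document rather than trusting the tool that emitted it.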