| 14 Oct 2021 |
 Alyssa Ross | and I think it's one Nix is not particularly well-suited for, because it's too dynamic | 09:27:04 |
 j-k | what is one? SBOM? | 09:27:49 |
| Alyssa Ross | yeah | 09:28:00 |
| j-k | An SBOM (in it's current incarnation) should be a reproducible bill of materials that covers direct dependencies and transitive dependencies. Some also collect the hashes for every file (but I find the benefit of this dubious, just review your git repo).
As I see it SBOM is generally an inferior .drv (especially if you're using something like go2nix which brings all your deps into the nix ecosystem
I have little value for an SBOM for a project alone, I will also want the SBOM of the tooling (e.g. go) and the SBOM for whatever built that etc etc etc turtles all the way down. I'd also want some guarentees the SBOM I have for a go build is the exact one for that actual go build etc
In my estimation nix drvs solve this | 09:33:52 |
| j-k | There's some complexity using something that bundles dependencies such as buildGoModule but you could either generate an SBOM as part of that output or just migrate to a full nix system like gomod2nix | 09:35:02 |
| Alyssa Ross | hmm, right, in that case perhaps I was misunderstanding what it is | 09:35:41 |
| Alyssa Ross | so if I made a list of all the sources required to build my application, including all transitive build and runtime dependencies, that would be an SBoM? | 09:36:34 |
| j-k | yep, the analogy that's common is a list of ingredients on a food packet | 09:37:21 |
| j-k | I've put some initial thoughs in the nix-slsa channel but I'm hoping to do a full review of different SLSA requirements and covering where nix solves them, where nix invalidates the need for them, or where nix might need some extra help | 09:37:50 |
| Alyssa Ross | right, yeah, that sounds like something Nix would be extremely good at | 09:38:11 |
| Alyssa Ross | I'm not sure if you know this, but this sort of stuff is extremely relevant to my work | 09:40:21 |
| Alyssa Ross | https://spectrum-os.org/ | 09:40:34 |
| j-k | IIRC you're working on Spectrum | 09:40:36 |
| j-k | yeah | 09:40:37 |
| Alyssa Ross | one goal is to minimize the amount of code running on the host system | 09:41:05 |
