Скачать или смотреть Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption

Don't miss out! Join us at the next Open Source Summit in Hyderabad, India (August 5); Amsterdam, Netherland (August 25-29); Seoul, South Korea (November 4-5). Join us at the premier vendor-neutral open source conference, where developers and technologists come together to collaborate, share knowledge, and explore the latest innovations and advancements in open source technology. Learn more at https://events.linuxfoundation.org/

Panel Discussion: Strengthening Software Supply Chains: Harmonizing SLSA Provenance and SPDX SBOM for Better Adoption - Mihai Maruseac, Google; Kate Stewart, The Linux Foundation; Hasan Yasar, Software Engineering Institute | Carnegie Mellon University; D

The Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA) are key frameworks for securing modern software supply chains. SPDX SBOM provides a detailed inventory of software components, dependencies, and metadata, while SLSA ensures these components are built through verifiable, tamper-resistant processes with clear provenance.

This talk will examine the synergies and differences between SLSA and SPDX SBOM, focusing on how SLSA’s provenance and authentication mechanisms can enhance the trustworthiness of SBOMs. We will explore overlapping fields captured by both standards, emphasizing the importance of interoperability and a shared roadmap to reduce duplication while leveraging their respective strengths.

A clear separation of concerns, with SLSA handling provenance and verification, and SPDX SBOM capturing comprehensive component metadata, can reduce redundancy and promote more efficient adoption. This session will outline how aligning these standards can improve software supply chain security and reliability, while fostering collaboration for cohesive evolution within the open-source community.