feat: add SBOM downloads based on cut-off date #1097
Conversation
@oscerd PTAL :)
Looks good to me.
I guess there is some difference around the naming conventions:
For example for camel-quarkus it is
camel-quarkus-3.5.0-cyclonedx.json
While for Spring-boot it is
spring-boot-4.2.0-cyclonedx.json
This is not a real problem because we can rename the files while creating the dist/dev folder and signing them.
This looks really great, I will align the naming convention around and coordinate the dist/dev push and dist/release post vote process.
Thanks a lot @zregvart !
The semi-obvious drawback of using the cutoff date is that all releases (in the selected categories) made from that date forward need SBOMs. That includes any 3.21.x, 4.0.x and 4.1.x patch releases.
Let's also wait for the preview and see what cutoff date we would like to set before merging this...
We can wait until January 2024, then 3.14 and 3.20 are EOL and there will be no new releases of those.
Let's try to prepare everything so eventually it will be easy to publish this information.
Another possibility is adding a separate page for SBOMs, or maybe creating a table in the Security page.
🚀 Preview is available at https://pr-1097--camel.netlify.app |
For 4.3.0, the coming release, we should be fine, I added the steps in the release-guide, same for camel-quarkus and camel-kamelets. @zregvart can we maybe add some kind of "N/A" for releases 3.21.x (and the 3.x in general) and 4.0.x and 4.1.x? So we can try to publish what we have.
I wouldn't, it just adds to the noise. I think simply omitting it should be okay.
Yesterday I added the SBOMs for 4.2.0 on dist/release https://dist.apache.org/repos/dist/release/camel/apache-camel/4.2.0/, so we could try to see how it looks. Can you work on omitting the column for the old versions?
@oscerd I can set the SBOM cutoff date to 2023-11-14. Bear in mind with the code as is on this PR this will apply:
I see that the SBOMs are currently missing for Camel Core 4.0.3 and Camel Kamelets 4.2.0.
With this the SBOM downloads will be available for any release created after 2023-10-11. Both JSON and XML download links will be available. The Apache conventions for distributing these via dist.apache.org must be followed, so .asc and .sha512 files must be present in addition to the .json and .xml SBOM files. Resolves apache#1096
yes, I still have to push them. But I don't know if it makes sense for 4.0.3
I pushed SBOMs for Kamelets 4.2.0
Pushed for 4.0.3 too
Looks good. I'll need to add the sbom profile to release also for 3.21.x and ckc I guess, but for the moment it looks good.