From 1574c6f8605d0d5a5e0ccb6c217566c12affdb5d Mon Sep 17 00:00:00 2001 From: Bozhidara Hristova Date: Thu, 13 Nov 2025 09:48:36 +0100 Subject: [PATCH 1/5] add first draft of benefits doc and delete challenge.md Signed-off-by: Bozhidara Hristova --- content/docs/overview/benefits.md | 46 +++++++++++++ content/docs/overview/challenge.md | 100 ----------------------------- 2 files changed, 46 insertions(+), 100 deletions(-) create mode 100644 content/docs/overview/benefits.md delete mode 100644 content/docs/overview/challenge.md diff --git a/content/docs/overview/benefits.md b/content/docs/overview/benefits.md new file mode 100644 index 000000000..1db3cffc3 --- /dev/null +++ b/content/docs/overview/benefits.md 
@@ -0,0 +1,46 @@ +--- +title: "Benefits of OCM" +description: "Security for your software supply chain" +icon: "✨" +weight: 12 +toc: true +--- + +The Open Component Model (OCM) is an open-source toolset for secure software delivery. + +- OCM gives you full visibility and control across the supply chain, streamlining compliance checks, security scans, and deployments. +- OCM works everywhere — cloud, on-premises, hybrid, and air-gapped environments. +- OCM integrates seamlessly with your existing tools and is easy to extend. + +With OCM, you gain control, reduce risk, and keep your delivery approach adaptable. + +## Why choose OCM + +#### One Model for All Artifacts + +With OCM, you can describe everything you deliver in a unified, machine-readable format. This enables you to create a *Software Bill of Delivery (SBoD)*. Unlike a Software Bill of Materials (SBOM), which lists all components inside an application, a **Software Bill of Delivery** focuses on **everything you need for a successful deployment** — including container images, Helm charts, configuration files, and binaries. It is a complete, verifiable record of all deliverables and how to access them. + +### Security & End-to-End Traceability + +Security is built into OCM. You can **cryptographically sign and verify** every component in your supply chain to ensure its integrity or confirm its provenance. + +Beyond signatures, OCM uses [**immutable, globally unique component identities**]({{}}). These act like tracking IDs, linking all lifecycle phases. They make compliance checks, audits, and vulnerability scans easier and more reliable. With OCM, your software is fully traceable from build to deployment. + + +### Universal Delivery + +You can **deliver across boundaries** and **deploy anywhere — public cloud, on-premises, or air-gapped environments**. OCM separates the identity of software artifacts from their location. Identities remain stable while locations can change as needed. 
You can store software artifacts in local registries, move them between systems, and work in environments with limited or no internet access — all without losing integrity or traceability. + +### Technology-Neutral and Extensible + +OCM **works with your current tools**. It is compatible with any implementation technology, whether container images, NPM packages, or binaries. You can manage both cloud-native and legacy software without rewriting existing tools or processes. + +The **extensible design** of OCM makes it easy to adapt to emerging technologies, keeping your software supply chain future-proof. + +### Community-Driven Approach + +OCM is **committed to open source** and **welcomes contributions of any kind**. We work to keep OCM in line with the changing needs of the community. The design of OCM makes it easy to add new features, so anyone can suggest, review, and merge improvements in a transparent way. + +## Who is it for + +- diff --git a/content/docs/overview/challenge.md b/content/docs/overview/challenge.md deleted file mode 100644 index 607dc3e16..000000000 --- a/content/docs/overview/challenge.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: "Benefits of OCM" -description: "Solving Software Lifecycle Management Challenges" -icon: "✨" -weight: 12 -toc: true ---- - -Software development is complex. Most organizations struggle with fragmented tools, complicated workflows, and the challenge of managing software across different environments - cloud, on-premises, hybrid, and even air-gapped networks. - -Traditional approaches lead to: - -- Complicated, custom CI/CD pipelines -- Inconsistent software delivery -- Difficulty tracking and securing software components -- Lack of a standard way to describe software and its artifacts - -## Requirements Towards a Modern Software Component Model - -### Community-First Approach - -A truly modern software component model cannot live in isolation. It needs an active, diverse community to grow, adapt, and remain relevant. Open source projects invite users and maintainers to propose ideas, report issues, and deliver improvements. Lowering entry barriers nurtures diverse perspectives, accelerates innovation, and ensures real-world feedback shapes priorities. Continuous collaboration - through design discussions, reviews, and documentation — builds trust and fosters adoption across industries. In this way, the community itself becomes the guarantor of quality, relevance, and long-term sustainability. - -### Immutable and Unique Component Identity - -A crucial requirement is the ability to assign an immutable and globally unique Component Identity to each software component. This identifier acts as a "correlation ID," allowing all lifecycle management processes, such as security compliance and vulnerability scanning, to correlate their outputs to a single, identifiable software component. - -### Artifact Descriptions with Location Information - -The model should facilitate the description of all technical artifacts required for deploying a specific version of a software component. 
This list, termed a "Software Bill of Delivery" (SBoD), outlines only the artifacts needed for successful deployment. Additionally, the description must encompass the technical access location from which each artifact can be retrieved. - -### Separation of Component Identity and Artifact Location - -Organizations often need to: - -- Store artifacts in local registries -- Work in environments with limited or no internet access (air-gapped) -- Move artifacts between different systems and environments - -The Component Identity must remain stable across all boundaries and system environments, while the artifact locations should be changeable. The ideal model separates the component identity from its artifact locations, allowing maximum flexibility. - -### Technology Neutrality - -Real-world software environments are messy. A good component model must: - -- Support modern containerized applications -- Handle legacy software -- Work across clouds, on-premises, and hybrid infrastructures - -### Technology-Agnostic and Forward-Thinking Design - -The model should: - -- Adapt easily to emerging technologies -- Avoid constant rewrites of existing tools and processes -- Stay relevant as software development evolves -- Cover both legacy and modern software - -### Built-In Security - -Automatic capabilities for: - -- Signing software components -- Verifying artifact integrity -- Protecting against tampering -- Maintaining trust across changing artifact locations - -### Collaborative Potential - -Enable teams to: - -- Easily share and reuse trusted components -- Create a network of verifiable, reusable and high-quality software building blocks - -## OCM: Solving Software Lifecycle Complexity - -The Open Component Model (OCM) is designed to tackle these challenges head-on. It provides a standardized approach to describing, managing, and sharing software components that brings order to software lifecycle management. 
By linking additional metadata using OCM’s identities, it facilitates asynchronous handling of various lifecycle management processes, such as compliance checks, security scans, deployments, and more, in a decoupled and streamlined manner. - -![OCM as Enabler for asynchronous Lifecycle Management Processes](/images/ocm-benefits-lm-processes-with-ocm-bluebg.png) -
- -- **Community-Driven Governance:** OCM’s open governance and transparent contribution workflow empower anyone to asynchronously propose, review, and merge enhancements — keeping its software lifecycles aligned with evolving community needs. - -- **Unique Component Identities:** OCM assigns an immutable, globally unique ID to each component, enabling seamless correlation across all lifecycle tools and processes. - -- **Software Bill of Delivery:** OCM enables the specification of all artifacts required for delivering a software component. This compilation, termed a "Software Bill of Delivery" (SBoD), lists all artifacts and information how to access them. - -- **Stable IDs, Changing Artifact Locations:** OCM separates immutable component IDs from the changeable artifact locations, essential for private and air-gapped environments. - -- **Technology Agnosticism:** Being agnostic to implementation technologies like container images, NPM packages or binaries, OCM can handle both cloud-native and legacy apps. - -- **Future-Proof Extensibility:** OCM's extensible design allows simple adaptation to emerging trends without disrupting existing tooling. - -- **Trusted Signatures:** Built-in signing and verification ensure artifact integrity even as artifact locations change over time. - -![OCM as Enabler for Asynchronous Lifecycle Management Processes](/images/ocm-benefits-lm-processes-with-ocm-bluebg.png) - -OCM creates a "single source of truth" for software artifacts. It streamlines compliance checks, security scans, and deployments by providing a consistent, location-independent way to identify, access, exchange, and verify software components. - -By making software component management more transparent, secure, and efficient, OCM helps organizations transform their software delivery from a complicated puzzle into a smooth, manageable process. From 45f7c8694426d7e1c738bd350c5a597997f33249 Mon Sep 17 00:00:00 2001 
From: Bozhidara Hristova Date: Mon, 24 Nov 2025 16:00:58 +0100 Subject: [PATCH 2/5] change section names, add new section, update text Signed-off-by: Bozhidara Hristova --- content/docs/overview/benefits.md | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/content/docs/overview/benefits.md b/content/docs/overview/benefits.md index 1db3cffc3..e113cddc2 100644 --- a/content/docs/overview/benefits.md +++ b/content/docs/overview/benefits.md 
@@ -16,31 +16,35 @@ With OCM, you gain control, reduce risk, and keep your delivery approach adaptab ## Why choose OCM -#### One Model for All Artifacts +### Create a Software Bill of Delivery -With OCM, you can describe everything you deliver in a unified, machine-readable format. This enables you to create a *Software Bill of Delivery (SBoD)*. Unlike a Software Bill of Materials (SBOM), which lists all components inside an application, a **Software Bill of Delivery** focuses on **everything you need for a successful deployment** — including container images, Helm charts, configuration files, and binaries. It is a complete, verifiable record of all deliverables and how to access them. +With OCM, you can describe everything you deliver in a unified, machine-readable format. This enables you to create a *Software Bill of Delivery (SBoD)*. Unlike a Software Bill of Materials (SBOM), which lists all components inside an application, a **Software Bill of Delivery** focuses on **everything you need for a successful deployment** — including container images, Helm charts, configuration files, and binaries. It is a complete, verifiable record of **all deliverables and how to access them**. -### Security & End-to-End Traceability +### Protect Your Supply Chain Security is built into OCM. You can **cryptographically sign and verify** every component in your supply chain to ensure its integrity or confirm its provenance. Beyond signatures, OCM uses [**immutable, globally unique component identities**]({{}}). These act like tracking IDs, linking all lifecycle phases. They make compliance checks, audits, and vulnerability scans easier and more reliable. With OCM, your software is fully traceable from build to deployment. -### Universal Delivery +### Deploy Anywhere, Even Air-Gapped You can **deliver across boundaries** and **deploy anywhere — public cloud, on-premises, or air-gapped environments**. OCM separates the identity of software artifacts from their location. 
Identities remain stable while locations can change as needed. You can store software artifacts in local registries, move them between systems, and work in environments with limited or no internet access — all without losing integrity or traceability. -### Technology-Neutral and Extensible +### Works with Your Existing Tools -OCM **works with your current tools**. It is compatible with any implementation technology, whether container images, NPM packages, or binaries. You can manage both cloud-native and legacy software without rewriting existing tools or processes. +OCM seamlessly integrates with your current ecosystem. It is **compatible with any implementation technology**, whether container images, NPM packages, or binaries. You can manage both cloud-native and legacy software without rewriting existing tools or processes. -The **extensible design** of OCM makes it easy to adapt to emerging technologies, keeping your software supply chain future-proof. +### Adapts to Your Needs -### Community-Driven Approach +OCM is built for flexibility. Its **plugin system** lets you extend functionality without changing the core. You can integrate new technologies, customize workflows, and scale from small teams to enterprise environments. OCM ensures that your supply chain remains agile and future-proof. -OCM is **committed to open source** and **welcomes contributions of any kind**. We work to keep OCM in line with the changing needs of the community. The design of OCM makes it easy to add new features, so anyone can suggest, review, and merge improvements in a transparent way. +### Committed to Open Source -## Who is it for +OCM has open development and transparent governance. We welcome contributions of any kind. The design of OCM makes it easy to add new features, so anyone can suggest, review, and merge improvements in a transparent way. -- +Our commitment to open source goes beyond OCM. 
We are active members of the open-source community and have maintainers in projects such as [kro](https://kro.run/), [Flux](https://fluxcd.io/), and [External Secrets Operator](https://external-secrets.io/latest/). We believe in open source and work to shape its future. + +## Try OCM Out + +Does OCM sound like the right fit for your project? Check out our [Getting Started]({{}}) guides to see how easy a secure delivery can be. From 1955d6b3629fc9d8628f8dfa523c383f7bb25c4a Mon Sep 17 00:00:00 2001 From: Bozhidara Hristova Date: Mon, 24 Nov 2025 16:01:44 +0100 Subject: [PATCH 3/5] update benefits on landing page Signed-off-by: Bozhidara Hristova --- content/_index.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/content/_index.md b/content/_index.md index 2b7522691..1ca4603b3 100644 --- a/content/_index.md +++ b/content/_index.md 
@@ -32,18 +32,21 @@ how_ocm_works: benefits_title: "Why Choose OCM?" benefits: - emoji: "📦" - title: "One Model for All Artifacts" - description: "A unified, machine-readable format for everything you deliver." + title: "Create a Software Bill of Delivery" + description: "Gain visibility into everything you deliver — from container images to configuration files." - emoji: "🔒" - title: "Security & Integrity" - description: "Component-level signatures that verify everything. Ironclad provenance at every step." + title: "Protect Your Supply Chain" + description: "Secure the integrity and provenance of your software with built-in signing and verification." - emoji: "🌐" - title: "Universal Delivery" - description: "Deploy anywhere: public, on-prem, air-gapped. Cross-boundary transfers without compromise." - - emoji: "🔗" - title: "End-to-End Traceability" - description: "OCM Coordinates connect all lifecycle phases. One global view for visibility from build to deployment." + title: "Deploy Anywhere, Even Air-Gapped" + description: "Deliver across any system or environment without loosing traceability." - emoji: "⚙️" - title: "GitOps-Ready Automation" - description: "Integrate your pipelines through OCM tooling. Zero custom code needed — just plug and play" + title: "Works with Your Existing Tools" + description: "OCM fits seamlessly into your current ecosystem and workflows." + - emoji: "🔧" + title: "Adapts to Your Needs" + description: "OCM's functionality is easy to extend. Just plug in what you need." + - emoji: "🤝" + title: "Committed to Open Source" + description: "We champion open innovation — in OCM and across the community." --- From cb9b93e4e227437252b72c0bfb8169ce60e12a59 Mon Sep 17 00:00:00 2001 From: Bozhidara Hristova Date: Mon, 24 Nov 2025 16:28:23 +0100 Subject: [PATCH 4/5] remove multiple blank lines Signed-off-by: Bozhidara Hristova --- content/docs/overview/benefits.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/content/docs/overview/benefits.md b/content/docs/overview/benefits.md index e113cddc2..c09787f86 100644 --- a/content/docs/overview/benefits.md +++ b/content/docs/overview/benefits.md @@ -26,7 +26,6 @@ Security is built into OCM. You can **cryptographically sign and verify** every Beyond signatures, OCM uses [**immutable, globally unique component identities**]({{}}). These act like tracking IDs, linking all lifecycle phases. They make compliance checks, audits, and vulnerability scans easier and more reliable. With OCM, your software is fully traceable from build to deployment. - ### Deploy Anywhere, Even Air-Gapped You can **deliver across boundaries** and **deploy anywhere — public cloud, on-premises, or air-gapped environments**. OCM separates the identity of software artifacts from their location. Identities remain stable while locations can change as needed. You can store software artifacts in local registries, move them between systems, and work in environments with limited or no internet access — all without losing integrity or traceability. From 8653a2c470975108677fb3ff1c3280716858cd99 Mon Sep 17 00:00:00 2001 From: Bozhidara Hristova Date: Mon, 24 Nov 2025 16:31:00 +0100 Subject: [PATCH 5/5] update word list Signed-off-by: Bozhidara Hristova --- .github/config/wordlist.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/config/wordlist.txt b/.github/config/wordlist.txt index c2e9ffb53..958b30ab1 100644 --- a/.github/config/wordlist.txt +++ b/.github/config/wordlist.txt @@ -77,6 +77,7 @@ creds crossplatform crypto cryptographic +cryptographically cta ctf ctfs
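Review bot: the `## Who is it for` section at the end of the new `content/docs/overview/benefits.md` in patch 1/5 is committed with a single empty bullet (`-`) and no content, so the page would ship with a dangling heading; either fill the section in or drop the heading until there is text for it. In the same hunk the heading levels are inconsistent: `#### One Model for All Artifacts` is an h4 while every sibling (`### Security & End-to-End Traceability`, `### Universal Delivery`, ...) is an h3. Patch 2/5 changes that heading to `### Create a Software Bill of Delivery`, which fixes the level; consider squashing so the intermediate commit does not render a broken outline.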
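Review bot: in the signing paragraph of patch 1/5 (`### Security & End-to-End Traceability`, carried unchanged into `### Protect Your Supply Chain` in 2/5), `to ensure its integrity or confirm its provenance` should say `and`: a signature over a component establishes both at once, and `or` reads as if the user has to choose one. The deleted `challenge.md` also stated the property that matters most for the air-gapped story, `Built-in signing and verification ensure artifact integrity even as artifact locations change over time`; the replacement text only says `all without losing integrity or traceability` under `Deploy Anywhere`, and no longer says in the security section that verification still succeeds after a transfer. Suggest carrying that sentence into the new section so the reader knows the signature is meant to be checked in the target environment, not only at the source.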
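Review bot: deleting `content/docs/overview/challenge.md` in patch 1/5 removes the only references in this series to `/images/ocm-benefits-lm-processes-with-ocm-bluebg.png` (it was embedded twice in the old page), and the new `benefits.md` does not use it; either confirm the image is still referenced elsewhere or remove it in the same PR so it is not orphaned. The old and new files share `title: "Benefits of OCM"` and `weight: 12`, so the nav position is unchanged, but any inbound link to the `challenge` path will now 404; if the old URL was ever published, add it to the new page via Hugo's `aliases` front matter.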
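Review bot: `### Adapts to Your Needs` in patch 2/5 introduces the claim `Its **plugin system** lets you extend functionality without changing the core` with no link, and the landing-page tile in 3/5 (`Just plug in what you need.`) repeats it; since this is the first mention of plugins on the page, link the phrase to the plugin documentation so a reader can check what can actually be extended. The same hunk drops the `### Technology-Neutral and Extensible` text that said OCM is `compatible with any implementation technology` and folds it into `### Works with Your Existing Tools`; that is fine, but `seamlessly integrates with your current ecosystem` is weaker than the concrete list that follows it (container images, NPM packages, binaries), so consider leading with the concrete claim.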
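Review bot: typo in the `Deploy Anywhere, Even Air-Gapped` tile of `content/_index.md` in patch 3/5: `without loosing traceability` should be `without losing traceability`. Separately, the `End-to-End Traceability` and `GitOps-Ready Automation` tiles are removed without a direct replacement; traceability is folded into the air-gap tile, but the landing page now says nothing about pipeline or GitOps integration, which `Works with Your Existing Tools` (`fits seamlessly into your current ecosystem and workflows`) only covers implicitly. If that omission is intentional, fine; otherwise mention CI/CD in that tile's description.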
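Review bot: patch 5/5 adds only `cryptographically` to `.github/config/wordlist.txt` (correctly sorted after `cryptographic`), but the text added in 2/5 also introduces `kro` in `[kro](https://kro.run/)`; if the spell-check CI is what prompted this entry, confirm that `kro` passes as well, or add it in the same commit rather than in a follow-up.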