On 2025-04-04 16:50, Guy Harris via tz wrote:
> The software bills of materials for tzdata2025b and tzcode2025b would be the result of
> running "tar tf" on the corresponding tarballs (possibly after decompressing if
> the version of the tar command on your platform doesn't handle gzipped files).

Software Bills of Material (SBOMs) are more complicated than that these days, unfortunately. They come in multiple flavors (CycloneDX, SPDX, SWID) with different audiences, and they are associated with other standards (ISO 27001, NIST, CIS Controls) that are rarely heard of outside of the relevant specialties.

Since Sahil didn't specify a context, it's hard to know what exactly is being asked for. That being said, I expect that we don't supply anything that would conform to any of the more-formal SBOM definitions Sahil is probably thinking of. Our closest approximations to SBOMs are the release announcements[1].

Although most of what we ship is edited by hand, some of it is generated by programs. I typically use GNU Tar and Gawk as packaged by recent Ubuntu, and I don't bother to specify these programs' versions or provenances. The philosophy has been that you can use any POSIX-conforming 'awk' implementation, and any sufficiently-recent GNU Tar, to generate the same output byte-for-byte, and to some extent this is the opposite of the SBOM philosophy since we're saying the provenance should not matter.

Perhaps we should add something about SBOMs to theory.html, if only to say something along the lines of the above.

[1]: https://lists.iana.org/hyperkitty/list/tz-annou...@iana.org/latest
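As an added example (not part of this thread, and not tz project code), the following script shows what the "tar tf" style bill of materials from the quoted message looks like once a per-member checksum is attached, and how a downstream consumer can compare two tarballs member by member. It also illustrates the byte-for-byte point made above: two archives built from the same content with different tool metadata (here, different mtimes) yield an identical manifest. The tarballs, file names and contents are constructed inline so it runs offline; none of them are real tzdata releases.

```python
"""Added example: a minimal tarball bill of materials (member name plus
SHA-256) and a manifest comparison.  Sample archives are constructed
in memory; the member names and contents are made up for illustration."""
import hashlib
import io
import tarfile

# Constructed sample content (not real tzdata); None marks a directory entry.
SAMPLE_FILES = {
    "tzdata/": None,
    "tzdata/NEWS": b"Release 2025b - sample text\n",
    "tzdata/africa": b"# sample zone data\nZone Africa/Example 0:00 - UTC\n",
    "tzdata/version": b"2025b\n",
}
# Same tree with one member changed, to show what a diff reports.
TAMPERED_FILES = dict(SAMPLE_FILES, **{"tzdata/africa": b"# altered\n"})


def build_tarball(files, mtime=0):
    """Pack {name: bytes|None} into an in-memory .tar.gz (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.mtime = mtime
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest(tarball_bytes):
    """Return {member name: sha256 hex} for every regular file in the archive.

    tarfile's 'r:*' mode auto-detects gzip, so the decompression caveat in
    the quoted message does not arise here.  Directories and symlinks carry
    no content to hash and are skipped, but they are still part of what a
    plain 'tar tf' listing would show."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            result[member.name] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_manifests(expected, actual):
    """Classify differences between two manifests by member name."""
    common = expected.keys() & actual.keys()
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(n for n in common if expected[n] != actual[n]),
    }


def format_manifest(m):
    """Render in sha256sum(1) style: '<hex>  <name>', one member per line."""
    return "\n".join(f"{digest}  {name}" for name, digest in sorted(m.items()))


def archives_match(a, b):
    """True when two tarballs contain the same regular files with the same content,
    regardless of archive-level metadata such as mtimes or gzip headers."""
    d = diff_manifests(manifest(a), manifest(b))
    return not (d["added"] or d["removed"] or d["modified"])


if __name__ == "__main__":
    reference = build_tarball(SAMPLE_FILES, mtime=0)
    rebuilt = build_tarball(SAMPLE_FILES, mtime=1700000000)
    print(format_manifest(manifest(reference)))
    print("rebuilt archive matches reference:", archives_match(reference, rebuilt))
    print("tampered diff:", diff_manifests(manifest(reference),
                                           manifest(build_tarball(TAMPERED_FILES))))
```

The manifest deliberately ignores archive metadata: two tarballs whose bytes differ (different mtimes, different gzip headers) still compare equal when their members' contents are identical, which is the property the message above relies on when it says the generating tool's provenance should not matter.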
