finos / devops-automation

Provide a continuous compliance and assurance approach to DevOps that mutually benefits banks, auditors and regulators whilst accelerating DevOps adoption in engineering and fintech IT departments.

Home Page:http://devops.finos.org


Create project for global metadata reference and store

johnmark opened this issue · comments

Tasks

Provide taxonomy specific to highly regulated industries that will help with supply chain management

Metadata - inclusive of community health metadata, risk-based rubrics

  • Also includes data on drift and provenance, and change over time
  • when and where was it created externally, when was it introduced internally
  • state of the systems when software is used - OS, runtimes, etc. - see e.g. SolarWinds
  • signatures
  • "build profiles" part of SPDX 3.0 (now in RC2)
  • Can we standardize metadata gathering sources and methodologies?
  • Metadata: static or dynamic? Should not be "just" a snapshot
  • "deployment BOMs"? Defining data interchanges?
  • "hardware BOM" - also part of working groups

See also: package management ecosystem, registries, and protections

@johnmark during today's working call the focus was on ingesting vendor products into financial organizations. Most of our experience is helping organizations build automated governance / policy as code for their own in-house development. We are happy to share our experience and some reference architecture. I can't imagine there would be a chasm of difference as to what would be expected from product companies providing binaries or SaaS offerings. cc: @alexashley

Here is our perspective: