KYSW and SBOM are coming …
… and Software Heritage can help!
- it is building and maintaining a neutral, common, shared, open, non-profit, reference knowledge base encompassing all the software source that is publicly available
- it stores all the source code and its development history in a uniform, technology-neutral global Merkle graph, that provides, together with the growing mirror network, a transparent source of trust
- it provides uniform, technology-independent, and cryptographically strong intrinsic identifiers to track source code artifacts at all levels (file, directory, revision, release, snapshot) through cryptographically strong SWHID identifiers which are supported in SPDX 2.2 and mentioned in the NTIA documentation.
- learn more about the SWHID identifiers and use them for designating source code artifacts for traceability
- ensure that the open source components relevant for you are properly archived:
- for projects that are maintained using git, subversion or mercurial on a public code hosting platform, you can simply trigger archival using the Save Code Now functionality, and then get the corresponding SWHID (these guidelines, originally designed for research software, cover the key steps)
- for industrial use, contact us and join the Software Heritage Deposit Interest Group
We are also delighted to welcome contributors willing to build the “listers” and “loaders” needed to fully automatize the archival of a broader spectrum of code hosting platforms, packages and version control system, thanks to a grant from the Sloan Foundation.