25 Source Management
25.1 Find Package Sources
OBS adds information about the origin of the sources to each package
it creates. This information is stored in the DISTURL
tag of an rpm, which can be displayed as follows:
rpm -q --queryformat '%{DISTURL}\n' glibc
rpm -q --queryformat '%{DISTURL}\n' -p glibc-2.1.0-1.i586.rpm
The disturl can look like this:
obs://build.opensuse.org/openSUSE:Factory/standard/80d21fdd2299302358246d757b4d8c4f-glibc
It always starts with obs://. The second part is the name of the build
instance, which usually also hosts the Web UI. Next come the project name
and the name of the repository where the binary was built. The last part is the source
md5 sum and the package name.
The disturl can also be entered in the search field of the web interface of the build service.
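As an added example (not part of the OBS documentation or code), the following POSIX shell functions split a DISTURL into the fields described above and compare the build instance and project against expected values. The function and variable names are this example's own.

```sh
#!/bin/sh
# Added example: parse an OBS DISTURL of the documented form
#   obs://<instance>/<project>/<repository>/<srcmd5>-<package>
# All names below (parse_disturl, disturl_trusted, DU_*) are hypothetical.

# parse_disturl URL
# Returns 0 and sets DU_INSTANCE, DU_PROJECT, DU_REPO, DU_SRCMD5 and
# DU_PACKAGE; returns 1 if URL does not have the documented layout.
# The DU_* values are only meaningful when the function returns 0.
parse_disturl() {
    DU_INSTANCE= DU_PROJECT= DU_REPO= DU_SRCMD5= DU_PACKAGE=
    case $1 in
        obs://*/*/*/*-*) ;;
        *) return 1 ;;
    esac
    rest=${1#obs://}
    DU_INSTANCE=${rest%%/*}; rest=${rest#*/}
    DU_PROJECT=${rest%%/*};  rest=${rest#*/}
    DU_REPO=${rest%%/*};     rest=${rest#*/}
    # rest is now "<srcmd5>-<package>"; reject extra path segments.
    case $rest in */*) return 1 ;; esac
    # Package names may contain '-', so split at the first '-' only.
    DU_SRCMD5=${rest%%-*}
    DU_PACKAGE=${rest#*-}
    [ -n "$DU_INSTANCE" ] && [ -n "$DU_PROJECT" ] && [ -n "$DU_REPO" ] \
        && [ -n "$DU_PACKAGE" ] || return 1
    # An md5 sum is exactly 32 hexadecimal digits.
    [ "${#DU_SRCMD5}" -eq 32 ] || return 1
    case $DU_SRCMD5 in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# disturl_trusted URL INSTANCE PROJECT
# Returns 0 only if URL parses and names exactly the expected build
# instance and project. The comparison is exact, so a subproject such as
# "openSUSE:Factory:Staging" does not pass a check for "openSUSE:Factory".
disturl_trusted() {
    parse_disturl "$1" || return 1
    [ "$DU_INSTANCE" = "$2" ] && [ "$DU_PROJECT" = "$3" ]
}

# Typical use with the rpm query shown above:
#   disturl_trusted "$(rpm -q --queryformat '%{DISTURL}\n' glibc)" \
#       build.opensuse.org openSUSE:Factory || echo "unexpected origin"
```

The DISTURL tag is part of the rpm itself, so the result is only as trustworthy as the package: run the check on packages whose signature has been verified.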
RPM packages managed via the scmsync mechanism may also have the VCS tag. It provides the Git repository URL when the project is built using the
BuildFlags: setvcs
flag in the build config.
25.2 Generating SLSA Provenance Data
OBS 2.11 can produce and publish additional SLSA provenance attestation files. These files currently follow the v0.2 Alpha spec, which is subject to change. We will change the code to follow the specification, so the files might change in an incompatible way until a stable version has been released.
This can be enabled via the BSConfig.pm file only. The reason is that the functionality is expensive in terms of disk space: all old binaries used for builds are kept. To enable it nevertheless, set the slsaprovenance variable in BSConfig.pm to a list of projects for which it should be enabled.
25.3 Generating SBOM (Software Bill Of Material) Data
OBS 2.11 can produce and publish additional SPDX data for certain build types.
This is controlled via the project configuration. For details, refer to
Section 4.2, “Configuration File Syntax” for sbom:FORMAT (under BuildFlags).