Name: Lock the Chef in the Kitchen: Enabling Accurate SBOMs Via Hermetic Builds - Adam Cmiel, Red Hat
Start: 2025-06-23T14:45:00-0600
End: 2025-06-23T15:05:00-0600

June 23 - 25, 2025
Denver, Colorado
View More Details & Registration
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Mountain Daylight Time (UTC/GMT -6). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Monday June 23, 2025 2:45pm - 3:05pm MDT

Bluebird Ballroom 3B

Imagine your source repository is a kitchen, and the CI task that builds your software is a chef cooking soup. Most attempts to obtain the list of ingredients for the soup will fall into one of two categories.

"Source SBOM" tools gather the list of ingredients by scanning the entire kitchen. There are some recipes and ingredients in the kitchen, but are all of them relevant? Are they correct and complete? What if the chef looks up the recipe online and then orders the missing ingredients?

"Analyzed SBOM" tools try to derive the list of ingredients from the finished soup. This is hard to do well, impossible when the ingredients dissolve completely. And the tool has no chance of knowing where the ingredients came from.

How about we do this: Select the right recipe(s) for the soup. Buy all the ingredients ourselves. Leave them in the kitchen and lock the chef in there until the meal is done. We now have a complete list of ingredients (or a failed soup), and we know where we got them.

Meet Hermeto, a tool that enables your CI pipeline to lock the chef in the kitchen!

Speakers

Adam Cmiel

Senior Software Engineer, Red Hat

I'm a software engineer at Red Hat. I work on Konflux, an open-source CI/CD system focused on supply chain security (that we also use internally at Red Hat to build and release products). I focus on enabling builds to be as secure as possible.

Monday June 23, 2025 2:45pm - 3:05pm MDT
Bluebird Ballroom 3B

cdCon

Audience Experience Level Intermediate

Open Source Summit North America 2025

Adam Cmiel

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!