Storing and Publishing GitBOMs

# Storing and Publishing GitBOMs This document covers possible ideas for storing and publishing [GitBoms](https://hackmd.io/aZ7czCDvRl2atAxhtYecrA?view) # Storing GitBOMs during builds When a compiler or linker writes out an artifact, it should store the GitBOMs related to the artifact in subdirectory structure of the directory into which the artifact is written: ``` .bom/objects/${first 2 characters of git ref}/${last 38 characters of git ref} ``` When a compiler or linker is utilizing a child artifact, it should inspect the artifact for an embedded GitBOM reference. If it finds one, it should look for a .bom/ subdirectory in the directory containing the child artifact. If a .bom/ subdirectory exists it should copy all descendent GitBoms for the child artifact into the .bom/ subdirectory for the directory into which it is writing the artifact being built. # Storing GitBOMs in a git repo When laying a tag in a git repo corresponding to the release of artifacts, a tree should be constructed containing only a .bom/ directory, and any other metadata files around the bom for artifacts in the release. That tree should be committed with and referenced from ```refs/boms/${tag}```. The parent of the commit should be the commit referred to by ```refs/tags/${tag}```. # Publishing GitBOMs One simple way to publish GitBOMs for a set of released artifacts would be to run: ``` git clone --branch boms/${tag} --depth 1 ${url of git repo} ${bom git repo name} ``` ```--branch boms/${tag}``` - clones starting from ```refs/boms/${tag}``` ```--depth 1``` - only copies the objects related to the commit for ```refs/boms/${tag}``` and the tree that commit points to. In other words, the resulting cloned git repo will only contain the BOM related information, not any of the source code. The resulting ```${bom git repo name}/``` will contain only the BOM information and the commit metadata for that BOM. That commit can be signed. That commit contains a git ref for the commit of the source code that was used to build the artifacts the BOM is referencing. The repo itself will not contain any of that source.