Introduction

Short Description

Tracking all the different sub-components used to build the software of a modern device can be challenging, especially when those components are contributed by many different suppliers. By devices we mean Internet of Things (IoT) devices. The Software Parts initiative delivers a Sawtooth-based ledger that provides both access to, and accountability for, the relevant information about software parts exchanged among manufacturing supply chain participants. A software part is any software component that can be represented as one or more files (e.g., a binary library, a source code package, an application, a container, or an entire operating system runtime). Examples of the types of information tracked for a given software part include (but are not limited to):

  • open source compliance artifacts - The lion's share of software today is made up, at least in part, of open source, and therefore a software part legally needs to be accompanied by a collection of required compliance artifacts (e.g., source code, notices, an open source bill of materials, SPDX documents, and so forth). Providing access to, and accountability over, the required compliance artifacts is necessary to ensure that a recipient obtains the right to distribute its products legally. The ledger enables the tracking and assertion of who included what open source code, how, and when.
  • certification evidence - The objective of functional safety certification is to create and present evidence that a software part has been rigorously reviewed and tested, such that it mitigates unacceptable risk of human physical injury or death. Providing access to, and accountability over, the certification evidence is a necessary step in establishing trust among supply chain participants in safety-critical domains (e.g., autonomous vehicles, aircraft, medical devices, elevators, factory robots, and so forth). The ledger enables the tracking and assertion of who included what evidence, how it was included, and when.
  • cryptography usage - Many governments (e.g., the United States, France, the UK, Russia, and China, to name a few) restrict the export of software parts based on the cryptographic methods they implement and/or use. Adhering to these restrictions and obtaining the appropriate export licenses is mission critical when exchanging software among international supply chain participants. The ledger enables the tracking and assertion of who included what cryptography code, how it was included, and when.
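To make the data model concrete, here is an added example; it is not SParts or Sawtooth code, and the assertion fields, artifact kinds, supplier names and sample files are assumptions made for illustration. It identifies a software part by hashing its constituent files, records who included which compliance, certification or cryptography artifact, how and when, in a hash-chained append-only log, and shows that rewriting an earlier entry is detectable:

```python
"""Hypothetical software-part assertion ledger (added example, not project code)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Dict, List

# Assumed names for the categories of information the text says the ledger tracks.
ARTIFACT_KINDS = {"compliance", "certification", "cryptography"}
GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def part_id(files: Dict[str, bytes]) -> str:
    """Identify a software part (one or more files) by a hash over its sorted
    (path, content-hash) pairs: independent of listing order, but any change
    to a file's path or content yields a different id."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode("utf-8") + b"\0")
        h.update(sha256_hex(files[path]).encode("ascii") + b"\n")
    return h.hexdigest()


@dataclass(frozen=True)
class Assertion:
    """One ledger entry: who (supplier) included what (part, artifact), how and when."""
    part: str           # id of the software part the assertion is about
    supplier: str       # who is making the assertion (assumed: a supplier name)
    kind: str           # compliance | certification | cryptography
    artifact_hash: str  # SHA-256 of the evidence (SPDX document, safety report, crypto inventory)
    how: str            # how the component was included (e.g. "static link")
    when: str           # ISO-8601 timestamp supplied by the asserting party
    prev: str           # hash of the preceding entry; this is what makes the log append-only

    def entry_hash(self) -> str:
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode("utf-8"))


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Assertion] = []

    def head(self) -> str:
        return self.entries[-1].entry_hash() if self.entries else GENESIS

    def record(self, part: str, supplier: str, kind: str,
               artifact: bytes, how: str, when: str) -> Assertion:
        if kind not in ARTIFACT_KINDS:
            raise ValueError(f"unknown artifact kind: {kind}")
        entry = Assertion(part, supplier, kind, sha256_hex(artifact), how, when, self.head())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Walk the chain; a rewritten entry no longer matches its successor's prev."""
        prev = GENESIS
        for entry in self.entries:
            if entry.prev != prev:
                return False
            prev = entry.entry_hash()
        return True

    def history(self, part: str) -> List[Assertion]:
        return [e for e in self.entries if e.part == part]


def demo() -> dict:
    # Constructed sample part: a tiny "library" made of two files.
    files = {"lib/libfoo.so": b"\x7fELF...constructed...", "NOTICE": b"Copyright (c) constructed"}
    pid = part_id(files)

    ledger = Ledger()
    ledger.record(pid, "supplier-a", "compliance", b"SPDXVersion: SPDX-2.2 (constructed)",
                  "static link", "2024-01-01T00:00:00Z")
    ledger.record(pid, "supplier-a", "cryptography", b"uses AES-256-GCM via OpenSSL (constructed)",
                  "dynamic link", "2024-01-02T00:00:00Z")
    ok_before = ledger.verify()

    # Tamper: rewrite the first entry to attribute the compliance claim to someone else.
    ledger.entries[0] = replace(ledger.entries[0], supplier="supplier-b")
    ok_after = ledger.verify()

    return {"part_id": pid, "history_len": len(ledger.history(pid)),
            "verify_before": ok_before, "verify_after_tamper": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two things the toy leaves out that a Sawtooth deployment provides: each transaction is signed by the submitting party and validated by consensus, so the newest entry (which the hash chain alone does not protect) is also covered; and only hashes of the artifacts live on the ledger, so access to the SPDX documents or certification reports themselves still has to be arranged off-ledger and checked against the recorded hash.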

Why we need it

Case Study