We will continue to post all documentation publicly on our website and our GitHub repositories, and remain fully committed to transparency in all issues. Our project Zoom calls remain open to all, and so do our GitHub Discussions page and issue trackers.

The OmniBOR project now has a Discord server! discord.gg/3xNx4syYpf

Discord was chosen after extensive discussion and a vote.

We want to thank all participants and the OpenSSF for letting us previously have a channel on their Slack workspace despite OmniBOR not being an OpenSSF project.

We also have several in-progress implementations:

Rust: github.com/omnibor/omni...
Go: github.com/omnibor/omni...
C#: github.com/omnibor/omni...
Python: github.com/omnibor/omni...

If that sounds interesting to you, come learn more!

Our website: omnibor.io
Our spec: github.com/omnibor/spec

With both combined you have a beautiful Merkle Tree-like structure. Any change in a build input causes all artifacts derived from it to have new Artifact IDs. With the Input Manifests, you can detect exactly what artifacts changed.

It's a full Artifact Dependency Graph, from some small text files!

Input Manifests are the other half of OmniBOR.

They're short files recording Artifact IDs of build inputs for an artifact, plus Artifact IDs of those inputs' own Input Manifests if they have one.

After you build an artifact, you can embed the Artifact ID of its Input Manifest in it!

Artifact IDs are one half of the OmniBOR spec.

They're short, reproducible identifiers for artifacts like binaries and source files.

An Artifact ID is a Git object identifier, using SHA-256 for hashing, with the "blob" type, and newlines normalized to Unix style.

Is this thing on? This is a new official Bluesky account for the OmniBOR project.

OmniBOR is a spec for reproducible software identifiers and fine-grained dependency tracking. It's an open project anyone can join!

Our website is omnibor.io

Hi Bluesky! 👋