Exploring the AlmaLinux Build System

Package Packer

Testing and Later Steps

The AlmaLinux Test System (ALTS) [8] included with the build environment automates packet testing in realistic conditions. ALTS first launches a clean test environment (for instance, a Docker container) using Terraform to recreate a realistic setting that models actual production conditions. Once the environment is in place, ALTS attempts to install the package, and, if the installation is successful, begins a series of integrity checks predefined by the user.

Results of the tests are then forwarded to the Pulp artifacts store in the form of test logs and reports, and the results are then available to the user through the web interface. Approved packages are then signed and marked for release. The build system lets you define and select specific channels for the software release, and the verification system allows the receiver to trace the authenticity back to the original source code.

Conclusion

The stability and versatility of the AlmaLinux Build System has given the developers a head start on achieving the project's ambitious goals while avoiding much of the wheel spinning that often comes with putting a distribution together. AlmaLinux was recently chosen as a standard Linux distribution for Fermilab and the CERN European laboratory for particle physics. The AlmaLinux project was also the first enterprise Linux to offer a complete Software Bill of Materials (SBOM) for every package (see the box entitled "SBOMs").

SBOMs

On May 12, 2021, the Biden administration released Presidential Executive Order 14028 "Improving the Nation's Cybersecurity" [9]. One of the important features of that order is the stipulation that software packages for software used by the US government should include a bill of materials for all the code provided in the package. This Software Bill of Materials (SBOM) is described as a "list of ingredients" for the software package. The idea is that providing an accurate list of ingredients used for building the package will help investigators identify and trace security risks that might affect the package. If a component used in building the package turns up with a critical vulnerability, it will be easy to spot the problem and to know that the package needs an update.

AlmaLinux was the first Linux distribution to notarize and provide an SBOM for all source and components. The AlmaLinux developers created an SBOM generation utility and integrated it into the AlmaLinux Build System. You can find the alma-sbom utility on GitHub [10].

The AlmaLinux team is busy right now using the AlmaLinux Build System to create, sign, test, and release the next version AlmaLinux, but the developers also want to sure make the system is available to other users and other projects. The user interface makes it easy to incorporate other source code repositories, and the testing, signing, and release components support customization for alternative projects and applications. An API-driven design with support for scripting opens a range of possibilities for adapting the build system for other projects.

This article was made possible by support from AlmaLinux OS Foundation through Linux New Media's Topic Subsidy Program (https://www.linuxnewmedia.com/Topic_Subsidy).

Infos