support generation of an SBOM file describing the running system
A frequent request I have gotten lately is that Alpine should support generating an SBOM file. An SBOM is an emerging standard being pushed forward by the NTIA, designed to help auditors check for licensing compliance and remediation compliance.
An SBOM file describes a system as a set of facts about each package (component), such as the package name, the hashes of every file belonging to it, the license and copyright declarations, the supplier (package maintainer), and any upstream contacts for the package. The NTIA has a report describing what it considers the baseline set of these attributes.
Apart from the upstream contact information and copyright declarations, which we need to collect anyway for licensing compliance reasons, we already have all of the information needed to construct a baseline SBOM.
The most common format for SBOMs is the SPDX format, so I suggest we implement that format.
The value to Alpine users should be obvious: we already hold all the information needed to generate this data, yet Alpine users who need SBOMs currently have to use non-free software to produce them.
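To show how little is missing, here is an added example (my own sketch, not apk's code or anything proposed in this issue) that turns an excerpt of apk's installed database into an SPDX 2.3 tag-value document with a package section per package and a file section per recorded file. It assumes the installed DB's blank-line-separated record format with one-letter keys (P name, V version, L license, m maintainer, U url, F directory, R file, Z checksum as `Q1` + base64 SHA-1) and works on a constructed two-package sample; the document namespace, tool name and maintainer address are placeholders.

```python
# Added example, not apk's own code. Assumed apk 'installed' DB format: blank-line-separated
# records with keys P name, V version, L license, m maintainer, U url, F dir, R file, Z Q1+b64(sha1).
import base64, hashlib, re
def q1(data):  # apk-style file checksum; only used to build the constructed sample below
    return "Q1" + base64.b64encode(hashlib.sha1(data).digest()).decode()
def q1_to_hex(z):  # SPDX wants hex digests; apk stores base64 behind a 'Q1' prefix
    if not z.startswith("Q1"):
        raise ValueError("unsupported apk checksum encoding: " + z[:2])
    return base64.b64decode(z[2:]).hex()
SAMPLE_DB = "\n".join([  # constructed sample, two packages; real data: /lib/apk/db/installed
    "P:busybox", "V:1.36.1-r0", "L:GPL-2.0-only", "U:https://busybox.net/",
    "m:Example Maintainer <maint@example.invalid>", "F:bin", "R:busybox", "Z:" + q1(b""),
    "F:etc", "R:securetty", "Z:" + q1(b"console"), "",
    "P:libstdc++", "V:13.2.1-r0", "L:GPL-2.0-or-later WITH GCC-exception-3.1",
    "F:usr/lib", "R:libstdc++.so.6", "Z:" + q1(b"ELF")])

def parse_installed_db(text):  # one dict per package; 'files' carry path + hex SHA-1
    pkgs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pkg, cur_dir = {"files": []}, ""
        for line in block.splitlines():
            key, _, val = line.partition(":")
            if key == "F":
                cur_dir = val
            elif key == "R":
                pkg["files"].append({"path": cur_dir + "/" + val, "sha1": None})
            elif key == "Z":
                pkg["files"][-1]["sha1"] = q1_to_hex(val)
            else:
                pkg[key] = val
        pkgs.append(pkg)
    return pkgs

def to_spdx(pkgs, created="2024-01-01T00:00:00Z"):
    out = ["SPDXVersion: SPDX-2.3", "DataLicense: CC0-1.0", "SPDXID: SPDXRef-DOCUMENT",
           "DocumentName: alpine-system", "DocumentNamespace: https://example.invalid/sbom",
           "Creator: Tool: apk-sbom-example", "Created: " + created, ""]
    for p in pkgs:  # SPDXIDs allow only [A-Za-z0-9.-], so 'libstdc++' must be mapped
        pid, files = "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", p["P"]), p["files"]
        out += ["PackageName: " + p["P"], "SPDXID: " + pid, "PackageVersion: " + p["V"],
                "PackageSupplier: " + ("Person: " + p["m"] if "m" in p else "NOASSERTION"),
                "PackageDownloadLocation: " + p.get("U", "NOASSERTION"), "FilesAnalyzed: true",
                "PackageVerificationCode: "  # SPDX rule: SHA-1 over the sorted file SHA-1s
                + hashlib.sha1("".join(sorted(f["sha1"] for f in files)).encode()).hexdigest(),
                "PackageLicenseDeclared: " + p.get("L", "NOASSERTION"),
                "PackageCopyrightText: NOASSERTION",  # apk records no copyright text
                "Relationship: SPDXRef-DOCUMENT DESCRIBES " + pid, ""]
        for i, f in enumerate(files):  # one File section per R: entry
            out += ["FileName: ./" + f["path"], "SPDXID: %s-File-%d" % (pid, i),
                    "FileChecksum: SHA1: " + f["sha1"], ""]
    return "\n".join(out)
```

Running `print(to_spdx(parse_installed_db(SAMPLE_DB)))` emits the document; the copyright field stays NOASSERTION because, as noted above, that is the one piece of data apk does not yet record.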