Terminology
Software supply chain (or SSC)
the series of actions performed to create a software product. These steps usually begin with users committing to a version control system and end with the software product's installation on a client's system.
Layout
a signed file that dictates the series of steps that need to be carried out in the SSC to create a final product. The layout includes ordered segments and steps, requirements for the steps, and the list of actors (or functionaries) in charge of carrying out every step. The steps within the supply chain are laid out by a project owner.
Layout Segment
a natural clustering of steps within one component of the supply chain. For example, all steps in a Jenkins pipeline are clustered in one segment with one run id.
Step
a single action in a Layout Segment, performed by a functionary.
Link
Information gathered while performing a step, signed by the functionary that performed the step. This includes information such as materials and products.
Materials
the elements used (e.g., files) to perform a step in the supply chain. Files generated by one step (e.g., .o files) can be materials for a step further down the chain (e.g., linking). Materials are recorded as part of the link data.
Products
the result of carrying out a step. Products are usually persistent (e.g., files), and are often meant to be used as materials in subsequent steps. Products are recorded as part of the link data.
Artifact
a material or a product, as described above. An artifact is identified by its file path and the sha256 hash of the file's contents.
Run Id
an identifier, chosen to be as unique as possible, for a set of links belonging to one segment and created during one run of the SSC. This id is used to collect the link objects belonging to that run.
End Products
the files which are delivered by the SSC and which are installed on the client's system.
Release
the process by which the data and metadata included in the end products are used to establish their correctness. Once correctness is established, the layout, links and metadata are stored in a Release Dossier, which is used for later verifications.
Verification
performed by the client, who requests verification of a set of end products in a deployable unit; the Argos Notary Service checks whether a Release Dossier exists for that same set of hashes.
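The terms above (artifact, link, materials, products, release dossier, verification) fit together as a short data flow, shown here in an added Python illustration that is not Argos Notary's own code. It models a constructed two-step run (compile, then link), records an unsigned link per step, checks that the link step's materials are exactly the compile step's products, builds a minimal dossier, and verifies a client's end-product hash against it. The field names (`uri`, `hash`, `endProductHashes`), the run id `run-42`, the layout id and the file contents are all made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """sha256 of a file's contents, the hash every artifact carries."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def artifact(path: Path, root: Path) -> dict:
    """Artifact: a file path (relative to the workspace root) plus its sha256."""
    return {"uri": path.relative_to(root).as_posix(), "hash": sha256_of(path)}


def record_link(step: str, run_id: str, functionary: str,
                materials: list, products: list, root: Path) -> dict:
    """Link: what a functionary records for one step of a run. Unsigned here;
    a real system signs the link with the functionary's key."""
    return {
        "step": step,
        "runId": run_id,
        "functionary": functionary,
        "materials": [artifact(p, root) for p in materials],
        "products": [artifact(p, root) for p in products],
    }


def materials_match_products(producer: dict, consumer: dict) -> bool:
    """Chain check: every material the consumer step used must appear among
    the producer step's products with an identical hash."""
    produced = {a["uri"]: a["hash"] for a in producer["products"]}
    return all(produced.get(m["uri"]) == m["hash"] for m in consumer["materials"])


def verify_end_products(client_hashes: set, dossier: dict) -> bool:
    """Verification: every end-product hash the client holds must be in the dossier."""
    return bool(client_hashes) and client_hashes <= set(dossier["endProductHashes"])


def run_demo() -> dict:
    """Constructed two-step run: compile (src -> build) then link (build -> dist)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("src", "build", "dist"):
            (root / d).mkdir()
        src = root / "src" / "main.c"
        obj = root / "build" / "main.o"
        app = root / "dist" / "app"
        src.write_text("int main(void) { return 0; }\n")
        # Step 1, functionary "builder": the object file is constructed, not compiled.
        obj.write_bytes(b"\x7fELF constructed object")
        compile_link = record_link("compile", "run-42", "builder", [src], [obj], root)
        # Step 2, functionary "linker": consumes main.o, produces the end product.
        app.write_bytes(b"\x7fELF constructed binary")
        link_link = record_link("link", "run-42", "linker", [obj], [app], root)
        chain_ok = materials_match_products(compile_link, link_link)
        # Release: layout id, links and end-product hashes go into the dossier.
        dossier = {
            "layoutId": "example-layout",  # placeholder, not a real layout id
            "runId": "run-42",
            "links": [compile_link, link_link],
            "endProductHashes": [a["hash"] for a in link_link["products"]],
        }
        client_ok = verify_end_products({sha256_of(app)}, dossier)
        # Tampering: main.o is replaced between compile and link, so the link
        # step's material hash no longer matches the compile step's product hash.
        obj.write_bytes(b"\x7fELF tampered object")
        tampered = record_link("link", "run-42", "linker", [obj], [app], root)
        tamper_detected = not materials_match_products(compile_link, tampered)
        # A binary that was never released has no dossier entry.
        unknown_rejected = not verify_end_products(
            {hashlib.sha256(b"unreleased build").hexdigest()}, dossier)
    return {"chain_ok": chain_ok, "client_ok": client_ok,
            "tamper_detected": tamper_detected, "unknown_rejected": unknown_rejected}


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints all four checks as True: the honest chain verifies, the client's end product is found in the dossier, the substituted object file breaks the product-to-material match, and an unreleased binary is rejected. The chain check is the reason materials and products are both recorded in link data: a hash that appears as a product in one link and as a material in the next ties the two steps together.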
Project Owner
the authoritative figure within a project. The project owner will dictate which steps are to be carried out in the supply chain, and who is authorized to carry out each step (i.e., define the layout).
Functionary
an actor that will perform an action within the supply chain. For example, the actor in charge of compiling a project's source code is a functionary.