# `omnibor-rs`

__This project is a work in progress and is not ready for any use beyond experimental.__

[OmniBOR][omnibor] is a draft standard for creating (and optionally embedding
in a binary) a record of cryptographic hashes for all build inputs for a software
artifact. It is intended to serve as a complement to Software Bills of Material
(SBOMs) like SPDX or CycloneDX, by saying not just what dependencies a project has,
but _what exact inputs_ went into an artifact's production.

This repository contains two Rust crates:

- `omnibor`: an implementation of the OmniBOR specification.
- `gitoid`: an implementation of Git Object Identifiers (GitOIDs), the mechanism
  OmniBOR uses for hashing inputs.
## Using from Other Languages
The `gitoid` crate exposes a Foreign Function Interface (FFI), and can be used as the
basis for implementing GitOID generation and matching in other languages.
This interface uses [`cbindgen`][cbindgen] to generate the header file, and the
`gitoid` crate is configured to generate a library file suitable for linking from
other languages.

An example of how to build and link with `gitoid` from other languages is given
in `gitoid/Makefile`.
## Contributing
We're happy to accept contributions!

For bug fixes and minor changes to the implementation, feel free to open an issue
in the issue tracker explaining what you'd like to fix, and then open a Pull
Request with the change.

For larger design changes, you may also want to discuss the changes either in the
issue tracker or on the `#omnibor` channel on the [Open Source Security Foundation
(OpenSSF) Slack workspace][ossf_slack].
## License
The `omnibor` and `gitoid` crates are both Apache 2.0 licensed. You can read the
full license text in the `LICENSE` file.

[omnibor]: https://omnibor.io
[cbindgen]: https://github.com/eqrion/cbindgen
[ossf_slack]: https://slack.openssf.org/