Glossary

Short definitions of terms used throughout this catalog. Alphabetical.

AMI (Amazon Machine Image) — A snapshot used to boot EC2 instances on AWS; one way to ship a pre-baked bundle as a cloud image.

Authenticode — Microsoft's code-signing technology for Windows executables and installers (.exe/.msi), verified with a code-signing certificate.

BOM (Bill of Materials) — A list of the parts that make up a product; see SBOM for the software-specific form.

Channel — A named release stream (e.g. stable, beta, nightly) that a user subscribes to; typically a moving alias that resolves to a fixed version.

Confinement (snap) — The sandboxing mode of a Snap package (strict, classic, or devmode) controlling how much of the host it may access.

console_script / entry point — A Python packaging mechanism that installs a named command-line executable wired to a function in the package.

cosign / Sigstore — Tooling for signing and verifying artifacts (images, blobs) using short-lived, identity-bound certificates instead of long-lived keys.

Digest — A content hash (e.g. @sha256:…) that names the exact bytes of an image or blob; immutable, unlike a tag.

distroless — A minimal container base image containing only the application and its runtime — no shell, no package manager. Because there is no package manager, a Dockerfile can't RUN apt in a distroless stage at build time.

Formula — A Homebrew package definition (a Ruby file) describing how to download, build, and install a piece of software.

Gatekeeper — The macOS security feature that checks an app is signed and notarized before allowing it to run.

GPG — GNU Privacy Guard; used here to create and verify detached signatures over release artifacts and to sign package repositories.

host.docker.internal — A special DNS name that lets a container reach a service running on the host machine; used by the case study's companion containers to connect to a database running on the host.

Idempotent — A property of an operation that produces the same result no matter how many times it runs; an idempotent installer is safe to re-run.

Lockfile — A file pinning the exact resolved versions of every (transitive) dependency, e.g. package-lock.json, Cargo.lock, uv.lock, poetry.lock.

Manifest — A metadata file describing a package or deployment (e.g. a Winget manifest, a Kubernetes manifest, a container image manifest).

Notarization — Apple's process of uploading software to its notary service for an automated malware scan, required for distribution outside the App Store.

nuspec — The XML manifest describing a NuGet/Chocolatey package (id, version, dependencies, files).

OIDC (OpenID Connect) — An identity layer over OAuth2; used in keyless signing so a CI job or user can authenticate to obtain a short-lived signing certificate.

OpenTofu / Terraform — Infrastructure-as-code tools that provision cloud resources from declarative configuration; one way to deploy a bundle to the cloud.

Portal (flatpak) — A sandboxed interface that lets a Flatpak app request specific host resources (files, devices) without broad access.

Provenance — Verifiable metadata describing how, where, and from what inputs an artifact was built; the basis of supply-chain trust (see SLSA).

SBOM (Software Bill of Materials) — A machine-readable inventory of every component and version in a piece of software; common formats are CycloneDX and SPDX.

Sidecar — A secondary container that runs alongside a main one to provide supporting functionality (proxy, adapter, helper).

SLSA — Supply-chain Levels for Software Artifacts; a framework grading the trustworthiness of build provenance (Build track levels L0–L3).

Tag — A human-readable, mutable pointer to an image or git commit (e.g. :latest, :8.34.0, v1.2.0); a publisher can re-point it, unlike a digest.

Tap — A third-party Homebrew repository of formulae you can add with brew tap, letting a project ship via Homebrew without upstream review.

Wheel — A pre-built Python distribution format (.whl) that installs without a build step; absent a wheel, pip may need a compiler or source toolchain.