These counts come from countme, a privacy-respecting feature built into Fedora's package manager. Once a week, each device sends a single anonymous check-in β no personal data, no IP addresses stored, just a count of how many devices are actively using each image. Think of it like a headcount: it tells us how many devices checked in this week, not who they are or what they did.
These checks measure OCI image build best practices adopted across the bootc ecosystem. Signing and SBOM rates are computed from CI workflow step detection over the last 30 days. zstd:chunked, chunking mode, and SLSA provenance are sourced from OCI image supply-chain snapshots.
| Image | Cosign Signing | SBOM | zstd:chunked | chunked (chunka) | SLSA |
|---|---|---|---|---|---|
| Bluefin | Yes | Yes | No | β οΈ | β |
| Aurora | Yes | Yes | No | β οΈ | β |
| Bazzite | Yes | Yes | No | β | β |
| ublue-os | Yes | No | Not tracked | β | β |
| uCore | Yes | No | No | β | β |
| Zirconium | Yes | No | No | β | β |
| bootcrew | Yes | No | No | β | β |
| secureblue | Not tracked | Not tracked | No | β | β |
| BlueBuild | Yes | No | Not tracked | β | β |
Scores from OpenSSF Scorecard. Click a card to view the full report.