Ever wonder what CPython is made of? 🤔 SBOMs are like a list of ingredients for software which lets Python users track vulnerabilities in the runtime and its dependencies with confidence instead of guesswork.
Watching the #FOSDEM #SBOM devroom, somewhat disappointed that Bradley Kuhn can come back into this devroom and crusade against SBOMs again and completely ignore that SBOMs have use cases beyond licensing. I understand that people get tunnel vision but even if we did live in the utopia he wants (and I would love to see it as well) there would still be massive value in SBOMs.
The #FOSDEM fringe event #FOSS #license and #security #compliance tools yesterday was great! The room was filled with energy and knowledge and the willingness to improve things. Many concrete ideas to follow up on. #SBOM all the things!
One thing with the EU Cyber Resilience Act is that manufacturers and Open Source projects are forced to be more open about the cyber security of their platforms. Manufacturers are supposed to publish all CVEs in their products publicly - not only in their own code, but also in all dependencies (commercial and open source).
For many, publishing a CVE for a security issue is just part of the normal process. Reports come in from research, users or other parties and are processed, verified and published when proved correct. For others, it may feel hurtful, like a personal failure, so CVEs are not filed. In the worst case, security issues are fixed without public comment. This way, users may not update their platforms and are exposed to cyber criminals.
We need to make sure that an open vulnerability handling process is a benefit for everyone and that we change the climate to make an open process in an open ecosystem a good thing. What do you think?
TL;DR: CISA did a REALLY interesting thought experiment about 4 possible outcomes and you should probably read the paper they produced talking about them.
@kurtseifried @joshbressers Do you think we need to solve identifiers and locators at the same time? I think this gets mixed up quite often talking about #SBOM. I would be glad if we had a strong identifier that we can use to map vulnerabilities and retrieve additional information. Locators would be great but not that useful considering the complexity. E.g. what if the location is an internal repository I can't access from the internet.
New to me: the CPAN Security Working Group, started April 2023. https://security.metacpan.org The draft WG scope incl. distributions published by CPAN, and supply chain security.
At the #CPAN #Security WG, we care a lot about what happens downstream of CPAN, and with the recent developments around metadata demands (think #SBOM) and cross-ecosystem package references (where PackageURLs are a proposed solution), we're very interested in finding good places to find solutions...
Happy to join the Discord server to see what's going on there!
Do you know of other forums where topics like these are discussed?
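The identifier-versus-locator question raised above, and the PackageURL (purl) reference in the CPAN post, are easiest to see in code: a purl carries a stable identifier (type, namespace, name, version) that advisory feeds can be joined on, plus optional qualifiers such as `repository_url` that only say where one copy was fetched from. The following is an added example, not code from any of the posters or from the CPAN Security WG; the `repo.internal.example` URL and the `acme`-style names are made-up placeholders.

```python
"""Split a PackageURL (purl) into the identifier you match vulnerability data
on and the locator qualifiers that only say where one copy was fetched from.

Added example for this thread, not code from any of the posters or from the
CPAN Security WG. The repository_url in the sample below is a made-up
placeholder for an internal mirror that is not reachable from the internet.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import quote, unquote

# purl qualifiers that describe *where* to get a package rather than *what* it is
LOCATOR_QUALIFIERS = frozenset({"repository_url", "download_url", "vcs_url"})


@dataclass
class Purl:
    type: str
    namespace: str | None
    name: str
    version: str | None
    qualifiers: dict[str, str] = field(default_factory=dict)
    subpath: str | None = None

    def identifier(self) -> str:
        """Canonical pkg:type/namespace/name@version with no qualifiers or subpath;
        this is the stable key to join against advisory feeds."""
        parts = [self.type]
        if self.namespace:
            parts.extend(quote(seg, safe="") for seg in self.namespace.split("/"))
        parts.append(quote(self.name, safe=""))
        ident = "pkg:" + "/".join(parts)
        if self.version:
            ident += "@" + quote(self.version, safe="")
        return ident

    def locators(self) -> dict[str, str]:
        """Only the qualifiers that say where a copy lives (mirror, tarball, VCS)."""
        return {k: v for k, v in self.qualifiers.items() if k in LOCATOR_QUALIFIERS}

    def same_package(self, other: Purl) -> bool:
        """Same package irrespective of version, locators or subpath."""
        return (self.type, self.namespace, self.name) == (other.type, other.namespace, other.name)


def parse_purl(text: str) -> Purl:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath."""
    if not text.startswith("pkg:"):
        raise ValueError(f"not a purl: {text!r}")
    rest = text[len("pkg:"):].lstrip("/")          # 'pkg://' is tolerated, '//' is ignored
    rest, _, subpath_text = rest.partition("#")     # subpath comes last ...
    rest, _, qualifier_text = rest.partition("?")   # ... so strip it before the qualifiers
    version: str | None = None
    if "@" in rest:                                 # a literal '@' in a name must be %40
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)
    segments = [unquote(s) for s in rest.strip("/").split("/")]
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        raise ValueError(f"purl needs at least a type and a name: {text!r}")
    ptype = segments[0].lower()                     # type is case-insensitive
    name = segments[-1]
    namespace = "/".join(segments[1:-1]) or None    # may have several segments (golang)
    qualifiers: dict[str, str] = {}
    for pair in filter(None, qualifier_text.split("&")):
        key, _, value = pair.partition("=")
        if value:                                   # empty qualifier values are dropped
            qualifiers[key.lower()] = unquote(value)
    subpath = "/".join(
        unquote(s) for s in subpath_text.split("/") if s not in ("", ".", "..")
    ) or None
    return Purl(ptype, namespace, name, version, qualifiers, subpath)


if __name__ == "__main__":
    # Constructed sample: the same artifact, but fetched from a private mirror.
    sample = ("pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1"
              "?repository_url=https://repo.internal.example/maven&packaging=sources")
    p = parse_purl(sample)
    print("identifier:", p.identifier())   # what you look up in an advisory database
    print("locators:  ", p.locators())     # what only the owner of the mirror can resolve
```

The point of `identifier()` is that two SBOM entries for the same artifact, one pulled from Maven Central and one from an internal mirror, map to the same advisory key even though their locators differ and one of them cannot be resolved by an outside party.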
#SBOM: The NSA, #CISA, ODNI and the cybersecurity industry partners have released a cybersecurity technical report: “Securing the Software Supply Chain: Recommended Practices for Managing #OpenSource Software and Software Bill of Materials (SBOM)”:
[PDF]👇
I just wrote a script to use GraphViz to visualise the dependencies of one of my composer-based #PHP projects, and now I’m wishing I hadn't #sbom #nightmare
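For anyone who wants to reproduce that nightmare, here is an added example (not the poster's script) that reads the `require` maps from `composer.json` and `composer.lock`, emits Graphviz DOT, and answers the question that actually matters when an advisory lands: which of your direct dependencies drag a given package in. The `composer.json`/`composer.lock` content is constructed inline and the `acme/*` packages are placeholders.

```python
"""Draw a composer dependency graph with Graphviz and answer "why is package X
installed?". Added example for this thread, not the poster's script. The
composer.json / composer.lock content below is constructed; package names
under the acme/ vendor are placeholders.
"""
from __future__ import annotations

from collections import defaultdict

ROOT = "<root>"   # the project itself, which composer.lock does not list as a package

# Constructed sample input, shaped like real composer files.
COMPOSER_JSON = {
    "require": {"php": ">=8.1", "acme/http": "^2.0", "acme/logger": "^1.4"},
    "require-dev": {"acme/phpunit-helper": "^0.9"},
}
COMPOSER_LOCK = {
    "packages": [
        {"name": "acme/http", "version": "2.3.0",
         "require": {"php": ">=8.1", "acme/uri": "^1.0", "acme/logger": "^1.0"}},
        {"name": "acme/logger", "version": "1.5.2", "require": {"psr/log": "^3.0"}},
        {"name": "acme/uri", "version": "1.1.0",
         "require": {"ext-mbstring": "*", "psr/log": "^3.0"}},
        {"name": "psr/log", "version": "3.0.0", "require": {"php": ">=8.0"}},
    ],
    "packages-dev": [
        {"name": "acme/phpunit-helper", "version": "0.9.0", "require": {"psr/log": "^3.0"}},
    ],
}


def is_platform(name: str) -> bool:
    """Composer 'platform packages' (php, ext-*, lib-*) are not real dependencies."""
    return name == "php" or name.startswith(("ext-", "lib-"))


def build_graph(composer_json: dict, composer_lock: dict, include_dev: bool = False):
    """Return (versions, edges): locked version per package and
    package -> set of required packages, starting from ROOT."""
    packages = list(composer_lock.get("packages", []))
    roots = dict(composer_json.get("require", {}))
    if include_dev:
        packages += composer_lock.get("packages-dev", [])
        roots.update(composer_json.get("require-dev", {}))
    versions = {p["name"]: p["version"] for p in packages}
    edges: dict[str, set[str]] = defaultdict(set)
    edges[ROOT] = {n for n in roots if not is_platform(n)}
    for p in packages:
        edges[p["name"]] = {n for n in p.get("require", {}) if not is_platform(n)}
    return versions, dict(edges)


def to_dot(versions: dict[str, str], edges: dict[str, set[str]]) -> str:
    """Render the graph as Graphviz DOT; nodes are labelled with the locked version."""
    lines = ["digraph deps {", "  rankdir=LR;", "  node [shape=box];"]
    for name in sorted(edges):
        label = name if name == ROOT else f"{name}\\n{versions.get(name, '?')}"
        lines.append(f'  "{name}" [label="{label}"];')
    for src in sorted(edges):
        for dst in sorted(edges[src]):
            lines.append(f'  "{src}" -> "{dst}";')
    lines.append("}")
    return "\n".join(lines)


def paths_to(edges: dict[str, set[str]], target: str, start: str = ROOT) -> list[list[str]]:
    """Every chain from the root to `target`: the question you ask when an
    advisory names a package you never required directly."""
    found: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node == target:
            found.append(path)
            return
        for nxt in sorted(edges.get(node, ())):
            if nxt not in path:          # guard against cycles in the lock
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


if __name__ == "__main__":
    # For a real project, load the two dicts with json.load() from the files instead.
    versions, edges = build_graph(COMPOSER_JSON, COMPOSER_LOCK, include_dev=True)
    print(to_dot(versions, edges))       # pipe into: dot -Tsvg -o deps.svg
    for chain in paths_to(edges, "psr/log"):
        print(" -> ".join(chain))
```

`paths_to` is the part worth keeping once the picture gets too dense to read: it lists each chain from the root to the named package, so you can see whether bumping one direct dependency is enough or whether several of them pin the vulnerable version.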