Can SBOMs become first-class citizens in Open Source ecosystems?
Salve J. Nilsen
Software Bill of Materials devroom – FOSDEM 2024
Who am I?
- Salve J. Nilsen, from Oslo, Norway
- CPAN Security Working Group
- My offer: Open Source Supply Chain perspective
“Supply-chain” Developers say…
“Why should I care about SBOMs?”
“This is not my problem”
“Maybe if you pay me”
Reality arrives…
- End users are obliged to comply with new regulation and demands
  - …or get fined
- They require authoritative, up-to-date metadata, to…
  - Do all the good things! (Pedigree, provenance, etc.)
What does SW development look like?
Source: NIST Software Supply Chain Security Guidance
What’s wrong?
- No supply chain!
- “Third party software”
- No FOSS Communities or Processes
A simplified supply chain
Second-party software
Who are these people?
Who are these people?
- Your Open Source Colleagues
Who are these people?
- Your Unpaid Open Source Colleagues
How to make SBOMs become first-class citizens in Open Source ecosystems
Make Open Source ecosystems first-class citizens in the SBOM communities!
- Do NOT relegate them to the “Third party software” category — They are your partners, caring about your Open Source infrastructure and foundation!
- Become a partner that teaches downstream users how Open Source works, without “simplifying away” people
- Upstream devs are your partners, colleagues and friends – if you treat them so!
Questions & Comments
Thanks!
- Salve J. Nilsen
- Mastodon: @sjn@chaos.social
🦆 https://security.metacpan.org