[comment]: # (Compile this presentation with the command below)
[comment]: # (mdslides fosdem2024-sbom-in-open-source-ecosystems-talk.md --include ../media)
[comment]: # (...or by running the Makefile with "make")
[comment]: # (mdslides can be installed from https://github.com/dadoomer/markdown-slides/)

### Can SBOMs become first-class citizens in Open Source ecosystems?

Salve J. Nilsen

Software Bill of Materials devroom – FOSDEM 2024

Note:
### Who am I?

* Salve J. Nilsen, from Oslo, Norway
* **CPAN Security Working Group**
* My offer: **Open Source Supply Chain perspective**
### "Supply-chain" Developers say…

"Why should I care about SBOMs?"

"This is not my problem"

"Maybe if you pay me"
## Reality arrives…
- End users are **obliged** to comply with new regulation and demands
- …or get fined
- They **require authoritative + up-to-date metadata**, to…
- Do all the good things! (Pedigree, provenance, etc.)
### What does SW development look like?
![](media/Software-supply-chain-NIST-Appendix-F-Figure-2.png)

Source: [NIST Software Supply Chain Security Guidance](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1)
### What's wrong?

* No supply chain!
* "Third party software"
* No FOSS **Communities** or **Processes**
### A simplified supply chain
![](media/supply-chain-1.png)
![](media/supply-chain-1b.png)
![](media/supply-chain-2.png)
![](media/supply-chain-2b.png)
![](media/supply-chain-2c.png)
![](media/supply-chain-3.png)
![](media/supply-chain-3b.png)
![](media/Software-supply-chain-NIST-Appendix-F-Figure-2.png)
![](media/Software-supply-chain-NIST-Appendix-F-Figure-2b.png)
### Second-party software
![Group picture showing PTS 2023 participants](media/pts-group-picture-PTS2023.jpeg)
### Who are these people?
### Who are these people?

* Your Open Source **Colleagues**
### Who are these people?

* Your **Unpaid** Open Source **Colleagues**
### How to make SBOMs become first-class citizens in Open Source ecosystems
### Make Open Source ecosystems first-class citizens in the SBOM communities!
* Do NOT relegate them to the "Third party software" category – they are your **partners**, caring about **your** Open Source infrastructure and foundation!
* Become a partner that teaches downstream users how Open Source works, without "simplifying away" people
* Upstream devs are your partners, colleagues and friends – if you treat them so!
## Questions & Comments
## Thanks!

* Salve J. Nilsen
* Mastodon: @sjn@chaos.social
* 🦆 https://security.metacpan.org