fosdem2024-sbom-in-open-source-ecosystems-talk.md
Can SBOMs become first-class citizens in Open Source ecosystems?

Salve J. Nilsen

Software Bill of Materials devroom – FOSDEM 2024

Who am I?

  • Salve J. Nilsen, from Oslo, Norway

  • CPAN Security Working Group

  • My offer: Open Source Supply Chain perspective

"Supply-chain" Developers say…

"Why should I care about SBOMs?"

"This is not my problem"

"Maybe if you pay me"

Reality arrives…

  • End users are obliged to comply with new regulation and demands
    • …or get fined
  • They require authoritative, up-to-date metadata, to…
    • Do all the good things! (Pedigree, provenance, etc. etc.)

What does SW development look like?

Source: NIST Software Supply Chain Security Guidance

What's wrong?

  • No supply chain!
  • "Third party software"
  • No FOSS Communities or Processes

A simplified supply chain

Second-party software

Group picture showing PTS 2023 participants

Who are these people?

  • Your Open Source Colleagues

Who are these people?

  • Your Unpaid Open Source Colleagues

How to make SBOMs become first-class citizens in Open Source ecosystems

Make Open Source ecosystems first-class citizens in the SBOM communities!

  • Do NOT relegate them to the "Third party software" category — They are your partners, caring about your Open Source infrastructure and foundation!
  • Become a partner that teaches downstream users how Open Source works, without "simplifying away" people
  • Upstream devs are your partners, colleagues and friends – if you treat them so!

Questions & Comments

Thanks!

🦆 https://security.metacpan.org