Items tagged with: SBOM


wrote:
> I think of SBOMs as a way for us to charge

So does the Compliance Industrial Complex. They've been planning for this. 💰's on the table when make-work becomes mandatory regulation.

I doubt small FOSS business'll get a piece of that pie easily. #SBOM game is already rigged to favor Big Tech.

But, I hope I'm wrong & you make a living from it!

Let's reserve the right to “I told you so” each other when one of us turns out wrong in 5-10 years. ☺

Cc: @msw @lexelas
@jeremiah_


Oh, I agree: confused users will request #SBOM's b/c they think they're useful (… even though they aren't).

My point is: we're still at a moment where we can influence actual implementation of CRA in practice (regulations are being written now).

The best approach? Convince regulators that complete, corresponding source &
@reproducible_builds are *actually* useful to customers for FOSS.

#SBOM's are only useful for proprietary software. SBOMs for FOSS is make-work.

Cc: @msw @lexelas


Thanks for your post & your counter 😆

I'm curious: you characterize the EU #CRA as requiring #SBOM's *specifically*. I know the License Compliance Industrial Complex wants it to be true, but I researched this issue for my #FOSDEM 2025 talk…
fosdem.org/2025/schedule/event…
… & IIUC CRA *doesn't* specify SBOMs specifically.
IMO, if the vendor gives the customer complete, Corresponding Source & a 100% @reproducible_builds they've complied with CRA. No one has shown me anything that disproves that.


I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.

We do complain about CPE quite a bit :)

But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.

opensourcesecurity.io/2025/202…

#PURL
#CVE
#SBOM


This week many engineering teams are looking for the immensely popular open source library 'curl' in order to get ahead of the CVE-2023-38545 vulnerability. Most of them are NOT going to see it in their SBOM even though they use it.

In this article I walk through why this is, places it might be hiding and questions to ask that can help uncover your use of it.

zebracatzebra.com/oss/curl-is-… #curl #sca #sbom