Items tagged with: SBOM
wrote:
> I think of SBOMs as a way for us to charge
So does the Compliance Industrial Complex. They've been planning for this. 💰's on the table when make-work becomes mandatory regulation.
I doubt small FOSS business'll get a piece of that pie easily. #SBOM game is already rigged to favor Big Tech.
But, I hope I'm wrong & you make a living from it!
Let's reserve the right to “I told you so” each other when one of us turns out wrong in 5-10 years. ☺
Oh, I agree: confused users will request #SBOM's b/c they think they're useful (… even though they aren't).
My point is: we're still at a moment where we can influence actual implementation of CRA in practice (regulations are being written now).
The best approach? Convince regulators that complete, corresponding source & @reproducible_builds are *actually* useful to customers for FOSS.
#SBOM's are only useful for proprietary software. SBOMs for FOSS is make-work.
Thanks for your post & your counter 😆
I'm curious: you characterize the EU #CRA as requiring #SBOM's *specifically*. I know the License Compliance Industrial Complex wants it to be true, but I researched this issue for my #FOSDEM 2025 talk…
fosdem.org/2025/schedule/event…
… & IIUC CRA *doesn't* specify SBOMs specifically.
IMO, if the vendor gives the customer complete, Corresponding Source & a 100% @reproducible_builds they've complied with CRA. No one has shown me anything that disproves that.
I chatted with Philippe Ombredanne about Package URLs, or PURLs. He created them, so he knows a thing or two.
We do complain about CPE quite a bit :)
But it's a really hard problem. It feels like a package identifier should be easy, but it's way harder than you think it is. There's nobody better than Philippe to drop some knowledge.
opensourcesecurity.io/2025/202…
Package URLs with Philippe Ombredanne
I’m joined by Philippe Ombredanne, creator of the Package URL (PURL), to discuss the surprisingly complex and messy problem of simply identifying open source software packages.
Josh Bressers (Open Source Security)
This week many engineering teams are looking for the immensely popular open source library 'curl' in order to get ahead of the CVE-2023-38545 vulnerability. Most of them are NOT going to see it in their SBOM even though they use it.
In this article I walk through why this is, places it might be hiding and questions to ask that can help uncover your use of it.
zebracatzebra.com/oss/curl-is-… #curl #sca #sbom
Curl is seen everywhere except your SBOM, why is it missing even though you use it?, Zebra Cat Zebra
What is curl? curl is an open source command line tool and embeddable library for transferring data over a network.
Zebra Cat Zebra
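The two posts above make one combined point: package identity is hard (the PURL post) and curl tends to be absent from SBOMs even where it is linked in (the Zebra Cat Zebra post). The following is an added example, written for this page and not code from either post, the linked article, or the purl project. It implements a minimal Package URL parser following the public purl grammar (pkg:type/namespace/name@version?qualifiers#subpath, without the per-type normalisation rules), then walks a small CycloneDX-style SBOM constructed inline, flagging components that are curl itself (whose version can be compared against the CVE-2023-38545 affected range, libcurl 7.69.0 up to and including 8.3.0) and components that merely bind to libcurl (pycurl and friends), whose own version says nothing about the libcurl they load. The lists of curl and binding package names, and the sample SBOM, are assumptions chosen for the example.

```python
"""Added example: parse purls and hunt for curl/libcurl in a CycloneDX SBOM."""
import re
from urllib.parse import unquote

# CVE-2023-38545 affects libcurl 7.69.0 through 8.3.0 inclusive; fixed in 8.4.0.
AFFECTED_MIN = (7, 69, 0)
AFFECTED_MAX = (8, 3, 0)

# Assumption: names that ARE curl (version is libcurl's own) versus names that
# only bind to libcurl (their version is the binding's, not libcurl's).
CURL_ITSELF = {"curl", "libcurl", "curl-minimal"}
LIBCURL_BINDINGS = {"pycurl", "curb", "php-curl", "r-curl"}
DISTRO_TYPES = {"deb", "rpm", "apk"}   # distros backport fixes; ranges lie here


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts."""
    if not purl.lower().startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[4:].strip("/")
    rest, _, subpath = rest.rpartition("#") if "#" in rest else (rest, "", "")
    rest, _, qs = rest.rpartition("?") if "?" in rest else (rest, "", "")
    qualifiers = {}
    for kv in filter(None, qs.split("&")):
        key, _, value = kv.partition("=")
        qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:                     # version separator is the LAST '@'
        rest, _, version = rest.rpartition("@")
        version = unquote(version)
    parts = rest.split("/")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath.strip("/") or None,
    }


def version_tuple(v):
    """Leading major.minor[.patch] of a version string; None if absent.
    Distro suffixes such as '-10' or '-r2' are deliberately ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def classify(component: dict):
    """Return a finding for a curl-related component, else None."""
    purl = component.get("purl")
    p = parse_purl(purl) if purl else {
        "type": None, "name": component.get("name", ""),
        "version": component.get("version")}
    name = p["name"].lower()
    if name in CURL_ITSELF or name.startswith("libcurl"):
        vt = version_tuple(p["version"])
        if vt is None:
            status = "version-unknown"
        elif AFFECTED_MIN <= vt <= AFFECTED_MAX:
            # A Debian/RPM 7.88.1 may already carry the backported fix; the
            # upstream range only says "go read the distro advisory".
            status = ("affected-upstream-range" if p["type"] in DISTRO_TYPES
                      else "affected")
        else:
            status = "not-affected"
    elif name in LIBCURL_BINDINGS or "curl" in name:
        status = "binding-check-libcurl"   # which libcurl does it load?
    else:
        return None
    return {"purl": purl, "name": name, "version": p["version"], "status": status}


def find_curl(sbom: dict) -> list:
    """Scan the components array of a CycloneDX JSON document."""
    return [f for f in map(classify, sbom.get("components", [])) if f]


# Constructed sample SBOM for this example (not a real inventory).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"name": "libcurl4", "version": "7.88.1-10",
         "purl": "pkg:deb/debian/libcurl4@7.88.1-10?arch=amd64&distro=debian-12"},
        {"name": "pycurl", "version": "7.45.2", "purl": "pkg:pypi/pycurl@7.45.2"},
        {"name": "curl", "version": "8.4.0", "purl": "pkg:generic/curl@8.4.0"},
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
}

if __name__ == "__main__":
    for finding in find_curl(SAMPLE_SBOM):
        print(f"{finding['status']:26} {finding['purl']}")
```

The point the scan makes in practice: the only component a name-based query for "curl" finds with a libcurl version attached is the distro package, and even that needs the distro advisory rather than the upstream range; the Python binding surfaces only because its name happens to contain "curl", and anything that statically links libcurl under a different name is invisible to this approach entirely, which is why the linked article asks questions of the build rather than of the SBOM alone.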
Generating a Software Bill of Materials (LFC192) - Linux Foundation - Training
Learn to identify the minimum elements for a Software Bill of Materials (SBOM) and how they can be coded up, and get an overview of some of the open source tooling that is available to support the generation and consumption of an SBOM.
Linux Foundation - Training