7 Dec 2023 |
jjatria |
Ah, my bad: we display it in the "tag" page only it seems: raku.land/tags/util |
22:15 |
|
sjn |
that's not at all the same thing as the box of tags in the new page |
|
|
|
yeah, no |
22:16 |
|
|
that's Tags box just as useless (I'm sorry) |
|
|
jjatria |
We try to group some of the author-defined tags into smaller categories, to make them more useful: gitlab.com/raku-land/raku-land/-/b...pping.toml |
|
|
|
sjn: nothing to apologise for, but I disagree. I do think that it can be made more useful, though |
22:17 |
|
sjn |
"How many modules exist, that are tagged with a word that the author thinks is useful" is what it looks like now |
|
|
jjatria |
*distributions |
22:18 |
|
sjn |
(on the tags page you linked) |
|
|
|
yeah, dists* sorry |
|
|
|
I'd probably curate a short-list of useful and information-bearing tags, and list the dists* in order of most common tag to least |
22:19 |
|
jjatria |
I mean, that's what it is: the number of distributions tagged with each of them, and a link to a page that shows you only those distributions |
|
|
sjn |
curate the list |
|
|
jjatria |
You are not the first person to suggest that, but I'm not sure how it would work: gitlab.com/raku-land/raku-land/-/issues/56 |
22:20 |
|
|
To some extent, we _do_ already curate them, like with that mapping I shared |
|
|
|
And we only show the tags that are used by at least two distributions by different authors (I think that was the rule...) |
22:21 |
|
|
sjn commented that issue |
22:33 |
|
11 Jan 2024 |
rcmlz |
FYI: apparently raku.land/ is currently not updated - shows "build 14 hours ago" |
13:28 |
|
lizmat |
jjatria ^^ |
13:29 |
|
jjatria |
Oh, we'll look into it. Thanks for the ping |
17:21 |
|
|
Sorted! A container needed a kick |
17:34 |
|
|
Thanks for the report 🙇♀️ |
|
|
10 Feb 2024 |
sjn |
\o |
21:19 |
|
|
jjatria: ping :) |
|
|
12 Feb 2024 |
jjatria |
sjn: o/ |
09:07 |
|
sjn |
jjatria: I've been (slowly) leaning into the SBOM thing; would you be up for a chat on that topic one of these days? :) |
10:14 |
|
jjatria |
sjn: Sure. I'll be traveling around until mid April, although I'll have several pockets of good internet connectivity in the middle. Maybe it's easier to do this async somehow? |
10:52 |
|
15 Feb 2024 |
tonyo |
sbom? |
04:16 |
|
lizmat |
software bill of materials |
08:25 |
|
sjn |
tonyo: there are a couple of new laws coming in EU in 2024 that require lots of businesses to keep track of exactly what software they use, how it is put together (complete dependency tree) and use this information to regularly check for vulnerabilities |
11:49 |
|
|
to make this work, there are a bunch of SBOM standards and tooling out there |
11:50 |
|
|
but common for almost all of them is that they try to figure out what's installed by basically looking what's there and infer things by filenames, decompiling, looking at compilation artifacts and symbols and whatever they can |
11:52 |
|
|
the result is that very few (if any) can get a real idea of what's actually in use on a system |
11:53 |
|
|
so that's where it's interesting for upstream publishers and package distributers (like #raku-land and the toolchains using it) can help the situation by publishing SBOM files together with the software |
11:54 |
|
|
s/can help/to help/ |
11:59 |
|
18 Feb 2024 |
tonyo |
ahh gotcha |
20:00 |
|
|
does it expose proprietary software (eg if you're selling a product everyone knows under the hood you're just using FOSS and branding it or something)? |
20:01 |
|
|
but you have everything as closed source? |
|
|
sjn |
tonyo: yes, though it's the seller's reponsibility to ensure any components they use are rolled into a vulnerability detection regime. Unsure if they have to share an SBOM of their product with downstream/customers, though I guess so if it's something that runs on customer equipment? |
20:34 |
|
tonyo |
interesting, what prompted that in the EU? i guess i can just sesarch all of this |
20:36 |
|
sjn |
a little unsure of the specifics here, though in any case that doesn't change much from an ecosystem perspective. downstream users still need to know what's going on, and if they can learn this in the form of SBOM files from their upstream providers, it'll be quite a bit easier for them (and us) |
|
|
tonyo |
i've done something that should help with this already, it was written initially to make a dependency graph but could help on the sbom side |
20:37 |
|
|
github.com/tony-o/p6-Uxmal <- this can make the graph but you can use it programmatically to just get the dep tree - not sure if it's a good starting point for the EU reqs though |
20:39 |
|
sjn |
tonyo: it started with the Log4J vulnerability some years ago, which triggered EO 14028 (Biden's "Improving the Nation’s Cybersecurity" Executive Order), followed by EU updating the NIS directive and then the Cyber Resilience Act (both two are arriving in 2024) |
20:40 |
|
tonyo |
wonder if it'll stop car manufacturers from requiring a monthly subscription to fully use the thing you've bought already |
20:41 |
|
sjn |
there are a whole lot of consequences coming from these laws, so getting into the material is better done sooner than later |
20:42 |
|
tonyo |
gotcha, yea this looks like a massive undertaking |
|
|
sjn |
at the CPAN Security Group, we've tried to put together some info on these matters, and (if all goes well) we'll get to do some real progress at the PTS in April |
20:43 |
|
|
tonyo: I _think_ a lot can be done with just a few careful changes, actually. It really doesn't have to be a massive undertaking for the language ecosystem providers out there (e.g. the CPAN toolchain folks, and anyone involved in making the Raku ecosystem work) |
20:47 |
|
|
happy to have a chat on this matter, btw |
20:48 |
|
|
I'm also (ongoing) sharing my findings on the CPAN Security Group website |
|
|
|
I, for one, would love to see some of you guys invited to PTS, to work in this stuff |
20:49 |
|
19 Feb 2024 |
tonyo |
bless, would be fun to go to another pts |
01:28 |
|