| tonyo | ahh gotcha | 20:00 | |
| does it expose proprietary software (eg if you're selling a product everyone knows under the hood you're just using FOSS and branding it or something)? | 20:01 | ||
| but you have everything as closed source? | |||
| sjn | tonyo: yes, though it's the seller's reponsibility to ensure any components they use are rolled into a vulnerability detection regime. Unsure if they have to share an SBOM of their product with downstream/customers, though I guess so if it's something that runs on customer equipment? | 20:34 | |
| tonyo | interesting, what prompted that in the EU? i guess i can just sesarch all of this | 20:36 | |
| sjn | a little unsure of the specifics here, though in any case that doesn't change much from an ecosystem perspective. downstream users still need to know what's going on, and if they can learn this in the form of SBOM files from their upstream providers, it'll be quite a bit easier for them (and us) | ||
| tonyo | i've done something that should help with this already, it was written initially to make a dependency graph but could help on the sbom side | 20:37 | |
| github.com/tony-o/p6-Uxmal <- this can make the graph but you can use it programmatically to just get the dep tree - not sure if it's a good starting point for the EU reqs though | 20:39 | ||
| sjn | tonyo: it started with the Log4J vulnerability some years ago, which triggered EO 14028 (Biden's "Improving the Nation’s Cybersecurity" Executive Order), followed by EU updating the NIS directive and then the Cyber Resilience Act (both two are arriving in 2024) | 20:40 | |
| tonyo | wonder if it'll stop car manufacturers from requiring a monthly subscription to fully use the thing you've bought already | 20:41 | |
| sjn | there are a whole lot of consequences coming from these laws, so getting into the material is better done sooner than later | 20:42 | |
| tonyo | gotcha, yea this looks like a massive undertaking | ||
| sjn | at the CPAN Security Group, we've tried to put together some info on these matters, and (if all goes well) we'll get to do some real progress at the PTS in April | 20:43 | |
| tonyo: I _think_ a lot can be done with just a few careful changes, actually. It really doesn't have to be a massive undertaking for the language ecosystem providers out there (e.g. the CPAN toolchain folks, and anyone involved in making the Raku ecosystem work) | 20:47 | ||
| happy to have a chat on this matter, btw | 20:48 | ||
| I'm also (ongoing) sharing my findings on the CPAN Security Group website | |||
| I, for one, would love to see some of you guys invited to PTS, to work in this stuff | 20:49 |