tonyo |
sbom? |
04:16 |
|
lizmat |
software bill of materials |
08:25 |
|
sjn |
tonyo: there are a couple of new laws coming in the EU in 2024 that require lots of businesses to keep track of exactly what software they use, how it is put together (complete dependency tree) and use this information to regularly check for vulnerabilities
11:49 |
|
|
to make this work, there are a bunch of SBOM standards and tooling out there |
11:50 |
|
|
but common for almost all of them is that they try to figure out what's installed by basically looking at what's there and inferring things from filenames, decompiling, looking at compilation artifacts and symbols and whatever they can
11:52 |
|
|
the result is that very few (if any) can get a real idea of what's actually in use on a system |
11:53 |
|
|
so that's where it's interesting for upstream publishers and package distributors (like #raku-land and the toolchains using it) can help the situation by publishing SBOM files together with the software
11:54 |
|
|
s/can help/to help/ |
11:59 |
|