tonyo ahh gotcha 20:00
does it expose proprietary software (eg if you're selling a product everyone knows under the hood you're just using FOSS and branding it or something)? 20:01
but you have everything as closed source?
sjn tonyo: yes, though it's the seller's reponsibility to ensure any components they use are rolled into a vulnerability detection regime. Unsure if they have to share an SBOM of their product with downstream/customers, though I guess so if it's something that runs on customer equipment? 20:34
tonyo interesting, what prompted that in the EU? i guess i can just sesarch all of this 20:36
sjn a little unsure of the specifics here, though in any case that doesn't change much from an ecosystem perspective. downstream users still need to know what's going on, and if they can learn this in the form of SBOM files from their upstream providers, it'll be quite a bit easier for them (and us)
tonyo i've done something that should help with this already, it was written initially to make a dependency graph but could help on the sbom side 20:37 <- this can make the graph but you can use it programmatically to just get the dep tree - not sure if it's a good starting point for the EU reqs though 20:39
sjn tonyo: it started with the Log4J vulnerability some years ago, which triggered EO 14028 (Biden's "Improving the Nation’s Cybersecurity" Executive Order), followed by EU updating the NIS directive and then the Cyber Resilience Act (both two are arriving in 2024) 20:40
tonyo wonder if it'll stop car manufacturers from requiring a monthly subscription to fully use the thing you've bought already 20:41
sjn there are a whole lot of consequences coming from these laws, so getting into the material is better done sooner than later 20:42
tonyo gotcha, yea this looks like a massive undertaking
sjn at the CPAN Security Group, we've tried to put together some info on these matters, and (if all goes well) we'll get to do some real progress at the PTS in April 20:43
tonyo: I _think_ a lot can be done with just a few careful changes, actually. It really doesn't have to be a massive undertaking for the language ecosystem providers out there (e.g. the CPAN toolchain folks, and anyone involved in making the Raku ecosystem work) 20:47
happy to have a chat on this matter, btw 20:48
I'm also (ongoing) sharing my findings on the CPAN Security Group website
I, for one, would love to see some of you guys invited to PTS, to work in this stuff 20:49