7 Dec 2023
jjatria Ah, my bad: we display it in the "tag" page only it seems: raku.land/tags/util 22:15
sjn that's not at all the same thing as the box of tags in the new page
yeah, no 22:16
that Tags box is just as useless (I'm sorry)
jjatria We try to group some of the author-defined tags into smaller categories, to make them more useful: gitlab.com/raku-land/raku-land/-/b...pping.toml
sjn: nothing to apologise for, but I disagree. I do think that it can be made more useful, though 22:17
sjn "How many modules exist, that are tagged with a word that the author thinks is useful" is what it looks like now
jjatria *distributions 22:18
sjn (on the tags page you linked)
yeah, dists* sorry
I'd probably curate a short-list of useful and information-bearing tags, and list the dists* in order of most common tag to least 22:19
jjatria I mean, that's what it is: the number of distributions tagged with each of them, and a link to a page that shows you only those distributions
sjn curate the list
jjatria You are not the first person to suggest that, but I'm not sure how it would work: gitlab.com/raku-land/raku-land/-/issues/56 22:20
To some extent, we _do_ already curate them, like with that mapping I shared
And we only show the tags that are used by at least two distributions by different authors (I think that was the rule...) 22:21
sjn commented that issue 22:33
11 Jan 2024
rcmlz FYI: apparently raku.land/ is currently not updated - shows "build 14 hours ago" 13:28
lizmat jjatria ^^ 13:29
jjatria Oh, we'll look into it. Thanks for the ping 17:21
Sorted! A container needed a kick 17:34
Thanks for the report 🙇‍♀️
10 Feb 2024
sjn \o 21:19
jjatria: ping :)
12 Feb 2024
jjatria sjn: o/ 09:07
sjn jjatria: I've been (slowly) leaning into the SBOM thing; would you be up for a chat on that topic one of these days? :) 10:14
jjatria sjn: Sure. I'll be traveling around until mid April, although I'll have several pockets of good internet connectivity in the middle. Maybe it's easier to do this async somehow? 10:52
15 Feb 2024
tonyo sbom? 04:16
lizmat software bill of materials 08:25
sjn tonyo: there are a couple of new laws coming in EU in 2024 that require lots of businesses to keep track of exactly what software they use, how it is put together (complete dependency tree) and use this information to regularly check for vulnerabilities 11:49
to make this work, there are a bunch of SBOM standards and tooling out there 11:50
but common for almost all of them is that they try to figure out what's installed by basically looking what's there and infer things by filenames, decompiling, looking at compilation artifacts and symbols and whatever they can 11:52
the result is that very few (if any) can get a real idea of what's actually in use on a system 11:53
so that's where it's interesting for upstream publishers and package distributors (like #raku-land and the toolchains using it) can help the situation by publishing SBOM files together with the software 11:54
s/can help/to help/ 11:59
18 Feb 2024
tonyo ahh gotcha 20:00
does it expose proprietary software (eg if you're selling a product everyone knows under the hood you're just using FOSS and branding it or something)? 20:01
but you have everything as closed source?
sjn tonyo: yes, though it's the seller's responsibility to ensure any components they use are rolled into a vulnerability detection regime. Unsure if they have to share an SBOM of their product with downstream/customers, though I guess so if it's something that runs on customer equipment? 20:34
tonyo interesting, what prompted that in the EU? i guess i can just search all of this 20:36
sjn a little unsure of the specifics here, though in any case that doesn't change much from an ecosystem perspective. downstream users still need to know what's going on, and if they can learn this in the form of SBOM files from their upstream providers, it'll be quite a bit easier for them (and us)
tonyo i've done something that should help with this already, it was written initially to make a dependency graph but could help on the sbom side 20:37
github.com/tony-o/p6-Uxmal <- this can make the graph but you can use it programmatically to just get the dep tree - not sure if it's a good starting point for the EU reqs though 20:39
sjn tonyo: it started with the Log4J vulnerability some years ago, which triggered EO 14028 (Biden's "Improving the Nation's Cybersecurity" Executive Order), followed by EU updating the NIS directive and then the Cyber Resilience Act (both are arriving in 2024) 20:40
tonyo wonder if it'll stop car manufacturers from requiring a monthly subscription to fully use the thing you've bought already 20:41
sjn there are a whole lot of consequences coming from these laws, so getting into the material is better done sooner than later 20:42
tonyo gotcha, yea this looks like a massive undertaking
sjn at the CPAN Security Group, we've tried to put together some info on these matters, and (if all goes well) we'll get to do some real progress at the PTS in April 20:43
tonyo: I _think_ a lot can be done with just a few careful changes, actually. It really doesn't have to be a massive undertaking for the language ecosystem providers out there (e.g. the CPAN toolchain folks, and anyone involved in making the Raku ecosystem work) 20:47
happy to have a chat on this matter, btw 20:48
I'm also (ongoing) sharing my findings on the CPAN Security Group website
I, for one, would love to see some of you guys invited to PTS, to work on this stuff 20:49
19 Feb 2024
tonyo bless, would be fun to go to another pts 01:28