Matt "msw" Wilson
@msw@mstdn.social  ·  activity timestamp 3 months ago
@bkuhn @bwh @bagder @reproducible_builds @lexelas I don’t think I’ve heard any arguments that SBOMs are better than CCS with independently reproducible builds.

But the ages old (uncompelling to me, personally speaking) arguments that producing CCS with build instructions is overly burdensome or impractical remain.

And of course proprietary software vendors would prefer SBOM over CCS with modification permissions in their license.

Bradley M. Kuhn
@bkuhn@fedi.copyleft.org replied  ·  activity timestamp 3 months ago
@msw

I've heard it from Compliance Industrial Complex folks many times. There are so many ppl seeking to monetize SBOMs; they were entrenched before CRA & hired lobbyists to confuse Brusselcrats into thinking SBOMs were the ultimate panacea.

It's a mess, but I have hope that @lexelas can save us! Alex gets these issues & @fsfe is trying to undo the damage as part of the CRA regs (still being written). Europeans should volunteer to help #FSFE on this.

Cc: @bwh @bagder @reproducible_builds

Matt "msw" Wilson
@msw@mstdn.social replied  ·  activity timestamp 3 months ago
@bkuhn @lexelas @fsfe @bwh @bagder @reproducible_builds all of the focus on SBOMs is troubling if the objective is building resilience in software supply chain risk management.

Even the industry players that are positioned to capitalize on growing regulatory requirements recognize that it is, (at best, IMO) only part of what you need to be thinking about.
https://csrc.nist.gov/csrc/media/Presentations/2023/managing-software-supply-chain-risk/images-media/TMackey-ssca-forum-053123.pdf#page=22

A slide from page 22 of the linked PDF from Synopsys that highlights: SBOM is only part of the “essential elements” of assuring trust in supply chain risk management.
Matt "msw" Wilson
@msw@mstdn.social replied  ·  activity timestamp 3 months ago
@bkuhn @lexelas @fsfe @bwh @bagder @reproducible_builds the over-focus on SBOMs risks a very “checkbox compliance” outcome, where the main objectives of improving resiliency, assurance, and trust are not met.
Bradley M. Kuhn
@bkuhn@fedi.copyleft.org replied  ·  activity timestamp 3 months ago
@msw wrote:
> “focus on SBOMs… [means] … main objectives of improving resiliency, assurance, & trust are not met.”

I agree completely, but sadly that's always been part of the plan. SBOMs are one of the most insidious proprietary software advocacy ideas ever invented, because they are specifically designed to convince customers that they do not need software freedom & rights in their supply chain.

The industry is indeed being sold a “bill of goods”.

Cc: @lexelas @fsfe @reproducible_builds
