Post AVbtGRTuCgYtcBfcbA by yojimbo@hackers.town
(DIR) Post #AVFcibUC8uYdUIEyky by vagrantc@floss.social
2023-05-02T01:16:36Z
1 likes, 1 repeats
I am growing increasingly concerned that while all the discussion and excitement around #SBOM is definitely a prerequisite for software #SupplyChain security... It still seems to just be a marginal improvement over #JustTrustUs because there is no way to verify the software claimed in the SBOM is the software used... or is there? With #ReproducibleBuilds you get everything an SBOM has, but also the ability to independently verify it, by rebuilding and getting bit-for-bit identical results!
(DIR) Post #AVbtGRTuCgYtcBfcbA by yojimbo@hackers.town
2023-05-02T02:30:33Z
0 likes, 0 repeats
@vagrantc It's still far more likely to be helpful than closed source software that doesn't even know what its own components are, and therefore can't communicate potential vulnerabilities. It's a decent way to address a log4j situation, which was notified out-of-band from the software distribution model. But I don't see a direct link between SBOM and Reproducible Builds, in terms of the relationship between a software supplier and their customers.
(DIR) Post #AVbtGSCZWcI5qiZIDg by vagrantc@floss.social
2023-05-02T15:50:17Z
0 likes, 1 repeats
@yojimbo In simple terms, an SBOM is a list of dependencies for some software project, product, etc. Knowing what was used to build your software is a precondition for reproducible builds, so reproducible builds projects have been doing SBOM-like things (often called .buildinfo files) since before 2016... ...with the added benefit of also providing the information necessary to prove the sources used are sufficient to produce a given software artifact. In other words, a verifiable SBOM.
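An added example, not part of any post in this thread, sketching the distinction vagrantc draws between a bare component list and a verifiable one: a toy build step, a .buildinfo-style record of its inputs, environment and output, and two checks run against a substituted source tree. `sbom_check` only compares the component list (what a plain SBOM gives a consumer); `reproducible_check` rebuilds with the recorded environment and demands a bit-for-bit identical artifact. The source files, the `build` function and the constant names are constructed for illustration and are not Debian's or any project's real tooling; only the idea of pinning the build environment (here a `SOURCE_DATE_EPOCH` value) in the record follows the real .buildinfo convention.

```python
import hashlib
import os
from typing import Dict, Optional

# Constructed sample source tree: the inputs the toy build consumes.
SOURCES: Dict[str, bytes] = {
    "lib/logger.py": b"def log(msg):\n    print(msg)\n",
    "app/main.py": b"from lib.logger import log\nlog('hello')\n",
}

# Constructed substitute tree: same component names, one file's contents changed.
# A name-only component list cannot tell this apart from SOURCES.
TAMPERED: Dict[str, bytes] = dict(SOURCES)
TAMPERED["lib/logger.py"] = b"def log(msg):\n    print('patched: ' + msg)\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build(sources: Dict[str, bytes], source_date_epoch: Optional[int]) -> bytes:
    """Toy build: a header line followed by the sources in sorted order.

    With source_date_epoch=None the header carries a random build id, standing
    in for the timestamps, temp paths and build ids that make real builds
    non-reproducible. With a pinned epoch the output is a pure function of
    the inputs, so anyone with the same inputs can regenerate it exactly."""
    if source_date_epoch is None:
        header = "build-id " + os.urandom(8).hex()
    else:
        header = f"built-at {source_date_epoch}"
    out = [header.encode() + b"\n"]
    for name in sorted(sources):  # sorted: directory order must not leak in
        out.append(f"--- {name}\n".encode())
        out.append(sources[name])
    return b"".join(out)


def make_buildinfo(sources: Dict[str, bytes], source_date_epoch: Optional[int]) -> dict:
    """A .buildinfo-style record: hashes of every input, the build environment
    that matters, and the hash of the artifact that resulted."""
    artifact = build(sources, source_date_epoch)
    return {
        "inputs": {name: sha256_hex(data) for name, data in sources.items()},
        "env": {"SOURCE_DATE_EPOCH": source_date_epoch},
        "output_sha256": sha256_hex(artifact),
    }


def sbom_check(buildinfo: dict, candidate: Dict[str, bytes]) -> bool:
    """What a bare component list lets a consumer verify: the set of
    component names matches. Contents are not examined at all."""
    return set(buildinfo["inputs"]) == set(candidate)


def reproducible_check(buildinfo: dict, candidate: Dict[str, bytes]) -> bool:
    """Independent verification: rebuild from the candidate sources with the
    recorded environment and require a bit-for-bit identical artifact."""
    rebuilt = build(candidate, buildinfo["env"]["SOURCE_DATE_EPOCH"])
    return sha256_hex(rebuilt) == buildinfo["output_sha256"]


if __name__ == "__main__":
    record = make_buildinfo(SOURCES, 1577836800)  # pinned epoch: reproducible
    print("genuine tree, sbom_check:        ", sbom_check(record, SOURCES))
    print("genuine tree, reproducible_check:", reproducible_check(record, SOURCES))
    print("tampered tree, sbom_check:       ", sbom_check(record, TAMPERED))
    print("tampered tree, reproducible_check:", reproducible_check(record, TAMPERED))
    unpinned = make_buildinfo(SOURCES, None)  # no pinned environment
    print("unpinned record, rebuild matches:", reproducible_check(unpinned, SOURCES))
```

The unpinned record is the interesting failure mode: it lists exactly the right inputs, yet nobody can confirm it, because the recorded output hash can only be regenerated by the original build run. That is the gap between "here is a list" and "here is a list you can check".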
(DIR) Post #AVbtGSlfQ8MbbYzJvE by vagrantc@floss.social
2023-05-02T15:55:02Z
0 likes, 0 repeats
@yojimbo I guess it seems like a pretty low bar to simply list the dependencies of a software project, and yet it is somehow exciting for the industry at large? I worry that it will stop at some weak and unverifiable compliance checklist and go no further. We can do so much better!
(DIR) Post #AVbtGTQ4zsgpcttaue by strypey@mastodon.nzoss.nz
2023-05-13T11:01:22Z
0 likes, 0 repeats
@vagrantc SBOM would be useful for an educational project idea I call Software Burger, which visualises a package as a burger, with its direct dependencies as ingredients. The idea is that you can click on an ingredient to get its software burger and so on, until you get right down to irreducible components. @yojimbo