SFC-Talks/FOSDEM-2025-keynote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
FOSDEM-2025-keynote/index.html

264 lines
8.9 KiB
HTML
Raw Normal View History

Finished first few slides, some of old stuff is from my talk yesterday, will disappear as I go through
2025-02-02 11:09:15 +00:00
<!doctype html>
<html lang="en">
<html lang="en">
<head>
<meta charset="utf-8">
<title></title>
<meta name="description" content="Is There Really an SBOM Mandate?">
<meta name="author" content="Bradley M. Kuhn">
<meta name="apple-mobile-web-app-capable" content="no">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<link rel="stylesheet" href="css/reveal.css">
<link rel="stylesheet" href="css/theme/conservancy.css" id="theme">
<!-- Theme used for syntax highlighting of code -->
<link rel="stylesheet" href="lib/css/zenburn.css">
<!-- Printing and PDF exports -->
<script>
var link = document.createElement( 'link' );
link.rel = 'stylesheet';
link.type = 'text/css';
link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'print/paper.css';
document.getElementsByTagName( 'head' )[0].appendChild( link );
</script>
</head>
<body>
<div id="hidden" style="display:none;">
<div id="header">
<div id="header-left"></div>
<div id="header-right"></div>
<div id="footer-left"></div>
</div>
</div>
<div class="reveal">
<div class="slides">
<section>
<h3><em>The Growing Body of Proprietary Infrastructure for FOSS Development: Repeating Bad History</h3>
<p>Karen M. Sandler, Executive Director, Software Freedom Conservancy SFC</p>
<p>Karen Sandler, Executive Director, Software Freedom Conservancy</p>
<p><s>Bradley M. Kuhn, Policy Fellow &amp; Hacker-in-Residence, SFC</s></p>
<p class="copious">Bradley sends his regrets; he tested positive for
COVID-19 this morning and is quarantined.</p>
<p>FOSDEM 2025, Sunday 2 February 2025</p>
</p>
</section>
<section>
<h3>😷</h3>
<p>Bradley asked us to share the quote below and read this statement:</p>
<blockquote cite="FIXME">
Act only according to that maxim whereby you can at the same time will
that it should become a universal law.
<p align="right"> &mdash; Immanuel Kant</p></blockquote>
<img align="left" src="kant.jpg"/>
</section>
<blockquote cite="FIXME">
History doesn't repeat itself &hellip; but it often rhymes.
<p align="right"> &mdash; Samuel Clemens (nom de plume: Mark Twain)</p></blockquote>
<p><img width="50%" align="right" src="Supply-Chain-Example.png" /></p>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>Not Really!</p>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>Not Really!</p>
<ul>
<li><s>Shipping containers</s></li>
<li><s>Giant cranes</s></li>
<li><s>Leakage (literal or figurative)</s></li>
<li><s>phone, lights, motor car</s></li>
<li><s>any single luxury</s></li>
</ul>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>The analogy does not fit <strong>for the same reasons that FOSS is a moral
imperative</strong>!</p>
<p>Physical objects are hard to store, move, copy, modify and reinstall.</p>
<p>FOSS is <em>trivially</em> stored, moved, copied, modified and
reinstalled.</p></section>
<section>
<h3>Who Cares about a Software Supply Chain, Then?</h3>
</section>
<section>
<h3>Who Cares about a Software Supply Chain, Then?</h3>
<p>Manufacturers and firms who <strong>want to make proprietary
software</strong> who seek to punish (for financial gain) any consumers who
share their software in the <strong>same way the laws of physics &ldquo;punish&rdquo; us
by making it hard to move physical items around the
world</strong>.</p></section>
</section>
<section>
<h3>The Bill of Materials Is About Physical Objects</h3>
<p>SBOM, like any cute marketing term, favors form over function.</p>
</section>
<section>
<h3>SBOM Has No Formal Definition</h3>
<p>As a marketing term, SBOM lacks specificity, which we should use to our
advantage as activists.</p>
</section>
<section>
<h3>CRA Does Not Mandate a Format</h3>
<p>There are competing SBOM format standards.</p>
<p>The CRA probably says the most about SBOMs of any regulation in the
world &hellip;</p>
<p>&hellip; but it mentions it only a few times and rather vaguely.</p>
<p>&amp; CRA implementation regulations are still in flux.</p>
</section>
<section>
<p>
&ldquo;Market surveillance authorities should be able to request manufacturers
&hellip; to submit the &hellip; SBOMs that they have generated pursuant to
this Regulation. In order to protect the confidentiality of SBOMs, market
surveillance authorities should submit relevant information about
dependencies to ADCO in an anonymised and aggregated manner. &rdquo;</p>
</section>
<section>
<p>
&ldquo;[M]anufacturers should identify and document components contained in the
products with digital elements, including by drawing up an SBOM. &hellip;
Manufacturers should not be obliged to make the SBOM public.&rdquo;</p></section>
<section>
<p>
&ldquo;Implementing powers should be conferred on the Commission to
&hellip; specify the
format and elements of the SBOM &hellip; &rdquo;
</p></section>
<section>
<h3>The Biden EO is Moot</h3>
<p>You may have heard there has been a regime change in my homeland.</p>
<p>The Biden EOs are being rescinded and/or ignored.</p>
<p>There is <strong>no law in the USA that mandates SBOMs</strong>.</p>
<p>At least as long as we remain a Republic, <strong>executive orders
do not have the force of law</strong> by themselves.</p>
</section>
<section>
<h3>We Still Shouldn't Ignore SBOMs</h3>
<p>Despite there being no actual mandate, we shouldn't ignore SBOMs,
because &hellip;</p>
</section>
<section>
<h3>A Wise Lawyer Once Said</h3>
<p align="center">(heavily paraphrased)</p>
<p>Blessed are the list makers, for they shall inherit &hellip; <br/>the
&hellip; <br/>
bureaucracy &hellip; ?!?</p></section>
<section>
<h3>This Probably Will Happen To You</h3>
<p><img align="center" src="Bill_Lumbergh_Office_Space.jpeg"/></p>
</section>
<section>
<h3>Hopefully You Can Say</h3>
<p><img align="center" src="go-away-shell-script.jpg" height="200%"/></p>
</section>
<section>
<h3>The Only Truly Valuable SBOM is &hellip; </h3>
<p>The complete, corresponding source code including “scripts used to
control compilation and installation of the executable” &hellip; and a
verifiably reproducible build.</p>
<p>Everything after that is just making lists.</p>
</section>
<section>
<h3 >Follow-Up / Talk License</h3>
<p>I have a keynote about another interesting topic tomorrow:
<br/><a href="https://fosdem.org/2025/schedule/event/fosdem-2025-6153-the-growing-body-of-proprietary-infrastructure-for-foss-development-repeating-bad-history/">15:00
in Janson on SUN 2025-02-02</a>
<p>Please donate to become a Conservancy
Sustainer: <a href="https://sfconservancy.org/sustainer/">https://sfconservancy.org/sustainer/</a></p>
<img align="right" src="img/cc-by-sa-4-0_88x31.png" />
<p class="copious">Presentation and slides are: Copyright &copy; 2024, 2025 Bradley M. Kuhn,
and are licensed under the <a rel="license"
href="https://creativecommons.org/licenses/by-sa/4.0/legalcode">Creative
Commons Attribution-Share Alike 4.0 International
License</a>.</p>
<p class="copious"> Some images included herein are ©ed by others. I believe my use of
those images is fair use under USA © law (which I also believe is the
country of 1<sup>st</sup> publication under Berne). However, I suggest you
remove such images if you redistribute these slides.</p>
</section>
</div>
<script src="lib/js/head.js"></script>
<script src="js/reveal.js"></script>
<script>
Reveal.initialize({
controls: true,
progress: true,
history: true,
center: true,
transition: 'convex', // none/fade/slide/convex/concave/zoom
dependencies: [
{ src: 'lib/js/classList.js', condition: function() { return !document.body.classList; } },
{ src: 'plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
{ src: 'plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
{ src: 'plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
{ src: 'plugin/zoom-js/zoom.js', async: true },
{ src: 'plugin/notes/notes.js', async: true }
]
});
</script>
<script src="jquery/jquery-2.1.3.js"></script>
<script type="text/javascript">
// 3. On Reveal.js ready event, copy header/footer <div> into each `.slide-background` <div>
var header = $('#header').html();
if ( window.location.search.match( /print-pdf/gi ) ) {
Reveal.addEventListener( 'ready', function( event ) {
$('.slide-background').append(header);
});
}
else {
$('div.reveal').append(header);
}
</script>
</body>
</html>
Reference in a new issue Copy permalink