Remove old SBOM slides from yesterday's talk.

Bradley M. Kuhn 2025-02-02 12:34:26 +01:00
parent f4e8af208c
commit 4480d19b43


@ -82,144 +82,6 @@
<!-- NO ONE BUT BKUHN EDIT BELOW YET: -->
<section>
<h3>Is There Really a Software Supply Chain?</h3>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>Not Really!</p>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>Not Really!</p>
<ul>
<li><s>Shipping containers</s></li>
<li><s>Giant cranes</s></li>
<li><s>Leakage (literal or figurative)</s></li>
<li><s>phone, lights, motor car</s></li>
<li><s>any single luxury</s></li>
</ul>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>The analogy does not fit <strong>for the same reasons that FOSS is a moral
imperative</strong>!</p>
<p>Physical objects are hard to store, move, copy, modify and reinstall.</p>
<p>FOSS is <em>trivially</em> stored, moved, copied, modified and
reinstalled.</p></section>
<section>
<h3>Who Cares about a Software Supply Chain, Then?</h3>
</section>
<section>
<h3>Who Cares about a Software Supply Chain, Then?</h3>
<p>Manufacturers and firms who <strong>want to make proprietary
software</strong> who seek to punish (for financial gain) any consumers who
share their software in the <strong>same way the laws of physics &ldquo;punish&rdquo; us
by making it hard to move physical items around the
world</strong>.</p></section>
</section>
<section>
<h3>The Bill of Materials Is About Physical Objects</h3>
<p>SBOM, like any cute marketing term, favors form over function.</p>
</section>
<section>
<h3>SBOM Has No Formal Definition</h3>
<p>As a marketing term, SBOM lacks specificity, which we should use to our
advantage as activists.</p>
</section>
<section>
<h3>CRA Does Not Mandate a Format</h3>
<p>There are competing SBOM format standards.</p>
<p>The CRA probably says the most about SBOMs of any regulation in the
world &hellip;</p>
<p>&hellip; but it mentions it only a few times and rather vaguely.</p>
<p>&amp; CRA implementation regulations are still in flux.</p>
</section>
<section>
<p>
&ldquo;Market surveillance authorities should be able to request manufacturers
&hellip; to submit the &hellip; SBOMs that they have generated pursuant to
this Regulation. In order to protect the confidentiality of SBOMs, market
surveillance authorities should submit relevant information about
dependencies to ADCO in an anonymised and aggregated manner. &rdquo;</p>
</section>
<section>
<p>
&ldquo;[M]anufacturers should identify and document components contained in the
products with digital elements, including by drawing up an SBOM. &hellip;
Manufacturers should not be obliged to make the SBOM public.&rdquo;</p></section>
<section>
<p>
&ldquo;Implementing powers should be conferred on the Commission to
&hellip; specify the
format and elements of the SBOM &hellip; &rdquo;
</p></section>
<section>
<h3>The Biden EO is Moot</h3>
<p>You may have heard there has been a regime change in my homeland.</p>
<p>The Biden EOs are being rescinded and/or ignored.</p>
<p>There is <strong>no law in the USA that mandates SBOMs</strong>.</p>
<p>At least as long as we remain a Republic, <strong>executive orders
do not have the force of law</strong> by themselves.</p>
</section>
<section>
<h3>We Still Shouldn't Ignore SBOMs</h3>
<p>Despite there being no actual mandate, we shouldn't ignore SBOMs,
because &hellip;</p>
</section>
<section>
<h3>A Wise Lawyer Once Said</h3>
<p align="center">(heavily paraphrased)</p>
<p>Blessed are the list makers, for they shall inherit &hellip; <br/>the
&hellip; <br/>
bureaucracy &hellip; ?!?</p></section>
<section>
<h3>This Probably Will Happen To You</h3>
<p><img align="center" src="Bill_Lumbergh_Office_Space.jpeg"/></p>
</section>
<section>
<h3>Hopefully You Can Say</h3>
<p><img align="center" src="go-away-shell-script.jpg" height="200%"/></p>
</section>
<section>
<h3>The Only Truly Valuable SBOM is &hellip; </h3>
<p>The complete, corresponding source code including “scripts used to
control compilation and installation of the executable” &hellip; and a
verifiably reproducible build.</p>
<p>Everything after that is just making lists.</p>
</section>
<section>
<h3 >Follow-Up / Talk License</h3>
<p>I have a keynote about another interesting topic tomorrow:
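Review bot: The removal runs past the SBOM material into the "Follow-Up / Talk License" slide (the `<h3 >Follow-Up / Talk License</h3>` heading and the `<p>I have a keynote about another interesting topic tomorrow:` paragraph at the end of the hunk), which the commit message does not describe as an old SBOM slide; if the license and follow-up slide is meant to stay in the deck, confirm it is among the six retained lines or re-add it after the deleted block. The same span also drops the `<!-- NO ONE BUT BKUHN EDIT BELOW YET: -->` sentinel comment, so anyone relying on that marker to find the editable region should be told it is gone. One side effect worth noting: the removed slides contained a stray extra `</section>` right after the "Who Cares about a Software Supply Chain, Then?" slide's `</p></section>`, so that markup error leaves with this hunk and needs no separate fix.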