Remove old SBOM slides from yesterday's talk.
This commit is contained in:
parent
f4e8af208c
commit
4480d19b43
1 changed files with 0 additions and 138 deletions
138
index.html
@ -82,144 +82,6 @@
<!-- NO ONE BUT BKUHN EDIT BELOW YET: -->
<section>
<h3>Is There Really a Software Supply Chain?</h3>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>Not Really!</p>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>Not Really!</p>
<ul>
<li><s>Shipping containers</s></li>
<li><s>Giant cranes</s></li>
<li><s>Leakage (literal or figurative)</s></li>
<li><s>phone, lights, motor car</s></li>
<li><s>any single luxury</s></li>
</ul>
</section>
<section>
<h3>Is There Really a Software Supply Chain?</h3>
<p>The analogy does not fit <strong>for the same reasons that FOSS is a moral
imperative</strong>!</p>
<p>Physical objects are hard to store, move, copy, modify and reinstall.</p>
<p>FOSS is <em>trivially</em> stored, moved, copied, modified and
reinstalled.</p></section>
<section>
<h3>Who Cares about a Software Supply Chain, Then?</h3>
</section>
<section>
<h3>Who Cares about a Software Supply Chain, Then?</h3>
<p>Manufacturers and firms who <strong>want to make proprietary
software</strong> who seek to punish (for financial gain) any consumers who
share their software in the <strong>same way the laws of physics “punish” us
by making it hard to move physical items around the
world</strong>.</p></section>
</section>
<section>
<h3>The Bill of Materials Is About Physical Objects</h3>
<p>SBOM, like any cute marketing term, favors form over function.</p>
</section>
<section>
<h3>SBOM Has No Formal Definition</h3>
<p>As a marketing term, SBOM lacks specificity, which we should use to our
advantage as activists.</p>
</section>
<section>
<h3>CRA Does Not Mandate a Format</h3>
<p>There are competing SBOM format standards.</p>
<p>The CRA probably says the most about SBOMs of any regulation in the
world …</p>
<p>… but it mentions it only a few times and rather vaguely.</p>
<p>& CRA implementation regulations are still in flux.</p>
</section>
<section>
<p>
“Market surveillance authorities should be able to request manufacturers
… to submit the … SBOMs that they have generated pursuant to
this Regulation. In order to protect the confidentiality of SBOMs, market
surveillance authorities should submit relevant information about
dependencies to ADCO in an anonymised and aggregated manner. ”</p>
</section>
<section>
<p>
“[M]anufacturers should identify and document components contained in the
products with digital elements, including by drawing up an SBOM. …
Manufacturers should not be obliged to make the SBOM public.”</p></section>
<section>
<p>
“Implementing powers should be conferred on the Commission to
… specify the
format and elements of the SBOM … ”
</p></section>
<section>
<h3>The Biden EO is Moot</h3>
<p>You may have heard there has been a regime change in my homeland.</p>
<p>The Biden EOs are being rescinded and/or ignored.</p>
<p>There is <strong>no law in the USA that mandates SBOMs</strong>.</p>
<p>At least as long as we remain a Republic, <strong>executive orders
do not have the force of law</strong> by themselves.</p>
</section>
<section>
<h3>We Still Shouldn't Ignore SBOMs</h3>
<p>Despite there being no actual mandate, we shouldn't ignore SBOMs,
because …</p>
</section>
<section>
<h3>A Wise Lawyer Once Said</h3>
<p align="center">(heavily paraphrased)</p>
<p>Blessed are the list makers, for they shall inherit … <br/>the
… <br/>
bureaucracy … ?!?</p></section>
<section>
<h3>This Probably Will Happen To You</h3>
<p><img align="center" src="Bill_Lumbergh_Office_Space.jpeg"/></p>
</section>
<section>
<h3>Hopefully You Can Say</h3>
<p><img align="center" src="go-away-shell-script.jpg" height="200%"/></p>
</section>
<section>
<h3>The Only Truly Valuable SBOM is … </h3>
<p>The complete, corresponding source code including “scripts used to
control compilation and installation of the executable” … and a
verifiably reproducible build.</p>
<p>Everything after that is just making lists.</p>
</section>
<section>
<h3 >Follow-Up / Talk License</h3>
<p>I have a keynote about another interesting topic tomorrow:
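Review bot: the removed block closes one more `<section>` than it opens (19 `</section>` against 18 `<section>`): the lone `</section>` that follows `</p></section>` at the end of the "Who Cares about a Software Supply Chain, Then?" slide closes an element whose opening tag lies outside this hunk. The hunk alone cannot show whether that leaves the surviving index.html with an unclosed `<section>` or instead fixes a pre-existing extra close tag, so please verify the nesting of the result before merging, for example by comparing `grep -c '<section' index.html` with `grep -c '</section>' index.html`, since an unbalanced section tag changes how reveal.js groups the remaining slides.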