
Supply chain & Open source

Notes from George Links' talk

  • OSS strategies to build trust are organized around three pillars:
    • License
    • Security
    • Resilience

So what are the resilience indicators for a piece of software?

  • Community Activity
    • 85% of OSS projects are inactive.
      • Comment: is this noise, or is it something needed for new projects to emerge?
      • This situation leads to attackers injecting malicious code into packages, as in the SolarWinds attack.

Metrics:

Note on contributor absence: this indicates whether many different people are changing the code. It is about the differences between contributors' numbers of contributions.
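An added example (my own code, not from the talk or the projects linked below) showing how the two indicators above, community inactivity and contributor absence, can be computed from a commit log. The commit list is constructed sample data; the 365-day inactivity window and the 50% share are assumed thresholds, and the "smallest number of contributors covering 50% of commits" rule is, as far as I know, how CHAOSS defines its Contributor Absence Factor, not a definition captured in these notes.

```python
from collections import Counter
from datetime import date

# Constructed sample commit log: (author, commit date). Not real project data.
COMMITS = [
    ("alice", date(2024, 1, 5)),
    ("alice", date(2024, 1, 9)),
    ("alice", date(2024, 2, 1)),
    ("alice", date(2024, 2, 20)),
    ("bob",   date(2024, 2, 21)),
    ("bob",   date(2024, 3, 3)),
    ("carol", date(2024, 3, 10)),
    ("dave",  date(2024, 3, 12)),
]


def contributions_by_author(commits):
    """Count commits per author."""
    return Counter(author for author, _ in commits)


def contributor_absence_factor(commits, share=0.5):
    """Smallest number of contributors whose commits together cover at least
    `share` of all commits (assumed definition; 1 means one person carries the
    project). Returns 0 for an empty log."""
    counts = contributions_by_author(commits)
    total = sum(counts.values())
    if total == 0:
        return 0
    covered = 0
    # Walk contributors from most to least active, accumulating their share.
    for n, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered >= share * total:
            return n
    return len(counts)


def is_inactive(commits, today, window_days=365):
    """True if the project has had no commit within the last `window_days`
    (assumed threshold). An empty log counts as inactive."""
    if not commits:
        return True
    last = max(d for _, d in commits)
    return (today - last).days > window_days


def resilience_summary(commits, today, window_days=365):
    """Bundle the indicators into one report for a project."""
    counts = contributions_by_author(commits)
    total = sum(counts.values())
    top_share = counts.most_common(1)[0][1] / total if total else 0.0
    return {
        "contributors": len(counts),
        "commits": total,
        "top_contributor_share": round(top_share, 2),
        "contributor_absence_factor": contributor_absence_factor(commits),
        "inactive": is_inactive(commits, today, window_days),
    }


if __name__ == "__main__":
    # Evaluated on two dates: shortly after the last commit, and over a year later.
    print(resilience_summary(COMMITS, date(2024, 6, 1)))
    print(resilience_summary(COMMITS, date(2025, 6, 1)))
```

In the sample log one contributor alone accounts for half the commits, so the absence factor is 1 even though four people have committed: a head count of contributors is a weaker signal than the distribution of contributions between them, which is the point the note above makes.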

Examples of software:

https://csrc.nist.gov/projects/Software-Identification-SWID

https://bitbom.dev/

https://github.com/chaoss/grimoirelab

Examples of results:

https://report.mozilla.community/
