Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18


 

The OpenChain Project will run a mini-summit adjacent to Open Source Summit Europe (OSS EU) on the 18th of September 2023. As with previous mini-summits, we encourage everyone to come together and network in person. There is also an option to attend virtually. There is a nominal fee of $5 to attend in person, but you can contact us if this causes issues for your budget.

During Open Source Summit North America (OSS NA), we had two talks on automation for security and compliance, and it was clear that this topic resonated. The Q&A ran long, and our agenda had to be shortened to reflect this.

To address this obvious market interest, we will again return to automation for OSS EU, and we will invite some of our European colleagues to do deep dives into the current state of the market. We want to ensure this is a practical event focused on the implementation of processes that support our standards for license compliance and security assurance in organizations.

Check out the Mini-Summit listing for the event:
https://events.linuxfoundation.org/open-source-summit-europe/features/co-located-events/#openchain-project-mini-summit


Mattran, Mary
 

Hi Shane, 

The (virtual) OS Summit for North America was awesome. I attended many sessions and took copious notes that I will share with my team. The likelihood of being able to attend in person is very slim. For the NA summit, I looked for a recording for the OpenChain mini-summit but there isn't one. Do you know if this will be remedied?

Mary


 

Hi Mary!

I am afraid that because the event was fully integrated into Open Source Summit North America, it was officially being delivered via their stream, and that was live-only.

There was an OpenChain Zoom dial-in, but honestly the capture was really only on the speakers, and really only mediocre. I did not have access to or control over room audio, and it was a big room. I can publish that Zoom recording but it will be low quality. Meanwhile, the slides are all here:
https://www.openchainproject.org/news/2023/05/10/openchain-mini-summit-2023-oss-na

I would like to work out a way to make our future summits fully recorded and released, even when they are co-located in the official tracks of major events, and therefore audio/visual is not necessarily in my hands.

Regards

Shane

On May 19, 2023, at 21:33, Mattran, Mary <mary.mattran@...> wrote:



Steve Kilbane
 

Hi Mary,

 

Here are my notes from the OpenChain mini-summit (or, at least, the sections where I can read my own handwriting…) – I'd particularly welcome comments / corrections from the presenters.

 

  • Expecting the Security Spec to graduate from ISO/IEC at end of July.
  • Shane has produced 8 case studies using ChatGPT.
  • Helio on "State of Tooling in Open Source Automation" (Helio can probably share his slides, if they're not already on the LF platform)
    • Tools, Trends, Insights.
    • Previous trend was license compliance.
    • Current trend is security.
    • Few can consume SBOMs.
    • Lots of gaps for license compliance automation.
    • We need open data, avoiding control of that data by one entity.
    • Binary analysis will displace source-only scans.
      • I think the point here is that current binary scans aren't sufficient, but as we move up SLSA levels, we'll have more attestations from the build, and those will be sufficient.
    • Poor data quality, especially vulnerability databases.
    • PURLs prevent vendor lock-in to a given DB.
      • We need unique identifiers for software.
    • We need to share the data of package review and curation, but need to overcome concerns from legal departments.
    • Should we share scanner output first? (ahead of curations?)
    • We should try to fix upstream (to have better compliance info / metadata)
    • Helio wants data to be standardised; I was unclear whether Helio was saying data should be centralised or de-centralised (sorry, Helio). I wasn't clear whether the call was for a federated network of standard servers.
    • Licensing isn't the same as security. Lots in common, but different use-cases, with different audiences, so have different docs to explain your systems and tools.
    • License compatibility: Multiple tools / matrices in use, but they're all legally subjective and dependent on jurisdiction.
    • Snippet matching
      • V. expensive in terms of time (and, therefore, money)
      • Weirdly, Helio argued that Synopsys has given up on Snippet matching, as they've all but abandoned Protex. Hub has snippet-matching – we use it all the time at ADI.
      • Suggests that ChatGPT et al. will make snippet matching more relevant and useless, at the same time, because it'll generate new boilerplate from everyone's code.
      • Note to self: Look into MatchCode, which Helio mentioned.
    • SBOMs
      • Not good, don't have all the data.
      • Often can't read them anyway.
      • Tools do not integrate them well.
      • SBOMs need to be validated – but even a valid SBOM can contain junk data, if the data is wrong in the first place.
    • Collaboration opportunities
      • "Live inventory of FOSS tools and their capabilities" – which sounds like the capability map / tooling landscape the OpenChain Automation WG was working on last year.
  • FossLight presentation from LG (fosslight.org)
    • Scans with ScanOSS and ScanCode.
    • Bunch of package managers supported.
    • Has a built-in workflow – SBOM management?
    • Has a Jenkins CI for the prechecker.
    • Mails vulnerability notices to the dev team.
    • Has a Supply Chain Management section, for third-party code.
    • Unclear how many of the features being mentioned are part of the OSS product, and how many are still internal-only for LG.
    • I didn't spot where the clearing/curation decision feeds back into a later scan.
    • Sounds like developers can only upload single packages at a time to be scanned; bulk upload is an internal-only package at the moment.
  • Shane mentioned a cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn't catch). The OSPO budgeted three hours to do the job. They spent a week on it, then gave up and bought Black Duck. So we have a way to go on making tooling easier to set up.

 

From: main@... <main@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Monday, 22 May 2023 at 20:25
To: OpenChain Main <main@...>
Subject: Re: [openchain] Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18


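Two of the points in the notes above (PURLs as database-independent identifiers, and SBOMs that validate but still carry junk data) can be made concrete with a small check. What follows is an added example, not code from this thread or from any of the tools mentioned (FossLight, FOSSology, sw360, ScanCode, ScanOSS): a simplified purl parser and a consistency pass over a constructed CycloneDX-style SBOM document. The sample SBOM, the KNOWN_PURL_TYPES subset and the wording of the findings are all assumptions made for the example.

```python
"""Added example (not from the thread): parse package URLs (purl) and
sanity-check the component entries of a small constructed CycloneDX-style
SBOM, to show that a structurally valid SBOM can still carry junk data."""
import json
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Assumption: a subset of purl types; a real checker would use the full purl-spec list.
KNOWN_PURL_TYPES = {"cargo", "deb", "generic", "github", "golang", "maven", "npm", "pypi", "rpm"}


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(s: str) -> Purl:
    """Simplified parser for pkg:type/namespace/name@version?qualifiers#subpath."""
    if not s.startswith("pkg:"):
        raise ValueError(f"not a purl: {s!r}")
    rest = s[len("pkg:"):].lstrip("/")
    subpath = None
    if "#" in rest:                      # subpath comes last in the purl grammar
        rest, subpath = rest.split("#", 1)
    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            if pair:
                key, _, value = pair.partition("=")
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:
        # rsplit: the version is the last '@'-separated piece, so an npm scope
        # written with a literal '@' in the namespace does not confuse it.
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {s!r}")
    ptype = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return Purl(ptype, namespace, name, version, qualifiers, subpath)


def check_sbom(doc: dict) -> List[Tuple[str, str]]:
    """Return (bom-ref, problem) findings for data that a schema check would accept."""
    findings: List[Tuple[str, str]] = []
    seen_refs = set()
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        if ref in seen_refs:
            findings.append((ref, "duplicate bom-ref"))
        seen_refs.add(ref)
        purl_str = comp.get("purl")
        if not purl_str:
            findings.append((ref, "no purl: cannot be matched against any vulnerability database"))
            continue
        try:
            purl = parse_purl(purl_str)
        except ValueError as exc:
            findings.append((ref, f"unparseable purl: {exc}"))
            continue
        if purl.type not in KNOWN_PURL_TYPES:
            findings.append((ref, f"unknown purl type {purl.type!r}"))
        if purl.version is None:
            findings.append((ref, "purl has no version: vulnerability lookups cannot be exact"))
        elif comp.get("version") and comp["version"] != purl.version:
            findings.append((ref, f"version mismatch: component says {comp['version']!r}, purl says {purl.version!r}"))
        if comp.get("name") and comp["name"] != purl.name:
            findings.append((ref, f"name mismatch: component says {comp['name']!r}, purl says {purl.name!r}"))
    return findings


# Constructed sample document: well-formed, but four of its entries are junk.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "c1", "type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"bom-ref": "c2", "type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.20"},                      # version disagrees with purl
        {"bom-ref": "c3", "type": "library", "name": "animations", "version": "12.3.1",
         "purl": "pkg:npm/%40angular/animations@12.3.1"},        # scoped npm name, consistent
        {"bom-ref": "c4", "type": "library", "name": "libfoo", "version": "1.0",
         "purl": "pkg:generic/libfoo"},                          # purl carries no version
        {"bom-ref": "c5", "type": "library", "name": "mystery-lib", "version": "0.1"},  # no purl
        {"bom-ref": "c1", "type": "library", "name": "urllib3", "version": "2.0.4",
         "purl": "pkg:pypi/urllib3@2.0.4"},                      # reuses c1's bom-ref
    ],
}


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SBOM
    findings = check_sbom(doc)
    for ref, problem in findings:
        print(f"{ref}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as-is to see the four findings on the constructed document, or pass the path of a CycloneDX JSON file as the first argument. The structural checks a schema validator performs (required fields, value types) are deliberately not repeated here; the point is the second layer the notes call for, whether the identifiers inside a well-formed document actually agree with each other, because that is where a downstream vulnerability lookup silently goes wrong.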
Mattran, Mary
 

Thank you, Steve!  This is very helpful.


Christopher Wood
 

Thanks Steve
I appreciate your note-taking skills. I attempted to document what happened during the mini summit but, as Shane said, much of it was inaudible, and when there were slides it was difficult to follow the story.
Best Regards
Chris

On May 23, 2023, at 4:45 AM, Steve Kilbane <stephen.kilbane@...> wrote:




Steve, your notes are *amazing.* Thank you so much. With your permission, I am going to add them to our blog post containing the slides:
https://www.openchainproject.org/news/2023/05/10/openchain-mini-summit-2023-oss-na

About the final point:
> cautionary tale on automation from a Chinese company. They asked their OSPO to set up Fossology and (some other tool I didn't catch)

It was FOSSology and sw360.

regards

Shane

On May 23, 2023, at 18:45, Steve Kilbane <stephen.kilbane@...> wrote:






Steve Kilbane
 

Please feel free. And my apologies to the LG presenter, too – I didn't manage to catch your name.

 

From: main@... <main@...> on behalf of Shane Coughlan <scoughlan@...>
Date: Wednesday, 24 May 2023 at 07:42
To: OpenChain Main <main@...>
Subject: Re: [openchain] Coming Soon: OpenChain Mini-Summit at Open Source Summit Europe – 2023-09-18
