fosstodon.org is one of the many independent Mastodon servers you can use to participate in the fediverse.
@sethmlarson I had to do this at a previous company. We ended up investigating third party solutions and went with Black Duck though I have nothing but good things to say about TideLift.

The problem with a language specific SBOM tool is that people who want an SBOM want it for every piece of code at your whole company. That said, having a tool we could use instead of needing to use an expensive third party service would have been awesome.

@sethmlarson One thing to note is that a big area beyond just security/CVEs is license compliance, being able to exclude specific licenses. Compliance risk is just as real a concern as security risk!

@EMR The overall theme is empowerment; I don't want to create new tools.

Today there isn't a place to put information about other bundled software in Python packages. Because there is no place for this information, downstream SBOM tools cannot accurately detect or describe the bundled software. It also means projects aren't able to receive contributions from motivated users wanting to contribute SBOM data to projects.

@sethmlarson Ahh, yeah, that's painful stuff. I usually see it in the form of "in order to install this python package you must also install this OS package." Postgres is one that's caused pain in that regard pretty frequently. Even if it's not in the package it's still a dependency and still getting missed in the SBOM.
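To make the two concerns above concrete (bundled or OS-level software that downstream tools miss, and license exclusion), here is an added example, not code from anyone in this thread or from the proposal: a small consumer of a CycloneDX-style SBOM. The SBOM is a constructed sample for a hypothetical wheel `pgclient` that bundles `libpq`, nested as a sub-component with a `pkg:generic` purl; the audit lists anything that is nested or not a PyPI package, and flags components whose SPDX license id is on a deny list.

```python
import json

# Constructed sample SBOM (CycloneDX JSON shape). "pgclient" and "gpl-helper"
# are hypothetical packages; libpq stands in for the bundled Postgres client.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library", "name": "pgclient", "version": "1.0.0",
            "purl": "pkg:pypi/pgclient@1.0.0",
            "licenses": [{"license": {"id": "MIT"}}],
            # Software shipped inside the wheel, invisible to a PyPI-only scanner
            "components": [
                {
                    "type": "library", "name": "libpq", "version": "16.1",
                    "purl": "pkg:generic/libpq@16.1",
                    "licenses": [{"license": {"id": "PostgreSQL"}}],
                },
            ],
        },
        {
            "type": "library", "name": "gpl-helper", "version": "0.3",
            "purl": "pkg:pypi/gpl-helper@0.3",
            "licenses": [{"license": {"id": "GPL-3.0-only"}}],
        },
    ],
})


def iter_components(components, depth=0):
    """Yield (component, depth) for every component, recursing into nested ones."""
    for comp in components:
        yield comp, depth
        yield from iter_components(comp.get("components", []), depth + 1)


def license_ids(comp):
    """SPDX ids declared on a component; NOASSERTION when the entry has no id."""
    return [lic.get("license", {}).get("id", "NOASSERTION")
            for lic in comp.get("licenses", [])]


def audit_sbom(sbom_json, denied_licenses):
    """Return purls of bundled/non-PyPI components and (purl, license) violations."""
    sbom = json.loads(sbom_json)
    bundled, violations = [], []
    for comp, depth in iter_components(sbom.get("components", [])):
        purl = comp.get("purl", "")
        if depth > 0 or not purl.startswith("pkg:pypi/"):
            bundled.append(purl)  # nested, or not something pip installed
        for lic in license_ids(comp):
            if lic in denied_licenses:
                violations.append((purl, lic))
    return {"bundled": bundled, "violations": violations}
```

`audit_sbom(SAMPLE_SBOM, {"GPL-3.0-only"})` reports `libpq` as bundled and `gpl-helper` as a license violation.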

@EMR That's a great specific case for me to test out. I'll add that to my list of projects to survey.

@sethmlarson Oh, this is very cool. How can I support you as a person who would like to utilize this in the future?

@CodenameTim Happy to hear you're interested :) The best way to help is to share information about your use cases. If you know about projects that might be affected or have exotic build setups that aren't yet mentioned, it's great to know about those too. If you have time you can read the proposal in the GitHub repository and let me know what you think, too! :)

@sethmlarson Hmm, the most exotic package I've come across is the Scout APM Python agent, which had a CPython component.

My use case is trying to communicate the SBOM to other devs as a part of Django Commons. I think there's a reasonable amount of trust we could establish in those community-run packages, and having an SBOM would be a step in that direction.