All right. I think we know Open Source developers tend to be anti-establishment by definition, which means efforts like SWID are almost guaranteed not to be adopted within that community. SPDX also has been around for a long time, not really adopted within the Open Source community, but what's interesting is almost all of the modern components that we are talking about these days come with a native package manager. Maven, NuGet, NPM, Ruby has one, PyPI [INAUDIBLE] Docker. They all have a native coordinate system.
- From the transcript of NTIA Software Component Transparency Multistakeholder Kickoff (Part 1)
There are a few more videos under the July webcast archive, specifically NTIA Software Component Transparency Multistakeholder Kickoff (Part 2) and Overview of Commerce Department Botnet Report and Roadmap.
Understanding Key Vocab and Concepts:
Software Identification (SWID) Tags
The information in a SWID tag provides software asset management and security tools with valuable information needed to automate the management of a software install across the software's deployment lifecycle.
Software Package Data Exchange® (SPDX®)
Software Package Data Exchange® (SPDX®) is an open standard for communicating software bill of material information (including components, licenses, copyrights, and security references).
SPDX reduces redundant work by providing a common format for companies and communities to share important data about software licenses, copyrights, and security references, thereby streamlining and improving compliance.
Package manager
A package manager or package management system is a collection of software tools that automate the process of installing, upgrading, configuring, and removing computer programs for a computer's operating system in a consistent manner.[1]
[...] Package managers are designed to eliminate the need for manual installs and updates. This can be particularly useful for large enterprises whose operating systems are based on Linux and other Unix-like systems, typically consisting of hundreds or even tens of thousands of distinct software packages.
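The transcript's point that modern components already carry a native coordinate system, and the SPDX definition above, can be made concrete. The following Python is an added example (not from the NTIA page, the SPDX project, or any tool discussed here): it maps native package-manager coordinates (Maven, npm, PyPI, RubyGems, NuGet) to Package URLs, emits a minimal SPDX 2.3 JSON SBOM carrying those purls as external references, and then checks the cross-references a downstream consumer would reject. The inventory is constructed; the purl normalisation rules, the `SPDXRef-Package-` naming scheme, and the fictional NuGet package with its CPE are assumptions of the example, not facts from the page.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed inventory of the kind a build tool could dump from its native
# package manager. Real ecosystems; the nuget entry and its CPE are fictional.
SAMPLE_COMPONENTS = [
    {"type": "maven", "namespace": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.17.1", "license": "Apache-2.0"},
    {"type": "npm", "namespace": "@babel", "name": "core",
     "version": "7.24.0", "license": "MIT"},
    {"type": "pypi", "name": "Requests", "version": "2.31.0",
     "license": "Apache-2.0"},
    {"type": "gem", "name": "rails", "version": "7.1.3", "license": "MIT"},
    {"type": "nuget", "name": "Example.Widget", "version": "1.0.0",
     "license": "NOASSERTION",
     "cpes": ["cpe:2.3:a:example:widget:1.0.0:*:*:*:*:*:*:*"]},  # fictional
]


def to_purl(component):
    """Build a Package URL from native coordinates.

    Normalisation applied here is assumed from the purl spec, not taken from
    the page: pypi names are lowercased with '_' folded to '-', and every
    path segment is percent-encoded, so an npm scope '@babel' becomes '%40babel'.
    """
    ptype = component["type"].lower()
    name = component["name"]
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    parts = ["pkg:" + ptype]
    if component.get("namespace"):
        parts.append(quote(component["namespace"], safe=""))
    parts.append(quote(name, safe=""))
    purl = "/".join(parts)
    if component.get("version"):
        purl += "@" + quote(component["version"], safe="")
    return purl


def spdx_id(component):
    """SPDX identifiers may only contain letters, digits, '.' and '-'."""
    raw = "-".join(filter(None, [component["type"], component.get("namespace"),
                                 component["name"], component.get("version")]))
    return "SPDXRef-Package-" + re.sub(r"-+", "-", re.sub(r"[^A-Za-z0-9.-]", "-", raw))


def build_spdx(components, doc_name, doc_namespace, created):
    """Emit an SPDX 2.3 JSON document: one package per component, each with a
    purl external ref (category PACKAGE-MANAGER) plus any CPE security refs,
    all tied to the document by DESCRIBES relationships."""
    packages, relationships = [], []
    for c in components:
        pkg = {
            "name": c["name"],
            "SPDXID": spdx_id(c),
            "versionInfo": c.get("version", "NOASSERTION"),
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "licenseConcluded": c.get("license", "NOASSERTION"),
            "licenseDeclared": c.get("license", "NOASSERTION"),
            "copyrightText": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": to_purl(c)}],
        }
        for cpe in c.get("cpes", []):
            pkg["externalRefs"].append({"referenceCategory": "SECURITY",
                                        "referenceType": "cpe23Type",
                                        "referenceLocator": cpe})
        packages.append(pkg)
        relationships.append({"spdxElementId": "SPDXRef-DOCUMENT",
                              "relationshipType": "DESCRIBES",
                              "relatedSpdxElement": pkg["SPDXID"]})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": doc_name,
        "documentNamespace": doc_namespace,
        "creationInfo": {"created": created,
                         "creators": ["Tool: purl-to-spdx-example"]},
        "packages": packages,
        "relationships": relationships,
    }


def check_spdx(doc):
    """Return the problems a consumer would reject the SBOM for: missing
    required package fields, duplicate SPDXIDs, malformed purls, and
    relationships pointing at elements the document never defines."""
    problems, ids = [], ["SPDXRef-DOCUMENT"]
    for pkg in doc.get("packages", []):
        for field in ("name", "SPDXID", "downloadLocation"):
            if field not in pkg:
                problems.append(f"package missing {field}: {pkg.get('name')}")
        ids.append(pkg.get("SPDXID", ""))
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl" and \
               not str(ref.get("referenceLocator", "")).startswith("pkg:"):
                problems.append(f"malformed purl in {pkg.get('SPDXID')}")
    problems += [f"duplicate SPDXID: {i}" for i in sorted(set(ids)) if ids.count(i) > 1]
    known = set(ids)
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in known:
                problems.append(f"relationship refers to unknown element: {rel.get(key)}")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sbom = build_spdx(SAMPLE_COMPONENTS, "example-app",
                      "https://example.invalid/spdx/example-app", now)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_spdx(sbom))
```

The purl is what lets a consumer join this SBOM to vulnerability data without relying on free-text package names; the checker exists because a DESCRIBES relationship that points at an undefined SPDXID, or two packages sharing one ID, silently breaks that join in real tooling.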