Відео

What is this for?

Perez George Clark Karen Hall Betty

Great analysis! Evidence for later cases, if any.

The visuals complement the content nicely.

I never really watched yt that much until I found your channel

25:00 end of the FOSDEM context intro 40:20 about "confusion" 51:05 "two competing standards for SBOM... everybody hates that".

Great talk, as expected. Thank you *so much* for taking the time to explain the difficulty of addressing non-packaged software, typically C/C++ in embedded context. I am one of those cave-men in this primitive ecosystem, and I have the outermost difficulties of *convincing* my discussion partners that this is a very real, unsolved problem. Now I have one more "see? don't take my words for granted" example, and from a highly respected industry leader. (Explaining _why_ this is a problem compared to the "easy" use cases is even more difficult, especially when discussing with non deeply technical people.) (BTW, I have _my_ own solution, inspired by a Debian idea, that works well in _my_ C/C++ embedded contexts, but cannot be generalized. So ad-hoc solution *yes*, general *no*.) It starts with the question at 46:27. I took the liberty to transcribe it all: Question about benchmarking the quality of SCA and SBOM tools... especially in the case without a package management toolchain, such as C, C++? Philippe answer: Yes, there was a big discussion on the topic. I didn't bring that as an insight but more as a cultural action, we'll look at that in a second. But generally speaking... yes, there is a problem... which is: when you have packages which are not on main package repositories and registries, and the practical is "everything you put in an embedded device, and whenever you do C/C++ development... these packages are not there. So most of the effort today on the SBOM bench-marking and review that I've seen are really comparing the somewhat *easy stuff* which is the mist of known package managers so... Javascript, npm, maven java, PyPI... these... I'm not saying these are _easy_, but these are not _super hard_ to get right. And, there is a void, for everything that's off these package registries. So did we discuss that? Yes. Is there a solution? At the moment no. And... one way... is... to... workaround things like curation format where these would become somehow a missing manifest for these packages that are not... that don't have a manifest basically. I know... I for instance curated package URL (pURL), and it's a recurring theme of concern: how do we reference a package that doesn't have a package repository and an ecosystem behind it. So I'm just raising questions, I don't have the solution. I think in the end the solution there is to evolve a convention, probably around using pURL as an identifier may be useful for generic identifiers. And the only way you can really do something that works for these, in term of recognizing the package, is either you put something that is explicit, so say a small file that we do like the do with "about code", "about file" which says "ho! this directory the lib 1.2.13, and it's been patched with this and this modifications" (as an example) *OR* you do code matching where you have a tool that can do the matching against a knowledge base, and it will be accurately recognized that this directory contains the lib 1.2.13 and it's been patched. Today, you don't really have a good solution for the latter. Most of the tools that do matching are not really answering this question. They're raising more questions and returning tons of false positives. I have a side project on that, we could discuss that separately, but.... that's an unsolved problem. And if we... if you think there's a... it's important enough to discuss that separately then let's have a discussion on that. OK. Next one...

𝓹𝓻𝓸𝓶𝓸𝓼𝓶

sorry , don't have coin openchain ?