Lightning Talks Day 2 & Closing session | PackagingCon 2023

Devbox: reproducible project-based environments or why global packages considered harmful – Mike Landau

We’ll talk about the tradeoffs of global vs. project-based package managers and introduce Devbox by jetpack.io, a powerful open-source tool that leverages Nix to create portable, reproducible environments.

Package management analysis in the OSS Review Toolkit – Sebastian Schuberth

Analyzing the dependencies as declared by package managers is the first step towards creating SBOMs or querying known vulnerabilities for software projects. This talk gives an overview of the abstractions made in the OSS Review Toolkit to support more than 25 package managers, and of the challenges in modelling their different behaviors and resolution processes.

Poetry's dependency resolver and its environment-independent lockfile – Randy Döring

Poetry is a quite popular tool for dependency management and packaging of Python projects. A prominent feature of Poetry is the generation of an environment-independent lockfile. This means that it does not matter whether the lockfile has been created on Linux or Windows, with Python 3.8 or Python 3.11, and so on: it will be the same, and suitable for every possible environment.

Reverse Engineering Package Registries In The Middle Of Nowhere – Samuel Cochran

There are many different package registries in different ecosystems. We rely on them so much now that we take them for granted. But how do they work, and what’s inside? This talk explores what makes package registries tick, and how to mirror them with integrity. We'll focus on RubyGems, but touch on npm (JavaScript/Node), Hex (Elixir), Homebrew (macOS), Ubuntu (Debian) and Fedora (RPM).

Untangling Software Supply Chain sBO(O)M – Daniel Liszka

Software Bills of Materials (SBOMs) are booming (or sBO(O)Ming) today, becoming a backbone of many software supply chain security and compliance efforts. This session will cover the speakers' real-world experiences when they created their own SBOM format and put it into production long before SBOM became a thing. We will talk about SBOM basics, formats, and industry standards; showcase three stages of SBOM management (collection/producers, distribution/storage, and analysis/consumers); walk you through various rapidly growing tools from each category; and discuss strategies for building your own built-to-your-spec solution.