Package Managers, Software Security and Functional Safety | PackagingCon 2023

Talk at PackagingCon 2023 by Maximilian Huber and Gary O'Neall.

The software supply chain has been an increasingly vulnerable target due to the downstream users of open source software not being aware that they are using compromised or vulnerable components. Log4Shell and SolarWinds are just two prominent examples of supply chain attacks causing significant damage to a large population of downstream users.
Package Managers already provide critical information through package metadata, however most software developed crosses several package manager boundaries (e.g. using Gradle in the back-end and NPM in the front-end). To really provide a solution to supply chain vulnerabilities, an integrated view of software dependencies need to be provided.
In this talk, we will provide practical advice to package manager software developers on how they can provide critical information in a manner that can be integrated across different package manager ecosystems resulting in greatly improved security across the entire software supply chain. We will also cover how that same information can improve open source license compliance and software product safety.

Based on over 10 years of experience producing Software Bills of Materials (SBOMs), consuming SBOMs, and maintaining open source tools for SBOMs, we will present what information needs to be provided, formats that support the information, open source tools that can be used and how the consumers use those tools.
By the end of the presentation, package manager developers, maintainers and contributors should have a clear understanding of how to improve the overall security and safety for those using their package manager systems.
_____________________

Maximilian Huber is a open source compliance nerd and principal consultant at TNG Technology Consulting, where he is specialized on building and integrating Open Source compliance solutions from Open Source.

He is a commiter and maintainer in several Open Source projects like FOSSology, SW360, LDBcollector, yacp and the license-compliance-toolbox. His activity can be found on https://github.com/maxhbr.

Maximilian other most prominent interests are functional programming languages like Haskell and functional package managing with NixOS.

Gary is a contributor to the Software Package Data Exchange® (SPDX™) - an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools including the SPDX Java Libraries and Tools which can be found at https://spdx.dev/spdx-tools/.

Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.