Hi.

> [...]
> https://youtu.be/iTgTe5HBYvg
> [...]
With all due assumptions that it was triggered by the Log4J security vulnerability, the "discussion" gives the impression that the software security problem is more acute with open-source. Towards the end, there was just one (soft) remark [1] about the situation not being better with proprietary software. But it was preceded by a fairly long comment easily interpreted as if SBoM is particularly needed by open-source; yet all the dependencies are already explicitly listed, or transitively accessible, in fully open-source products.

Moreover, I seem to recall (from the material gathered for the meeting with the White House representative, IIRC) that Log4J's vulnerability would turn into an actual security breach only (?) within an insecure and unusual configuration setting, whereas some questions (although legitimate) gave the impression of equating "download" with "exploitability".

Best regards,
Gilles

[1] https://youtu.be/iTgTe5HBYvg?t=4916
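The two technical points in the message above, that a declared open-source dependency graph already yields the component inventory an SBoM carries, and that a matching component is merely "present" until a configuration or reachability check says otherwise, can be shown in a few lines. The following is an added example, not code from the message, the mailing list or any Apache project. The manifests are a constructed, in-memory stand-in for pom.xml or lock files (names, versions and the single advisory record are sample data, not real advisory identifiers), and version resolution uses a simplified nearest-wins walk, which is an assumption about the build tool, not a faithful Maven implementation.

```python
"""Resolve the transitive closure of a constructed dependency graph into a
flat SBoM-like component list, then match it against a constructed advisory.

Two things the example shows:
  1. the closure (and the path explaining why each component is present)
     follows directly from the declared manifests;
  2. an advisory match reports status "present", never "exploitable":
     the manifest cannot tell whether the vulnerable code path is reachable
     or enabled in this deployment.
"""
from collections import deque

# Constructed manifests (sample data, not a real project): each entry lists
# the component's direct dependencies with the versions it declares, the way
# a pom.xml or lock file would.  Only the root carries its own version; every
# other node is assumed to be the version its nearest declarer names.
MANIFESTS = {
    "example:webapp": {
        "version": "1.0.0",
        "deps": {"example:service-lib": "2.3.0",
                 "org.springframework:spring-core": "5.3.9",
                 "com.fasterxml.jackson.core:jackson-core": "2.12.4"},
    },
    "example:service-lib": {
        "deps": {"org.apache.logging.log4j:log4j-core": "2.14.1",
                 "com.fasterxml.jackson.core:jackson-databind": "2.12.3"},
    },
    "org.springframework:spring-core": {"deps": {}},
    "org.apache.logging.log4j:log4j-core": {
        "deps": {"org.apache.logging.log4j:log4j-api": "2.14.1"},
    },
    "org.apache.logging.log4j:log4j-api": {"deps": {}},
    "com.fasterxml.jackson.core:jackson-databind": {
        # declares an older jackson-core than the root does: nearest wins
        "deps": {"com.fasterxml.jackson.core:jackson-core": "2.12.3"},
    },
    "com.fasterxml.jackson.core:jackson-core": {"deps": {}},
}

# Constructed advisory record (SAMPLE-0001 is not a real identifier); the
# affected range is sample data to be replaced by the real advisory's.
ADVISORIES = [
    {"id": "SAMPLE-0001",
     "component": "org.apache.logging.log4j:log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0",
     "note": "exploitability depends on runtime configuration; "
             "presence alone is not a breach"},
]


def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '2.14.1' -> (2, 14, 1)."""
    return tuple(int(p) for p in v.split("."))


def resolve(root, manifests=MANIFESTS):
    """Breadth-first walk from `root`; the first version reached for a
    component wins (a simplified nearest-wins rule, assumed here).
    Returns {component: (version, path_from_root)}."""
    resolved = {root: (manifests[root]["version"], [root])}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        _, path = resolved[name]
        for dep, version in manifests[name]["deps"].items():
            if dep in resolved:
                continue  # a nearer declaration already chose the version
            resolved[dep] = (version, path + [dep])
            queue.append(dep)
    return resolved


def sbom(root, manifests=MANIFESTS):
    """Flat component list: name, resolved version, and the dependency path
    that explains why the component is in the build at all."""
    return [{"name": n, "version": v, "path": " -> ".join(p)}
            for n, (v, p) in sorted(resolve(root, manifests).items())]


def match_advisories(components, advisories=ADVISORIES):
    """Findings for components whose version lies in [introduced, fixed).
    Status is deliberately 'present': whether it is exploitable needs a
    configuration/reachability check that no manifest can answer."""
    findings = []
    for c in components:
        for a in advisories:
            if c["name"] != a["component"]:
                continue
            v = parse_version(c["version"])
            if parse_version(a["introduced"]) <= v < parse_version(a["fixed"]):
                findings.append({"advisory": a["id"], "component": c["name"],
                                 "version": c["version"], "via": c["path"],
                                 "status": "present", "note": a["note"]})
    return findings


if __name__ == "__main__":
    comps = sbom("example:webapp")
    for c in comps:
        print(f'{c["name"]}@{c["version"]}  (via {c["path"]})')
    for f in match_advisories(comps):
        print(f'{f["advisory"]}: {f["component"]}@{f["version"]} '
              f'{f["status"]} via {f["via"]}; {f["note"]}')
```

Bumping the version that `example:service-lib` declares for `log4j-core` to one at or above the advisory's `fixed` value empties the findings, which is exactly the information a lock file or pom already carries; what the script cannot do is turn "present" into "exploitable", and that gap is the point of the message.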
