Do any of you have suggestions for managing SBOM and license compliance with OSS solutions? I've looked into DejaCode and ScanCode[.]io. DejaCode makes a good first impression but has some serious limitations when it comes to SBOM processing (supported format versions, handling of hierarchies). I would like to use something that allows a review process and handling of more complex licensing (e.g. dual licensing, SPDX expressions) before generating the final SBOM. Basically what DejaCode does but with better SBOM handling. #sbom #cra #compliance #license #foss
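The question above asks for tooling that can evaluate dual licensing and SPDX expressions before the final SBOM is produced. The following is an added example, not code from DejaCode, ScanCode.io or any other tool named in the post: a small recursive-descent parser for SPDX license expressions (OR, AND, WITH, parentheses) plus a review step that concludes a policy-compliant license for each component. The allow-list format, the component records and the `review()` helper are assumptions made for this illustration; the sample SBOM is constructed.

```python
"""Review SPDX license expressions in an SBOM against an allow-list policy.

Added example for illustration; not the code of any tool mentioned in the
post. Policy format, component records and review() are assumptions.
"""
import re
from typing import Optional

_KEYWORDS = {"AND", "OR", "WITH"}


def tokenize(expr: str) -> list[str]:
    # Split into parentheses and whitespace-free words.
    return re.findall(r"\(|\)|[^\s()]+", expr)


class _Parser:
    # Precedence from lowest to highest binding: OR, AND, WITH.
    def __init__(self, expr: str):
        self.toks = tokenize(expr)
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def parse(self):
        node = self._or_expr()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return node

    def _or_expr(self):
        parts = [self._and_expr()]
        while (t := self._peek()) and t.upper() == "OR":
            self._take()
            parts.append(self._and_expr())
        return parts[0] if len(parts) == 1 else ("OR", parts)

    def _and_expr(self):
        parts = [self._with_expr()]
        while (t := self._peek()) and t.upper() == "AND":
            self._take()
            parts.append(self._with_expr())
        return parts[0] if len(parts) == 1 else ("AND", parts)

    def _with_expr(self):
        node = self._primary()
        if (t := self._peek()) and t.upper() == "WITH":
            self._take()
            exc = self._take()
            if exc in ("(", ")") or exc.upper() in _KEYWORDS:
                raise ValueError("WITH must be followed by an exception id")
            node = ("WITH", node, exc)
        return node

    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or_expr()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")" or tok.upper() in _KEYWORDS:
            raise ValueError(f"unexpected token {tok!r}")
        return ("LIC", tok)


def parse_expression(expr: str):
    return _Parser(expr).parse()


def conclude(node, policy: set[str]) -> Optional[str]:
    """Return a concluded expression satisfying `policy`, else None.

    `policy` holds lower-cased license ids (or "id with exception"). For
    dual licensing (OR) the first acceptable branch is chosen; that is the
    choice a reviewer would record as the concluded license in the SBOM.
    """
    kind = node[0]
    if kind == "LIC":
        return node[1] if node[1].lower() in policy else None
    if kind == "WITH":
        inner, exc = node[1], node[2]
        if inner[0] != "LIC":
            return None  # exception applied to a compound expression: not handled
        combined = f"{inner[1]} WITH {exc}"
        return combined if combined.lower() in policy else None
    if kind == "AND":
        parts = [conclude(p, policy) for p in node[1]]
        return None if any(p is None for p in parts) else " AND ".join(parts)
    if kind == "OR":
        for p in node[1]:
            chosen = conclude(p, policy)
            if chosen is not None:
                return chosen
        return None
    raise ValueError(f"unknown node {kind}")


def review(components, policy):
    """Classify each component: accepted (with concluded license), rejected, or error."""
    results = []
    for comp in components:
        try:
            node = parse_expression(comp["license"])
        except ValueError as e:
            results.append((comp["name"], "error", str(e)))
            continue
        concluded = conclude(node, policy)
        results.append((comp["name"], "accepted" if concluded else "rejected", concluded))
    return results


# Assumed policy: lower-cased SPDX ids (and one id-with-exception) that are acceptable.
POLICY = {"mit", "apache-2.0", "bsd-3-clause", "gpl-2.0-only with classpath-exception-2.0"}

SAMPLE_SBOM = [  # constructed sample inventory, not real data
    {"name": "libfoo", "version": "1.2.0", "license": "MIT OR GPL-3.0-only"},
    {"name": "libbar", "version": "0.9.1", "license": "Apache-2.0 AND (MIT OR BSD-3-Clause)"},
    {"name": "libbaz", "version": "2.0.0", "license": "GPL-3.0-only"},
    {"name": "libqux", "version": "11.0.3", "license": "GPL-2.0-only WITH Classpath-exception-2.0"},
    {"name": "libquux", "version": "3.1.4", "license": "LGPL-2.1-or-later OR (MIT AND GPL-3.0-only)"},
    {"name": "broken", "version": "0.0.1", "license": "MIT AND"},
]

if __name__ == "__main__":
    for name, status, detail in review(SAMPLE_SBOM, POLICY):
        print(f"{name:8} {status:9} {detail}")
```

The concluded string is what would be written into the final SBOM's concluded-license field after review; components that come back `rejected` or `error` are the ones that need a human decision before the SBOM is released.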
After the XZ backdoor incident Lasse Collin shows surprisingly good humor in the commits and commit messages that fix the mess that "Jia Tan" has caused.
Update to the authors of XZ:
"Special author: Jia Tan was a co-maintainer in 2022-2024. He and the team behind him inserted a backdoor (CVE-2024-3094) into XZ Utils 5.6.0 and 5.6.1 releases. He suddenly disappeared when this was discovered."
On why the backdoor was removed:
"- On machines that see lots bots poking at the SSH port, the backdoor noticeably increased CPU load, resulting in degraded user experience and thus overwhelmingly negative user feedback.
- The maintainer who added the backdoor has disappeared.
- Backdoors are bad for security."
https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4
https://github.com/tukaani-project/xz/commit/e93e13c8b3bec925c56e0c0b675d8000a0f7f754
Posted by thepwnicorn@infosec.exchange