[open-regulatory-compliance] Publicness of dependencies of a product

Hi all,

so this has probably been discussed at length in some places already.

My question: how public will the dependencies of a product be?


For instance, I love what Nginx has done here:

   https://docs.nginx.com/nginx/open-source-components/

Will manufacturers be required to produce such an overview for each of their products?  And would that have to be machine readable?


If either of these answers is "yes", then we've also made it easier for bad people to find out where a compromised piece of software is being used, and thus be able to focus their ill deeds on just those products much quicker.


FWIW, I'm not so much worried *if* a vulnerability has been reported through the proper channels, as ideally those vulnerabilities will be fixed within a small timeframe.  I'm more worried about the vulnerabilities that have *not* (yet) been reported.


Is this something we would have to live with?



Elizabeth Mattijsen
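The question above turns on what a "machine readable" dependency overview actually lets someone do. The following is an added example, not code from the original post or from any manufacturer; it builds three small CycloneDX-style SBOM documents inline (product names, component names and versions are constructed, and the `pkg:generic/...` identifiers are placeholders) and answers the query "which products transitively ship component X at version Y?" by walking each document's `dependencies` graph from its `metadata.component`. This is the same lookup a vendor would run to triage an advisory, and the same one a third party could run against published SBOMs.

```python
"""Query constructed CycloneDX-style SBOMs for a given component version.

Added example: the SBOMs below are constructed for illustration and use the
CycloneDX field names (bomFormat, metadata.component, components[].bom-ref,
dependencies[].ref / dependsOn). Product and component names are made up.
"""
import json
from collections import deque


def _sbom(product, version, components, dependencies=None):
    """Build one constructed CycloneDX-style document as a JSON string."""
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"bom-ref": product, "name": product, "version": version}},
        "components": [
            {"bom-ref": f"pkg:generic/{n}@{v}", "name": n, "version": v} for n, v in components
        ],
    }
    if dependencies is not None:
        doc["dependencies"] = [{"ref": r, "dependsOn": d} for r, d in dependencies]
    return json.dumps(doc)


# Constructed sample data (hypothetical products and libraries).
# product-a reaches libfoo 1.2.3 only indirectly, through libbar.
SBOM_A = _sbom("product-a", "2.0", [("libfoo", "1.2.3"), ("libbar", "4.5")], [
    ("product-a", ["pkg:generic/libbar@4.5"]),
    ("pkg:generic/libbar@4.5", ["pkg:generic/libfoo@1.2.3"]),
])
# product-b ships the patched libfoo 1.2.4 directly.
SBOM_B = _sbom("product-b", "7.1", [("libfoo", "1.2.4")], [
    ("product-b", ["pkg:generic/libfoo@1.2.4"]),
])
# product-c publishes no dependency graph at all, only a flat component list.
SBOM_C = _sbom("product-c", "0.9", [("libfoo", "1.2.3"), ("libqux", "3.0")])


def load_components(sbom):
    """Map bom-ref -> component entry for a parsed SBOM."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def reachable_refs(sbom):
    """bom-refs transitively reachable from the product's root component.

    If the document carries no dependency graph, every listed component is
    assumed to ship (the conservative reading of a flat inventory).
    """
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    if not edges:
        return set(load_components(sbom))
    seen, queue = set(), deque([root])
    while queue:
        ref = queue.popleft()
        for nxt in edges.get(ref, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def products_affected_by(sboms, name, version):
    """Names of products whose shipped dependency closure includes name@version."""
    affected = []
    for raw in sboms:
        sbom = json.loads(raw)
        comps = load_components(sbom)
        hit = any(
            comps[r]["name"] == name and comps[r]["version"] == version
            for r in reachable_refs(sbom)
            if r in comps
        )
        if hit:
            affected.append(sbom["metadata"]["component"]["name"])
    return sorted(affected)


if __name__ == "__main__":
    catalogue = [SBOM_A, SBOM_B, SBOM_C]
    print("libfoo 1.2.3 shipped by:", products_affected_by(catalogue, "libfoo", "1.2.3"))
    print("libfoo 1.2.4 shipped by:", products_affected_by(catalogue, "libfoo", "1.2.4"))
```

Note the two edge cases the walk has to decide on: a transitive dependency (product-a never lists libfoo as a direct dependency but still ships it), and an inventory with no dependency graph (product-c), which is treated as shipping everything it lists. A version-only match like this is deliberately strict; matching version ranges from an advisory would need the ecosystem's own version-ordering rules on top.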
