Re: [open-regulatory-compliance] Publicness of dependencies of a product

I'll take that as a:

"This is something we would have to live with"

correct?

> On 28 Oct 2025, at 18:35, Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx> wrote:
> 
> I am just going to cite a section of the MIT license:
> 
> > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
> 
> 
> 
> On Tue, Oct 28, 2025 at 6:34 PM Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
> Hi all,
> 
> so this has probably been discussed at length in some places already.
> 
> My question: how public will the dependencies of a product be?
> 
> 
> For instance, I love what Nginx has done here:
> 
>    https://docs.nginx.com/nginx/open-source-components/
> 
> Will manufacturers be required to produce such an overview for each of their products? And would that have to be machine readable?
> 
> 
> If either of these answers is "yes", then we've also made it easier for bad people to find out where a compromised piece of software is being used. And thus be able to focus their ill deeds on just those products much quicker.
> 
> 
> FWIW, I'm not so much worried *if* a vulnerability has been reported through the proper channels, as ideally those vulnerabilities will be fixed within a small timeframe.  I'm more worried about the vulnerabilities that have *not* (yet) been reported.
> 
> 
> Is this something we would have to live with?
> 
> 
> 
> Elizabeth Mattijsen
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org