Re: [open-regulatory-compliance] Publicness of dependencies of a product

Hello Elizabeth,

I think we already live in the world where we need to assume that our attackers know our components roughly as well as we do, be they open source or closed.

We can still choose to make the automated form (e.g. SBOM/CSRF) only available to a specific audience - e.g. our customers - but I don’t think that much helps. Code scanners and remote sensing capabilities are good today, so I’d rather operate under the assumption that the attacker will figure out whether we run affected components rather swiftly. Automation enables the defenders to be similarly fast.

Greetings from Berlin,
Florian

--
Florian Gilcher
Managing Director
m. +49 172 8122469
 
Ferrous Systems GmbH
Wallstraße 58/59
D-10179 Berlin
 
AG Charlottenburg, HRB 200196
Geschäftsführung: Felix Gilcher, Florian Gilcher
Prokura: Sina Krause
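Florian's point that automation lets defenders answer "do we run an affected component?" about as fast as an attacker can, as an added example (this is not code from either poster, from Ferrous Systems, or from the working group): a small Python script that matches a machine-readable CycloneDX SBOM against an advisory's affected-version ranges. The SBOM document, the advisory and its identifier are constructed inline for illustration; the component versions are hypothetical.

```python
"""Match a CycloneDX SBOM against an advisory's affected-version ranges.

Added example, not code from the original mailing-list thread or from any
project named in it. The SBOM and the advisory below are constructed for
illustration; the advisory identifier and component versions are hypothetical.
"""
import json
import re

# Constructed CycloneDX 1.5-style SBOM (JSON), trimmed to the fields needed here.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "pcre2", "version": "10.42",
         "purl": "pkg:generic/pcre2@10.42"},
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:generic/openssl@3.0.8"},
    ],
})

# Constructed advisory. Affected products are given as a version-less purl plus
# an inclusive "introduced" / exclusive "fixed" range (OSV-style ranges).
ADVISORY = {
    "id": "EXAMPLE-2025-0001",  # hypothetical identifier
    "affected": [
        {"purl": "pkg:generic/zlib", "introduced": "1.2.0", "fixed": "1.2.12"},
        {"purl": "pkg:generic/openssl", "introduced": "3.0.0", "fixed": "3.0.8"},
    ],
}


def version_key(version):
    """Turn a dotted version into a tuple that compares numerically per part.

    Numeric parts sort as (0, int); non-numeric parts as (1, str), so mixed
    parts never raise TypeError and "1.10" correctly sorts after "1.9".
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def split_purl(purl):
    """Separate 'pkg:type/namespace/name@version' into (base, version or None)."""
    base, _, version = purl.partition("@")
    return base, (version or None)


def in_range(version, introduced, fixed):
    """True if introduced <= version < fixed (either bound may be None)."""
    v = version_key(version)
    if introduced and v < version_key(introduced):
        return False
    if fixed and v >= version_key(fixed):
        return False
    return True


def affected_components(sbom_json, advisory):
    """Return the SBOM components whose version falls in an affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp.get("purl", ""))
        version = version or comp.get("version")  # fall back to the version field
        if not base or not version:
            continue  # nothing to match on; a real tool would report this gap
        for aff in advisory["affected"]:
            if aff["purl"] == base and in_range(
                    version, aff.get("introduced"), aff.get("fixed")):
                hits.append({"purl": comp["purl"],
                             "advisory": advisory["id"],
                             "fixed": aff.get("fixed")})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORY):
        print(f"{hit['purl']} affected by {hit['advisory']}, fixed in {hit['fixed']}")
```

With the constructed inputs only zlib is flagged: openssl 3.0.8 equals the "fixed" bound and is therefore out of range, and pcre2 has no advisory entry. The same loop is what an attacker would run over a published SBOM, which is the symmetry Florian describes; the defender's advantage is only that they can run it first and act on the result.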

 

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Elizabeth Mattijsen via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Date: Tuesday, 28. October 2025 at 18:34
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Elizabeth Mattijsen <eclipse@xxxxxx>
Subject: [open-regulatory-compliance] Publicness of dependencies of a product

Hi all,

so this has probably been discussed at length in some places already.

My question: how public will the dependencies of a product be?


For instance, I love what Nginx has done here:

   https://docs.nginx.com/nginx/open-source-components/

Will manufacturers be required to produce such an overview for each of their products? And would that have to be machine readable?


If either of these answers is "yes", then we've also made it easier for bad people to find out where a compromised piece of software is being used. And thus be able to focus their ill deeds on just those products much quicker.


FWIW, I'm not so much worried *if* a vulnerability has been reported through the proper channels, as ideally those vulnerabilities will be fixed within a small timeframe.  I'm more worried about the vulnerabilities that have *not* (yet) been reported.


Is this something we would have to live with?



Elizabeth Mattijsen