Re: [open-regulatory-compliance] Publicness of dependencies of a product
> On 28 Oct 2025, at 19:00, Florian Gilcher <florian.gilcher@xxxxxxxxxxxxxxxxxxx> wrote:
> I think we already live in the world where we need to assume that our attackers know our components roughly as well as we do, be they open source or closed.
>
> We can still choose to make the automated form (e.g. SBOM/CSRF) only available to a specific audience - e.g. our customers - but I don’t think that much helps. Code scanners and remote sensing capabilities are good today, so I’d rather operate under the assumption that the attacker will figure out whether we run affected components rather swiftly. Automation enables the defenders to be similarly fast.
Ok, so I guess the only way forward is making sure we get fewer vulnerabilities. Which of course is what the CRA is all about in the end.
> On 28 Oct 2025, at 18:56, Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx> wrote:
> Well, I don't see it as something we would have to live with, but rather as the "cost of doing business" with open source: It is your legal obligation to cite the reference to the project and the license and the copyright for every piece of open source that your product consumes.
Indeed.
I guess we're now on the same page with regards to this train of thought.
Thanks for the quick heads up!
Elizabeth Mattijsen