Re: [open-regulatory-compliance] Publicness of dependencies of a product

On Tue, Oct 28, 2025, at 19:06, Elizabeth Mattijsen via open-regulatory-compliance wrote:
> On 28 Oct 2025, at 19:00, Florian Gilcher <florian.gilcher@ferrous-systems.com> wrote:
> I think we already live in the world where we need to assume that our attackers know our components roughly as well as we do, be they open source or closed.
> We can still choose to make the automated form (e.g. SBOM/CSRF) only available to a specific audience - e.g. our customers - but I don’t think that much helps. Code scanners and remote sensing capabilities are good today, so I’d rather operate under the assumption that the attacker will figure out whether we run affected components rather swiftly. Automation enables the defenders to be similarly fast.

Ok, so I guess the only way forward is making sure we get fewer vulnerabilities. Which of course is what the CRA is all about in the end.

I agree with Florian that reverse engineering tools are so good today that we must assume sophisticated attackers can already determine which components are in use - both for open source and proprietary software. 

I would like to see the CRA requirements (and general security best practices) grow towards requiring manufacturers to disclose such information in a public, complete and machine-readable way. I expect in the first years these might not yet be public and/or just so bad that they're as good as useless, but I'm optimistic our tools and expectations will improve with time.

That said, I think it's helpful to keep in mind that the fact that an advisory exists for a dependency of a project doesn't mean that that project itself has a vulnerability: more often than not the dependency is used in a way that does not suffer from the issue described in the advisory. There are of course already companies that have a "zero advisories above severity X for dependencies" policy and we can expect more to adopt one. For open source, we should definitely encourage those to actually contribute to updating dependencies rather than just complaining about them.


Kind regards,

Arnout


> On 28 Oct 2025, at 18:56, Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx> wrote:
> Well, I don't see it as something we would have to live with, but rather as the "cost of doing business" with open source: It is your legal obligation to cite the reference to the project and the license and the copyright for every piece of open source that your product consumes.

Indeed.


I guess we're now on the same page with regards to this train of thought.


Thanks for the quick heads up!



Elizabeth Mattijsen
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org
