Re: [open-regulatory-compliance] Publicness of dependencies of a product
> On 30 Oct 2025, at 13:54, Arnout Engelen <eclipse@xxxxxxxx> wrote:
> I would like to see the CRA requirements (and general security best practices) grow towards requiring manufacturers to disclose such information in a public, complete and machine-readable way. I expect in the first years these might not yet be public and/or just so bad that they're as good as useless, but I'm optimistic our tools and expectations will improve with time.
Taking the idea of a central registry to a more distributed approach: what about having the manufacturers provide a public endpoint on a (web) server that speaks some (REST) API to provide the necessary attestation information for a specific product / version / possibly serial number (which would presumably map to a product / version).
The software for handling this type of service could (of course) be open source.
And then have that endpoint be published by a DNS record.
> That said, I think it's helpful to keep in mind that the fact that an advisory exists for a dependency of a project doesn't mean that that project itself has a vulnerability: more often than not the dependency is used in a way that does not suffer from the issue described in the advisory. There are of course already companies that have a "zero advisories above severity X for dependencies" policy and we can expect more to adopt one. For open source, we should definitely encourage those to actually contribute to updating dependencies rather than just complaining about them.
Agree.
Elizabeth Mattijsen
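A sketch of the distributed lookup described in this message (a DNS record that advertises a manufacturer's attestation endpoint, and an API that maps product / version or serial number to attestation data), written as an added example for this archive page; it is not code from the list, from Eclipse or from any manufacturer. The TXT record format (`v=attest1; url=...`), the `_attestation.<domain>` label, the URL layout, the sample DNS data and the `router-x` product are all constructed assumptions. The advisory entry also shows the point made in the quoted paragraph: a dependency advisory is recorded with a `not_affected` status (vocabulary borrowed from VEX) rather than being treated as a product vulnerability.

```python
"""Constructed model of DNS-discovered attestation endpoints (not a standard)."""
from dataclasses import dataclass, asdict
from urllib.parse import urlparse

# Constructed stand-in for what a DNS resolver would return for TXT lookups.
SAMPLE_DNS = {
    # well-formed record for the manufacturer's own domain
    "_attestation.vendor.example": ['"v=attest1; url=https://attest.vendor.example/api/v1"'],
    # plaintext endpoint: must be rejected
    "_attestation.plain.example": ['"v=attest1; url=http://attest.plain.example/api/v1"'],
    # endpoint hosted outside the manufacturer's domain: must be rejected
    "_attestation.other.example": ['"v=attest1; url=https://attest.vendor.example/api/v1"'],
}


def parse_txt(record):
    """Split a 'k=v; k=v' TXT record (assumed format) into a dict."""
    fields = {}
    for part in record.strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def discover_endpoint(manufacturer_domain, dns=SAMPLE_DNS):
    """Return the attestation base URL advertised for a domain, or None."""
    for record in dns.get(f"_attestation.{manufacturer_domain}", []):
        fields = parse_txt(record)
        if fields.get("v") != "attest1" or "url" not in fields:
            continue
        url = urlparse(fields["url"])
        host = url.hostname or ""
        # Require TLS, and require the endpoint to sit under the manufacturer's
        # own domain so a record cannot redirect verifiers to an unrelated host.
        if url.scheme != "https":
            continue
        if host != manufacturer_domain and not host.endswith("." + manufacturer_domain):
            continue
        return fields["url"]
    return None


@dataclass
class Attestation:
    product: str
    version: str
    sbom_url: str
    advisories: list  # entries: {"id", "component", "status", "justification"}


class AttestationService:
    """Minimal in-memory model of the manufacturer-side endpoint (constructed)."""

    def __init__(self):
        self._products = {}  # (product, version) -> Attestation
        self._serials = {}   # serial number -> (product, version)

    def register(self, attestation, serials=()):
        self._products[(attestation.product, attestation.version)] = attestation
        for serial in serials:
            self._serials[serial] = (attestation.product, attestation.version)

    def handle(self, path):
        """Route a request path; returns (status, body). Assumed URL layout."""
        parts = path.split("/")
        if parts[:4] == ["", "api", "v1", "products"] and len(parts) == 7 and parts[5] == "versions":
            key = (parts[4], parts[6])
        elif parts[:4] == ["", "api", "v1", "serials"] and len(parts) == 5:
            key = self._serials.get(parts[4])  # serial maps to product / version
        else:
            return 404, {"error": "unknown resource"}
        attestation = self._products.get(key) if key else None
        if attestation is None:
            return 404, {"error": "unknown product, version or serial"}
        return 200, asdict(attestation)


def sample_service():
    """Constructed manufacturer data for one product version and two serials."""
    svc = AttestationService()
    svc.register(Attestation(
        product="router-x", version="1.2.0",
        sbom_url="https://attest.vendor.example/sbom/router-x-1.2.0.cdx.json",
        advisories=[{
            # A dependency advisory exists, but the product does not exercise
            # the affected code path: it is disclosed, not hidden or escalated.
            "id": "EXAMPLE-ADVISORY-0001", "component": "libfoo 2.3.1",
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        }]), serials=["SN-0001", "SN-0002"])
    return svc


def lookup(manufacturer_domain, service, *, product=None, version=None, serial=None, dns=SAMPLE_DNS):
    """Client side: discover the endpoint via DNS, then fetch the attestation."""
    base = discover_endpoint(manufacturer_domain, dns)
    if base is None:
        return None
    base_path = urlparse(base).path
    if serial is not None:
        path = f"{base_path}/serials/{serial}"
    else:
        path = f"{base_path}/products/{product}/versions/{version}"
    # A real client would issue an HTTPS GET to base + path; the in-memory
    # service stands in for the network here.
    status, body = service.handle(path)
    return body if status == 200 else None


if __name__ == "__main__":
    svc = sample_service()
    print(lookup("vendor.example", svc, serial="SN-0001"))
    print(lookup("plain.example", svc, serial="SN-0001"))  # None: no TLS
```

The two rejected DNS records are the checks a verifier would want before trusting whatever a record points at: the endpoint must be reachable over TLS and must live under the manufacturer's own domain, otherwise a single bad record turns the lookup into a referral to an arbitrary host.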