
[CramHacks] Newsletter #12: Debian is displeased with proposed EU Legislation (CRA & PLD)

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

🥳 Happy Monday! 🥳

My Birthday is on Monday 😀

Software Supply Chain Security

Debian, an open-source project since 1993, published a public statement about the EU Cyber Resilience Act stating, “Free Software has proven to be an asset in our digital age, and the proposed EU Cyber Resilience Act is going to be detrimental to it.”

👋 The CRA has to be the most outrageous piece of proposed legislation I have seen. Here are more details.

I recently came across this project, which “provides an open database of software packages that are affected by known security vulnerabilities,” which users can search by package or by vulnerability. Queries can be made via the web app or the API.

The project is also fully open-source, so you can self-host it if preferred. There’s also conveniently a public instance if you want to jump right in.

“What if we had a community-maintained source-of-truth about real examples of organizations using SBOMs (or any type of BOM) to achieve positive outcomes in meaningful ways?”

👋 What if? This would be interesting. First and foremost, I’d love to learn practical use cases of SBOMs. Secondly, I want to see more SBOMs to assess them for risk and understand reasonable expectations. Unfortunately, it has been a week, and no examples have been shared.

Nicolas Krischker shares Mercedes-Benz’s FOSS Manifesto, which relates to its FOSS Disclosure Portal design, intended to “facilitate the exchange FOSS information directly & frequently from the CI/CD pipeline for developers, product & application owners, and suppliers.”

👋 It’s always nice to learn more about how larger institutions tackle supply chain security concerns. There’s so much talk about producing SBOMs, but honestly, there’s not nearly enough talk about ingesting them and their practical use.

A CNA, or CVE Numbering Authority, reviews and ultimately assigns CVEs. Due to mishaps with invalid CVEs being published, there is a growing trend for open-source organizations, or even individual projects, to become CNAs. This ideally ensures these mishaps don’t impact their hard work. The main benefit, but also perhaps the concerning piece, is that becoming a CNA means you can:

“Assign CVE IDs without needing to share embargoed information with other organizations. This allows the project to determine for themselves who, if anyone, needs or gets pre-disclosure information.”

Commercial tools and services that have become CNAs also present this as an advantage.

👋 If you are curious, the CNA onboarding documentation can be found here.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or just want to chat? Slide into my inbox! 💌

If you think someone could benefit from this, don’t hesitate to forward.

See you next Monday!
-Kyle