WEBVTT

00:00.000 --> 00:11.880
Please welcome our next speaker, who is Bradley Kuhn, who will be speaking about: is there

00:11.880 --> 00:21.120
really an SBOM mandate?

00:21.120 --> 00:25.840
This is the talk that the SBOM devroom does not want you to hear.

00:25.840 --> 00:28.920
They rejected it, saying, well, everybody in the

00:28.920 --> 00:32.360
SBOM devroom really already wants to work on SBOMs.

00:32.360 --> 00:35.880
So they don't want to hear about how they might not have to work on SBOMs.

00:35.880 --> 00:40.800
So you should talk in the legal and policy devroom instead.

00:40.800 --> 00:48.240
The fact of the matter is the analogy that has been used for way too long to describe

00:48.240 --> 00:52.560
how software works is fundamentally flawed.

00:52.560 --> 00:57.120
We have this idea that there is a software supply chain.

00:57.120 --> 01:02.560
The term supply chain, of course, comes from physical supply chains.

01:02.560 --> 01:09.360
Real hardware things in the world, be they electronics or not.

01:09.360 --> 01:14.280
So we first should ask the question, is there really a thing called the software supply

01:14.280 --> 01:15.280
chain?

01:15.280 --> 01:25.760
I don't think there actually is, and the reason why is the things that happen in a supply chain

01:25.760 --> 01:32.080
and the physical activity required by human beings to operate a supply chain is immense.

01:32.080 --> 01:33.760
There are shipping containers.

01:33.760 --> 01:36.280
There are giant cranes that lift those shipping containers.

01:36.280 --> 01:40.720
There are standards that every shipping container has to be exactly the same configuration

01:40.720 --> 01:41.720
all over the world.

01:41.720 --> 01:46.600
So it fits on every barge and fits on every dock and can be unloaded by the same equipment

01:46.600 --> 01:49.720
in every place around the world.

01:49.720 --> 01:56.200
And there is a thing called leakage, both literal and figurative, literal of course,

01:56.200 --> 02:00.320
like things can flood if you travel across an ocean.

02:00.320 --> 02:08.520
And figuratively, the physical item industry talks about employees stealing stuff, which

02:08.520 --> 02:17.960
happens, and dock workers steal stuff, and everyone steals, sadly. In software there are

02:17.960 --> 02:22.040
no phones, no lights, no motor cars, there's not even a single luxury from my point

02:22.040 --> 02:23.040
of view.

02:23.040 --> 02:29.480
The analogy does not fit, and the main reason it doesn't fit is because open source and free

02:29.480 --> 02:38.120
software, FOSS, has always been designed to reject the idea that software should be treated

02:38.120 --> 02:40.000
like a physical object.

02:40.000 --> 02:46.040
We have always believed that you should have the right and freedom to copy, share, modify,

02:46.040 --> 02:48.480
redistribute, and reinstall software.

02:48.480 --> 02:51.720
That's what the philosophy is all about in the first place.

02:51.720 --> 02:57.000
The proprietary software industry has desperately tried for decades to convince the world

02:57.000 --> 03:00.800
that software is a scarce resource, just like physical objects.

03:00.800 --> 03:06.360
They want it to be hard to copy, share, modify, redistribute, and store.

03:06.360 --> 03:10.680
They want it to disappear if your license expires, all those sorts of things.

03:10.680 --> 03:16.320
But we've been rejecting for a very long time, basically since the 1980s, the notion that this

03:16.320 --> 03:21.120
should apply to software, because we don't believe digital goods should have the same

03:21.120 --> 03:26.760
scarcity requirements falsely applied from physical goods to digital goods.

03:26.760 --> 03:33.000
And as such, the supply chain analogy makes absolutely no sense.

03:33.000 --> 03:36.400
So who is it that wants a software supply chain?

03:36.400 --> 03:40.600
Well, people who make proprietary software; they want to make it difficult to

03:40.600 --> 03:41.600
acquire software.

03:41.600 --> 03:47.120
They want you to pay huge amounts of money just to get a copy of that amazing proprietary

03:47.120 --> 03:52.960
software that's so much better than open source, because it's from a firm that developed

03:52.960 --> 03:58.960
it and tailored it so carefully for you, and you can have that one copy, but not another

03:58.960 --> 03:59.960
one.

03:59.960 --> 04:00.960
Well, you could pay us again, have another copy.

04:00.960 --> 04:01.960
We'll give you a site license.

04:01.960 --> 04:05.640
That's a couple million, but then any one of your employees could have it.

04:05.640 --> 04:12.040
So from my point of view, the entire idea of software supply chain, and therefore

04:12.040 --> 04:17.880
SBOMs as well, is an imposition by the proprietary software industry on the open source

04:17.880 --> 04:20.760
and free software community.

04:20.760 --> 04:25.560
And if it were a mandate, which I'm going to hopefully show you it is not, it would

04:25.560 --> 04:30.720
be an unfunded mandate on upstream developers to require them to do things that are

04:30.720 --> 04:34.600
not needed if your source is 100% FOSS.

04:34.600 --> 04:37.880
They are only needed if you're incorporating proprietary components; I'm going to talk

04:37.880 --> 04:40.920
about that in a few minutes.

04:40.920 --> 04:46.120
This whole idea of the bill of materials, of course, comes from the supply chain analogy.

04:46.120 --> 04:52.440
And the bill of materials is a list of physical things that are in places and in products

04:52.440 --> 04:56.120
as they work their way through the physical supply chain.

04:56.120 --> 05:01.200
So if the analogy doesn't really work for FOSS, there's no way SBOMs make any

05:01.200 --> 05:03.200
sense for FOSS.

05:03.200 --> 05:04.200
Maybe they do for proprietary software.

05:04.200 --> 05:05.200
I don't know.

05:05.200 --> 05:07.000
I don't do proprietary software.

05:07.000 --> 05:14.400
But this has become this cute little marketing term that has convinced people that they

05:14.400 --> 05:15.640
need this thing.

05:15.640 --> 05:21.560
And people are like addicts: oh, you have this, SBOMs, SBOMs, you want an SBOM?

05:21.560 --> 05:27.080
So when you ask somebody, well, what is an SBOM, there is no formal definition.

05:27.080 --> 05:29.840
There are two competing file formats.

05:29.840 --> 05:36.280
But everyone admits that just having a file in that format is not necessarily an SBOM.

05:36.280 --> 05:39.080
And you say, well, what constitutes an SBOM then?

05:39.080 --> 05:42.960
And they say, we have to have those files in a certain configuration, in a certain order,

05:42.960 --> 05:48.400
in certain requirements, which have not been written down yet by anyone as far as I can

05:48.400 --> 05:49.400
tell.

05:49.400 --> 05:54.840
It's just a thing that people are excited about because marketers told them to be excited

05:54.840 --> 05:56.960
about it.

05:56.960 --> 06:04.160
Now, most SBOM enthusiasts will tell you that the EU Cybersecurity Act mandates SBOMs.

06:04.160 --> 06:09.800
I have begged people to show me where and how it mandates SBOMs, and no one actually

06:09.800 --> 06:11.600
can.

06:11.600 --> 06:12.600
SBOMs are mentioned.

06:12.600 --> 06:16.000
I'm going to show you a couple of places where it's mentioned in the CRA.

06:16.000 --> 06:23.200
But to me, it is not describing the thing that people in the SBOM community are talking

06:23.200 --> 06:24.200
about.

06:24.440 --> 06:27.240
So here's the first place that it appears.

06:27.240 --> 06:30.840
This is pretty vague.

06:30.840 --> 06:35.120
I think that there is a lot of interpretation that will still come out about this particular

06:35.120 --> 06:36.120
clause.

06:36.120 --> 06:42.400
And it's pretty interesting to note that the SBOMs themselves under the CRA are admitted

06:42.400 --> 06:46.120
to be something that can be proprietary.

06:46.120 --> 06:50.560
And in fact, you can anonymize what your software sources actually are.

06:50.560 --> 06:53.680
So all these folks in the SBOM community are saying, well, the SBOM will tell you exactly what's

06:53.680 --> 06:54.680
in your software.

06:54.680 --> 06:57.040
Well, no, because it can be anonymized.

06:57.040 --> 06:59.040
So then you'll be like, well, what software is that?

06:59.040 --> 07:03.480
It has a different name, some code name, and then I have to beg the company to

07:03.480 --> 07:10.960
tell me what the code name means so I can really figure out who my true upstream is.

07:10.960 --> 07:17.440
This is the place in the CRA where it says that somebody has to write an SBOM.

07:17.440 --> 07:21.560
Note that it says they don't have to be public, which means they are by default going to

07:21.560 --> 07:27.520
be proprietary, at least under the CRA, because we know that proprietary software companies

07:27.520 --> 07:32.600
do not release software unless they're forced to by a license or required under something

07:32.600 --> 07:33.600
else.

07:33.600 --> 07:34.880
They want to proprietarize.

07:34.880 --> 07:37.920
So we're going to have lots of proprietary SBOMs that some people will get, that will

07:37.920 --> 07:39.920
be anonymized.

07:39.920 --> 07:44.520
So we won't actually know what's in the supply chain, if such a supply chain even exists.

07:44.520 --> 07:49.400
But the best and most interesting part about the CRA's discussion of SBOMs is this

07:49.400 --> 07:54.800
sentence, which says the commission will at some point specify the format and elements

07:54.800 --> 07:55.800
of SBOMs.

07:55.800 --> 07:58.440
To my knowledge, and I'm not a CRA expert, there are some in the room and they can jump

07:58.440 --> 08:02.920
up right now and tell me, the commission has not yet defined that.

08:02.920 --> 08:09.400
And as such, even if this were to turn into an SBOM mandate, we as a community have an

08:09.400 --> 08:16.520
opportunity to decide what the format and elements of SBOMs should be and advocate for it

08:16.520 --> 08:24.040
in a lobbying process to explain to the commission what exactly an SBOM should look

08:24.040 --> 08:25.880
like for open source and free software.

08:25.880 --> 08:28.280
There will be time for questions at the end.

08:28.280 --> 08:31.480
If you want to sound completely wrong about the CRA, what's that?

08:31.480 --> 08:33.480
And I'm proud of this question.

08:33.480 --> 08:34.480
Yeah.

08:34.480 --> 08:35.480
I appreciate it.

08:35.480 --> 08:39.000
So I hope you'll listen real carefully, because I would love for you to do what

08:39.000 --> 08:40.000
I'm about to say.

08:40.000 --> 08:42.440
So the first thing, I'm going to just talk about the U.S. side.

08:42.440 --> 08:47.400
So there was a lot of obsession in the United States about this executive order that President

08:47.400 --> 08:48.840
Biden implemented.

08:48.840 --> 08:55.160
You may have heard we had major regime change in my homeland recently, and the biggest

08:55.160 --> 08:58.360
thing that's happening right now is executive orders being rescinded and new ones are being

08:58.360 --> 09:01.960
issued every five to ten minutes.

09:01.960 --> 09:06.200
So from my point of view, anything in the Biden executive order, even though it's technically

09:06.200 --> 09:11.200
still an executive order, because it hasn't been rescinded yet, is very unlikely to be implemented.

09:11.200 --> 09:19.400
And I also don't think any of the NIST documents, which I've read all of, have any requirement

09:19.400 --> 09:20.760
to do anything.

09:20.760 --> 09:25.280
They're just recommendations to study various things, and they're doing a very good job

09:25.280 --> 09:29.320
studying the question, but they have not, to my knowledge, come forward and said, this

09:29.320 --> 09:32.360
is what industry has to do.

09:32.360 --> 09:38.240
So I don't think we should actually ignore this, even though I don't think they really,

09:38.240 --> 09:43.500
even though I think it's a marketing term, but I think there's another way we can

09:43.500 --> 09:49.640
post this in a way that will help free software.

09:49.640 --> 09:52.760
There's a wise lawyer, a colleague of somebody in this room. This lawyer is not retired.

09:52.760 --> 09:55.480
They work for a major software company.

09:55.480 --> 09:59.200
And right when the SBOM stuff was starting, I had a conversation with this person. I don't

09:59.200 --> 10:02.880
know if he wants me to quote this publicly, so I won't; he didn't exactly say it this

10:02.880 --> 10:08.160
way, but he said, well, I've had a really long career as a software industry lawyer,

10:08.160 --> 10:12.400
and he said, sometimes I need colleagues who just want to make lists.

10:12.400 --> 10:16.040
They love making lists, and they make lists, and they make lists of things, and they publish

10:16.040 --> 10:17.040
lists.

10:17.040 --> 10:21.260
And I've seen a lot of lists in my career, but they haven't made the software

10:21.260 --> 10:23.080
industry all that better.

10:23.080 --> 10:27.200
So I've tended not to be a list maker; I've just ignored the list makers my whole

10:27.200 --> 10:28.200
career.

10:28.200 --> 10:31.040
SBOM is the ultimate in list making.

10:31.040 --> 10:34.600
It's useful to make lists sometimes, but as a tool to get something else done, from

10:34.600 --> 10:36.400
my point of view.

10:36.400 --> 10:40.880
Now, I am quite sure you will face the SBOM problem.

10:40.880 --> 10:46.120
All of you who work in industry as a software developer or engineer, at some point a boss

10:46.120 --> 10:52.800
is going to come up to you and say, yeah, so Peter, we have to have a conversation.

10:52.800 --> 11:00.480
We're putting all the SBOMs on the cover sheets of our source code now, and you filed

11:00.480 --> 11:03.600
your last source release without an SBOM.

11:03.680 --> 11:09.080
I'm going to make sure you get another copy of the CRA, and then you can put your SBOM

11:09.080 --> 11:12.520
on the next release that you do there.

11:12.520 --> 11:19.480
And what I'm going to encourage you to say is, yeah, so, Lumbergh, I think maybe you

11:19.480 --> 11:23.640
should go ahead and go away. I'm meeting with the Bobs in a few minutes, and we're

11:23.640 --> 11:29.840
going to talk about how my build is reproducible, that I have all the complete corresponding

11:29.840 --> 11:30.840
source code.

11:30.840 --> 11:39.040
For copyleft licenses, it will be shipped to the customer, with a full and complete

11:39.040 --> 11:43.920
copyleft release, with the complete corresponding source code, including the scripts used

11:43.920 --> 11:51.120
to control compilation and installation of the executable, and a fully, verifiably reproducible

11:51.120 --> 11:52.120
build.

11:52.120 --> 12:00.520
I argue that this is a better format for an SBOM than any list, because that entire source

12:00.520 --> 12:06.760
release tells everyone in the so-called supply chain exactly what is in the software, because

12:06.760 --> 12:12.600
it's all there in source code, which is the standard and common operating way that people

12:12.600 --> 12:15.080
communicate about software.

12:15.080 --> 12:20.080
And if the build is verifiably reproducible, it means they can prove that the binaries that

12:20.080 --> 12:25.080
are in the product were built from that source code.

12:25.080 --> 12:29.080
In fact, that's where it's good, and all the things that the CRA and all the regulations

12:29.080 --> 12:33.720
are trying to address, like, very dangerous things about cybersecurity and so forth, can very

12:33.720 --> 12:34.720
easily be fixed.

12:34.720 --> 12:41.440
And if you really want the list, if you have all of this, I argue that you can indeed replace

12:41.440 --> 12:44.800
the SBOM generation with a very small shell script.

12:44.800 --> 12:52.040
So the only people who actually need SBOMs are proprietary software manufacturers, from

12:52.040 --> 12:53.040
my point of view.

12:53.040 --> 12:57.360
I don't know what they need them for, I don't really understand proprietary software, but

12:57.360 --> 13:01.400
if you want a world where all software is free software, which I do, I'm not going to

13:01.400 --> 13:04.680
spend a lot of time helping people make proprietary software better.

13:04.680 --> 13:11.020
I agree that SBOMs are likely to make proprietary software much better, but I don't want

13:11.020 --> 13:12.320
proprietary software to get better.

13:12.320 --> 13:15.240
I want it to get worse, and I want free software to get better.

13:15.240 --> 13:21.440
So this is why I don't think there is an SBOM mandate, and even if there is, we should advocate

13:21.440 --> 13:26.680
strongly that the SBOM format should be complete corresponding source code with verifiable

13:26.680 --> 13:28.680
reproducible builds.

13:28.680 --> 13:33.680
Thank you.

13:33.680 --> 13:49.520
Isn't the idea of, you talk about the analogy not being appropriate, because it's not,

13:49.520 --> 13:55.640
we're not moving physical stuff, granted, but isn't a lot of the idea of understanding

13:55.640 --> 14:02.640
the origin of a particular piece of software, and where it came from, and particularly for

14:02.640 --> 14:09.880
security type reasons, and things like that, knowing that, the famous XKCD comic that

14:09.880 --> 14:15.560
here's all software, and then here's this little thing, libnebraska, right?

14:15.560 --> 14:20.000
Understanding, hey, I've got libnebraska in there, and it goes all the way down to the

14:20.000 --> 14:25.600
free software developer in Nebraska, and it's been repackaged all through this chain.

14:25.840 --> 14:32.240
Isn't that the core of the idea of a software supply chain, and the value that you get

14:32.240 --> 14:35.720
by making the list of an SBOM?

14:35.720 --> 14:41.520
So if I included libnebraska in my product, and when I delivered the source code for the

14:41.520 --> 14:47.160
product to you, I gave you the entire git history of libnebraska, which of course includes

14:47.160 --> 14:52.440
all contact information of the original developer in Nebraska, as well as any changes

14:52.440 --> 14:58.200
that I made, and I proved to you that the version I gave you, that git commit, builds

14:58.200 --> 15:00.840
reproducibly into the binary I also gave you.

15:00.840 --> 15:07.520
I cannot imagine what else a list could give you, that isn't already available in that

15:07.520 --> 15:09.640
information that I already gave you.

15:09.640 --> 15:13.360
I agree, maybe you might want to build an automated list from that, it might be helpful,

15:13.360 --> 15:18.040
summary information is useful, but it is in the end just summary information of the complete

15:18.040 --> 15:19.360
corresponding source code.

15:19.360 --> 15:24.720
Now, if I have proprietary libnebraska, I've said, ha, it's not under a copyleft

15:24.720 --> 15:29.000
license, I won't give you any source code, you're screwed, but you're screwed

15:29.000 --> 15:32.480
anyway, because my proprietary software is designed to screw you.

15:32.480 --> 15:37.560
So from my point of view, if the proprietary software industry needs these SBOMs to screw

15:37.560 --> 15:42.000
you a little bit less, they can go play with them if they want to, but I would rather

15:42.000 --> 15:46.560
not screw you at all and give you all the rights you deserve.

15:46.560 --> 15:53.560
Then a small request: if you want to ask a question, please keep your hand up, that's

15:53.560 --> 15:59.320
a bit easier for me to see where the people are, I will do my best to somehow do it in

15:59.320 --> 16:05.760
the order and also make sure that I don't have to run all the time, but yeah, I'll try

16:05.760 --> 16:07.760
it.

16:07.760 --> 16:12.000
So in the spirit of: SBOMs, are they mandatory?

16:12.000 --> 16:17.480
There is one scenario where they are mandatory with a legal construct behind that, and

16:17.480 --> 16:25.560
that's the US medical device manufacturers, and from a lists perspective, the thing

16:25.560 --> 16:31.280
that they're trying to address is does the creator of the software that is going to somehow

16:31.280 --> 16:35.680
be impacting patient life?

16:35.680 --> 16:40.240
Do they know who supports this and who is maintaining the software, whether it be commercial

16:40.240 --> 16:42.640
software, open source or otherwise?

16:42.640 --> 16:47.800
So it gets very, very complicated quickly, but excellent presentation, I agree completely

16:47.800 --> 16:51.280
that executive orders are not the way to do things.

16:51.280 --> 16:57.480
Well, I think that in the medical devices context, I think patients should have the right

16:57.480 --> 17:00.320
to the complete corresponding source code of their device.

17:00.320 --> 17:03.000
Karen, did you get an SBOM for your heart device?

17:03.000 --> 17:05.640
She did not, so apparently the mandate wasn't followed, because Karen's got an implantable

17:05.640 --> 17:09.680
heart device that has proprietary software, and she didn't get an SBOM for it.

17:09.680 --> 17:14.000
It's a question of when, so it went into effect in October of last year.

17:14.000 --> 17:20.360
Well, again, they shouldn't be making it proprietary anyway; they are harming patients

17:20.360 --> 17:25.520
by making it proprietary, as I already said. If it turns out that the proprietary software

17:25.520 --> 17:30.200
industry wants to trick patients, users, everybody else into thinking, you're safe because

17:30.200 --> 17:34.880
we have an SBOM, even though you can't examine the source code, that's an unfortunate

17:34.920 --> 17:37.480
outcome, and it's one of the reasons why I'm against SBOMs, right, because they're

17:37.480 --> 17:42.080
designed to trick you into thinking you have something that you don't, which is the ability

17:42.080 --> 17:44.800
to reproduce, verify and understand your software.

17:44.800 --> 17:47.200
SBOMs do not give you that.

17:47.200 --> 17:53.480
Bradley, I apologize if you already mentioned this because I was doing room duty to some

17:53.480 --> 17:54.480
degree.

17:54.480 --> 18:01.320
Have you found, as I have, that this obsession with SBOMs has had a deleterious effect

18:01.400 --> 18:07.960
on open source license compliance, because increasingly companies seem to have reconceptualized

18:07.960 --> 18:10.880
compliance as making these lists?

18:10.880 --> 18:14.040
I have certainly found that in my work.

18:14.040 --> 18:15.880
Oh, I think that has happened.

18:15.880 --> 18:20.880
I think the most interesting use case of SBOMs, which literally, there was a compliance

18:20.880 --> 18:25.560
tools summit yesterday, and multiple people were saying, well, you know, what I really

18:25.560 --> 18:29.720
want is the ability to make sure I don't have any copylefted software in my product because

18:29.800 --> 18:31.880
I don't want to make any free software.

18:31.880 --> 18:36.360
So while I want to consume all the non-copylefted stuff into my product, I want to turn

18:36.360 --> 18:37.880
that into proprietary software.

18:37.880 --> 18:43.280
If I have SBOMs, I can find every little copylefted component and throw it away.

18:43.280 --> 18:49.160
So it's actually even worse than what you're saying because not only is it affecting the

18:49.160 --> 18:56.040
compliance industrial complex to turn into an SBOM generating system, but also to the

18:56.120 --> 19:00.520
extent to which SBOMs are useful, they're designed to take away software freedom.

19:00.520 --> 19:07.320
Just as a reminder, if hands go down again, they are out of the list, because

19:07.320 --> 19:08.520
else it's difficult for me.

19:08.520 --> 19:14.040
I know it's kind of discriminating and exosomely in the minutes later, thank you.

19:14.040 --> 19:17.040
Oh, five.

19:17.040 --> 19:19.040
What's my question?

19:19.120 --> 19:26.400
Yeah, the question really is, is there a better word for supply chain?

19:26.400 --> 19:35.040
Because that seems to be kind of the problem that the supply chain goes between companies

19:35.040 --> 19:41.600
and doesn't reach the end-user and that is why it feels weird.

19:41.600 --> 19:42.640
Yeah, I agree with you.

19:42.640 --> 19:47.280
I mean, I thought as I started my talk, I think the analogy is the wrong analogy.

19:47.360 --> 19:50.880
We used to talk just about upstream and downstream, like the entire software process is a

19:50.880 --> 19:55.760
river; that's a better analogy, I think, than supply chain for sure.

19:55.760 --> 20:01.040
In part, because supply chain is this corporate way of thinking and it ignores consumers.

20:01.040 --> 20:04.560
Consumers never thought about supply chains until the pandemic, basically, and they stopped

20:04.560 --> 20:07.200
thinking about them as soon as they were fixed.

20:07.200 --> 20:11.520
So to apply that to software, in that case, I mean physical supply chains.

20:11.520 --> 20:16.320
To apply it to software, it's like, well, you're totally right, it writes the consumer,

20:16.320 --> 20:18.640
writes the end-user out of the picture, they're not important.

20:18.640 --> 20:22.640
And we see that in the CRA, where it's saying, well, consumers and the public have no

20:22.640 --> 20:24.240
right to see these SBOMs.

20:24.240 --> 20:27.920
So it's already kind of baked into the thinking around what they're going to be,

20:27.920 --> 20:31.360
is that they're just for company A to give to company B.

20:31.360 --> 20:33.360
And I don't really care what happens between company A and company B.

20:33.360 --> 20:35.360
I care what happens to the consumer and the end-user.

20:41.360 --> 20:43.600
I'll talk to you later, Michael, close my mind.

20:44.480 --> 20:48.240
Okay, very challenging, because I'm in the SBOM devroom tomorrow.

20:50.240 --> 20:54.320
I'm not allowed to be, so I'm going to kick me out like, why can't you work on that?

20:54.320 --> 20:57.120
So let's look at what SBOMs could be.

20:57.120 --> 21:00.880
SBOMs are a vehicle to help this management, to help software become

21:00.880 --> 21:02.800
more secure and resilient for the consumers.

21:04.000 --> 21:09.200
So therefore, maybe SBOMs on their own might not be sufficient,

21:09.280 --> 21:14.000
but SBOMs are clearly a vehicle to help people become transparent and

21:14.000 --> 21:16.240
improve the software to be more secure and resilient.

21:16.960 --> 21:19.680
I agree with everything you said, if you say proprietary software.

21:19.680 --> 21:22.320
There's no question, I don't make a difference between A and R software.

21:22.320 --> 21:23.360
It's all software.

21:23.360 --> 21:27.680
It makes a world of difference, because if you have the complete corresponding source code

21:27.680 --> 21:31.680
and reproducible build, you have a very different situation than a proprietary system.

21:31.680 --> 21:35.840
I agree with you, the SBOMs will probably increase security in proprietary software.

21:36.640 --> 21:41.760
I don't think they will do much for truly open source and free software that's under

21:41.760 --> 21:44.240
a copyleft license that has a verifiable build.

21:47.760 --> 21:55.120
Hi, so I am an engineer, word of caution, but also a logistics specialist,

21:55.120 --> 21:56.240
information logistics.

21:57.040 --> 22:02.880
And I understand as an engineer, I don't need SBOMs, I can just go around and read

22:02.880 --> 22:12.880
the code and analyze, but as soon as I have to package it to be deployed elsewhere,

22:12.880 --> 22:18.720
I need something to tag along so that people that unfortunately are not engineers can

22:19.280 --> 22:23.920
have a way of saying what's inside without trying to learn code.

22:25.840 --> 22:30.480
SBOMs are not completely evil in that sense, it's a way to tag something.

22:31.440 --> 22:36.160
Could be SBOMs or any other of the different kinds of things.

22:37.840 --> 22:47.840
So my question is more about how can we use this, not as a way to go back and say,

22:47.840 --> 22:54.240
oh, you don't need to be free because we now have all the descriptions, but on the other hand,

22:54.240 --> 23:01.680
as to say, to use the SBOMs as the way to say, this is a proof that what I'm delivering to

23:01.680 --> 23:12.000
you was made completely through open and free licenses, and this has this thing inside that's

23:12.000 --> 23:18.240
actually proprietary, like a firmware blob or something, and so a warning, this is a warning

23:18.240 --> 23:24.400
label saying that there is a toxic component here that we don't know about.

23:24.400 --> 23:29.120
And so, could we think about the SBOMs in that way?

23:29.920 --> 23:33.600
So a part of what you said is actually reproducible builds, not SBOMs, right?

23:33.600 --> 23:37.360
Because I don't think an SBOM actually gives you that thing you were saying in the middle

23:37.360 --> 23:41.680
there, the verifiability that this software was built from this thing; you can't do that with an

23:41.680 --> 23:47.200
SBOM. You could do that with a reproducible build, and I would be thrilled if the SBOM folks

23:47.920 --> 23:50.480
were inviting the reproducible builds people to come speak in their

23:50.480 --> 23:53.840
devroom about finding ways to integrate SBOMs with reproducible builds.

23:53.840 --> 23:57.680
That doesn't seem to be very much of interest to the industry, and I also didn't say,

23:57.680 --> 24:02.080
you said, well, I said that SBOMs were evil. I did not say that. What I said was,

24:02.080 --> 24:07.440
SBOMs are lists, and that list making is a useful exercise when it's a tool to another

24:08.320 --> 24:13.280
goal, but just making lists for the sake of making lists, which a lot of the SBOM rhetoric

24:13.360 --> 24:19.760
is about, in the end, that I've seen, then I don't really think a list for a list sake is that good,

24:19.760 --> 24:22.720
and is there something better you should get? I think there's something better you should get,

24:22.720 --> 24:27.440
is the complete corresponding source code, and that should, if you even want to call it a supply chain,

24:27.440 --> 24:33.120
travel all the way along the supply chain. If the entire reproducible build source code

24:33.120 --> 24:39.360
is not traveling along, the security risk is huge, and maybe an SBOM can mitigate that sometimes,

24:39.360 --> 24:43.120
but it would be much better if you had the complete corresponding source code in a reproducible build.

24:44.160 --> 24:49.840
But in open source packages, you have to code if you have to release that is defined in the SBOM.

24:49.840 --> 24:55.280
I think I'm out of time, so I just was told, so I don't think, yeah, it's just an

24:56.560 --> 25:01.840
annotation. The thing you criticize was to supply chain, but what we have in open source software,

25:01.840 --> 25:07.840
as well, are dependencies, which are included into software, we write, so there doesn't have to

25:07.840 --> 25:13.520
be a proprietary component in it, we benefit from transparency in our supply chain and our

25:13.520 --> 25:19.200
dependencies and open source as well. And SBOMs is a standardized format, as well as all lockfiles,

25:19.200 --> 25:24.800
in all the languages we use. So, SBOMs... I think I should get the last word.

25:24.800 --> 25:32.480
The SBOM is, in fact, not transparent. It's opaque by its nature, specifically because it is

25:32.480 --> 25:36.160
hiding the source code, because if we have the source code, the SBOM is really just a summary

25:36.160 --> 25:38.160
information of the source code that you have.

