WEBVTT

00:00.000 --> 00:16.320
Right, so we have around 20 minutes to fill, so we can have an open discussion, as

00:16.320 --> 00:24.760
it was planned at the end, or we can have people ask questions, or we can have, I don't

00:24.760 --> 00:35.800
know, we can get it, we can get it.

00:35.800 --> 00:52.440
So does anyone have questions on anything regarding SBOMs? There is a room full of expert

00:52.440 --> 00:58.000
people here that can answer. I'll make sure that, yeah, we'll have, let's start

00:58.000 --> 01:10.640
from there, right, right, so the question is, what's the best tool to do everything, or what

01:10.640 --> 01:17.120
was it, yeah, to do everything with SBOMs, and yes, I'm pretty sure we will have an

01:17.120 --> 01:30.360
answer here, a single answer for everyone, right, another question, is there any update on

01:30.360 --> 01:44.760
the CISA tests on SBOMs, [unclear], there was a briefing for the participants

01:44.760 --> 01:53.600
who had submitted SBOMs, they've only looked at the CycloneDX SBOMs to date, which

01:53.600 --> 02:01.720
was, there were more CycloneDX than SPDX SBOMs submitted, they were identifying

02:01.720 --> 02:06.840
some common themes, some languages were better than others, some of the tools were better

02:06.840 --> 02:13.080
than others, I think Rust was quite good, there were some challenges, no surprise to you

02:13.080 --> 02:26.640
that things like C are a real challenge, there were clearly very few that fully met the minimum

02:26.640 --> 02:32.040
requirements, which I think everybody would recognise, that's been a challenge

02:32.040 --> 02:39.720
for everybody, there was quite a variety in the level of information that was included

02:39.720 --> 02:48.600
in the SBOM in terms of the richness, some were very minimal, some had a lot of data,

02:48.600 --> 02:57.760
I think it was quite a useful exercise, but I think determining what's the source SBOM

02:57.760 --> 03:04.960
and what's the build SBOM, people have different interpretations, the data sets available,

03:04.960 --> 03:16.400
there are nine data sets, if people look for SBOM harmonization, then there's a link

03:16.400 --> 03:28.280
to the nine repos, I think the final report will come out this month or early March,

03:28.280 --> 03:34.040
I think it's a question of how much of it will be redacted, I don't think it's going to identify the

03:34.120 --> 03:39.760
particular tools, but I think it's going to give general themes, but I think each tool vendor

03:39.760 --> 04:01.360
has an opportunity to talk to CISA directly to understand what they, what was found.

04:01.360 --> 04:16.960
So, repeating the question, the question would be, pretty much, will the outcome

04:16.960 --> 04:22.280
of the result benefit us to improve what we are doing, or actually, if it shows something

04:22.280 --> 04:26.960
that we screwed up, will it be seen by management first and they'll try to

04:26.960 --> 04:41.960
impose changes on us in things that were basically decided by CISA, not us, but, yeah, valid, yeah, yeah,

04:41.960 --> 05:04.240
yeah, yes, we know, yeah, you know, somebody else, yeah, please, you should

05:04.240 --> 05:11.840
come here, because yeah, you should come here to the mic,

05:11.840 --> 05:21.760
check one, two, okay, I know that some industries, at least the medical device industry,

05:21.760 --> 05:30.640
which I don't work for, have been organizing plug-fests for five years now, between

05:30.720 --> 05:41.120
producers and consumers of SBOMs, under NDA, of course, closed door, etc, but five years

05:41.120 --> 05:47.720
is quite long, obviously they use different tools to produce and consume SBOMs, so that's

05:47.720 --> 05:57.080
interesting, and they published a report, not too long ago, maybe one, two months ago,

05:57.080 --> 06:06.160
[unclear], it's public, it's available, it's about 20 pages long, really, it's quite interesting,

06:06.160 --> 06:15.520
about all the pesky details that you can have when actually trying to use or exchange SBOMs

06:15.520 --> 06:22.920
across organizations. Thank you for that, yes, there have been many efforts of running

06:22.920 --> 06:28.840
interoperability tests between the different tools based on the specs and the like,

06:28.840 --> 06:38.440
yeah, we've been running them for a few years, or more than a few years, okay, on that one,

06:38.440 --> 06:42.920
anybody else, a question or something, yes, please,

06:42.920 --> 06:49.920
[unclear question about the foundation that was mentioned and the database], okay, Agustín,

06:49.920 --> 06:54.160
the question was about the Software Transparency Foundation that was mentioned in the previous

06:54.160 --> 07:00.720
slide, and Agustín is the right person to answer, it's a Spanish foundation, it's

07:00.720 --> 07:07.440
a small one, it has basically one core service at the moment, although this year we will

07:07.440 --> 07:16.800
start hosting the open data sets, the service basically, well, probably you know clearly

07:16.800 --> 07:24.200
[unclear], so we are taking advantage of

07:24.200 --> 07:30.880
a subset of the SCANOSS knowledge base and we are providing the service for free to open

07:30.880 --> 07:37.200
source organizations, upstream developers, obviously it's a very expensive service,

07:37.200 --> 07:44.680
so we have some limitations on the amount of scans that you can do at scale, actually

07:44.680 --> 07:49.560
there are several software composition analysis open source tools that use it as a

07:49.560 --> 08:02.320
backend, I'm going to name three, FOSSology, ORT, [unclear], for instance, and the idea

08:02.320 --> 08:10.520
basically of this service is to provide something to upstream developers to be able to create

08:10.520 --> 08:17.080
complete reports, so they can detect what is declared, but also they can detect what is

08:17.120 --> 08:24.800
the open source that is not declared, the tool is extremely good at that, and then obviously

08:24.800 --> 08:34.040
you have to do your manual curation to decide what you do with that information and then

08:34.040 --> 08:40.280
use whatever tool, you can also use the open source SCANOSS tools, and what we are hoping

08:40.280 --> 08:50.360
and aiming for is that more tools use it as a backend for doing that, and hopefully we will

08:50.360 --> 08:57.640
also get some members to put in some money so we can scale up the service, because the

08:57.640 --> 09:05.480
operational part and the cost of the system are the main bottleneck at the moment, it's a Spanish foundation,

09:05.480 --> 09:20.480
if I didn't say. Thank you, [unclear], others, questions, announcements, Thomas,

09:20.480 --> 09:43.880
yeah, [unclear], everybody knows me, almost

09:43.880 --> 09:48.640
almost everywhere, there are new people in the room, so my name is Thomas Timergan, I am the

09:48.640 --> 09:52.480
OSPO Ambassador for Europe, so basically we are talking a lot about SBOMs, I am

09:52.480 --> 09:58.480
involved in this for many years, but I do mostly open source management, so I just had a

09:58.480 --> 10:05.120
question about what SBOM tool you should use: before you look at an SBOM tool, we

10:05.120 --> 10:13.280
as open source, OSPO professionals say, first write your policy, because all the

10:13.280 --> 10:16.280
[unclear], all the laws are all about risk management, so first write your risk management

10:16.280 --> 10:21.800
policy, then you know what your risks are and then start looking at tools, and of course

10:21.800 --> 10:29.440
it doesn't pick it up on the right for some reason, we are working from the OpenChain

10:29.440 --> 10:36.120
community, we're actually trying to help a lot of people, people here know already what

10:36.120 --> 10:40.880
SBOMs are about, but there are tons of people that don't know, so from the OpenChain community

10:40.960 --> 10:46.560
we're organizing an event in Stuttgart at the beginning of April, and it's basically meant

10:46.560 --> 10:51.440
to help the people in the southern half of Germany, lots of SMEs, getting into open source management,

10:51.440 --> 10:55.520
so these are people that probably have never heard about SBOMs, they might have heard

10:55.520 --> 11:04.080
of open source, but they didn't hear about SBOMs, it's really, we're trying to basically

11:04.080 --> 11:07.520
bring various parties together, so I actually organize a lot of events, there's also going to be an event

11:07.600 --> 11:11.680
in Amsterdam as well, where people are more related to OSPOs, but this is really meant for open source

11:11.680 --> 11:13.680
management.

11:13.680 --> 11:17.440
Oh yeah, I need to stay out of the, I don't know, you have to smack me.

11:17.440 --> 11:21.680
My, my, my, my, my nice little camera, and the nice thing is, so we're going to have a

11:21.680 --> 11:28.480
three-day event, we're doing this together with Baden-Württemberg, and the nice thing is for the

11:28.480 --> 11:32.640
small SMEs, Baden-Württemberg will make grants available to help small SMEs get started

11:32.640 --> 11:37.040
with open source management, so all the questions about SBOM tools and all the other stuff,

11:37.040 --> 11:40.000
they don't know anything about, [unclear], so that's also the

11:40.000 --> 11:45.920
nice thing, it's actually a collaboration of many different parts of the open source community

11:45.920 --> 11:51.280
basically coming together in a very nice location in Stuttgart, to really try to help

11:51.280 --> 11:55.200
basically the smaller companies that are, and I'm organizing similar events, I can also

11:55.200 --> 11:59.760
do that all over Europe, so we're doing one in March, in Amsterdam, which is basically

11:59.760 --> 12:04.880
mostly government focused, and I'm probably going to do one in Paris and in Sofia,

12:05.840 --> 12:10.480
it's pretty good for somebody who's [unclear] and just gets money from open source

12:10.480 --> 12:16.560
friends to do things, so if you have any questions or want to participate, speak, or whatever, let us know

12:16.560 --> 12:21.760
and we're happy to have the two co-organizers, Marcel is here as well, so I'll send

12:21.760 --> 12:25.600
things, if you have any questions about general open source management, so I'm not just,

12:26.560 --> 12:34.880
you can ask me anything, [unclear],

12:39.280 --> 12:48.160
other questions or announcements or whatever, or we just relax for the next 10 minutes and

12:48.560 --> 13:15.680
yeah, fuck that, it's an open mic and that's always

13:15.760 --> 13:20.000
Kate, although she's [unclear], she was

13:22.160 --> 13:29.520
gracious enough to bring us lots of nutritious things, and I also brought around 60 different chocolates

13:29.520 --> 13:40.000
and yeah, so we can survive the day, whoops, considering a get-together after this devroom,

13:40.160 --> 13:46.000
that's the thing, people trying to get together after a while from the vacation, yeah,

13:47.280 --> 13:56.320
okay, the question was, is there an interesting get-together after this, so if you're not bored

13:56.320 --> 14:01.680
of looking at the same faces for nine hours, if you want to continue that after all,

14:02.880 --> 14:06.800
I think it's free for all, I don't know, I mean, yeah,

14:06.800 --> 14:18.240
yes, Anthony has a question, I will repeat it, so yeah, go with it, also there are also

14:18.240 --> 14:24.480
a lot of issues about AI, and actually a bill of materials for AI, as part of the transparency

14:24.480 --> 14:33.680
and the EU AI Act, what comes first, and in the goodness of standards we have SPDX and

14:33.680 --> 14:38.880
CycloneDX, both having different viewpoints about the data to be captured in the AI,

14:40.560 --> 14:44.960
what are people thinking about how they're going to address [unclear] the AI

14:44.960 --> 14:52.160
Act in terms of providing the transparency, are people already developing tools, are people thinking,

14:52.160 --> 14:58.480
well, yeah, is an answer, but what are people starting to do, is that on people's horizons,

14:58.480 --> 15:08.320
really, because when we, when I was in SPDX, SPDX was starting to think about the AI BOM,

15:10.320 --> 15:16.080
so summarizing this because we were, so yeah, the question is about AI,

15:17.760 --> 15:25.920
modern software, or software that is pertaining to AI, right, and there are regulations that

15:26.000 --> 15:32.560
we have about AI, they have also a regulation about SBOMs, there are ways to express

15:32.560 --> 15:38.480
information in different standards, what do people do about it, do they produce new tools,

15:38.480 --> 15:45.360
do they use what is there, that was Anthony's question, anybody wants to offer an insight?

15:45.360 --> 15:54.240
Yeah, yeah, yeah, Helio will provide his insights.

15:58.080 --> 16:04.000
So basically it is inevitable, yeah, okay, you are already seeing people trying to use,

16:05.920 --> 16:10.480
yep, don't, so you're already seeing people trying to use AI and [unclear],

16:10.480 --> 16:16.320
well, we are seeing that, but we are changing exactly the focus, because people don't

16:16.320 --> 16:23.440
realize that what is really happening there is that after the AI-driven result is done, who evaluates

16:23.440 --> 16:29.440
these results? So basically we have two options, are you starting to teach lawyers,

16:29.440 --> 16:33.840
are you making lawyers become AI, they evaluate the results, so you make it a completely

16:33.840 --> 16:39.920
full circle, but it's not another way, we need people that understand what results are done by

16:40.480 --> 16:46.160
AI, so yep, it will happen, we can, we see tools doing that, we see people selling

16:46.160 --> 16:52.000
proper tools with that, but the question now is how we find people to evaluate these results,

16:52.880 --> 16:56.800
because no one understands anymore how this is done or the origin of the things, yeah?

17:00.080 --> 17:06.240
Thank you, Helio, just a second, yeah, you want to answer, yeah, thank you,

17:07.200 --> 17:20.240
yeah, but yeah, very short, this would be Marcel, and it would be not an answer, but an addition to that,

17:20.240 --> 17:26.480
so some of you might know that since last year we're trying to do also some

17:27.760 --> 17:34.400
dummy repositories that we use on the tooling side, right, to also have some reference inputs

17:34.560 --> 17:39.440
to test our tooling, to have this central reference, and it is on my wish list that there would

17:39.440 --> 17:45.840
be a dummy for such an AI, so if someone has an idea, it does not need to be a big one, but just

17:45.840 --> 17:52.560
that we, because I'm a hands-on guy, those who know me, I need something to play around with, so if someone

17:52.560 --> 17:58.240
has something, you're welcome to contribute with that, and then we can also have a look at it

17:59.200 --> 18:12.880
in practice, thank you, that's a great result, yes, one minute, maybe two. Hi, I'm Hank, I have never seen

18:12.880 --> 18:20.160
any of you, I think, [unclear] before, but sometimes you see me in Zoom calls, so I'm coming

18:20.160 --> 18:26.240
from the world of trustworthiness and FPGAs running models, and some people want to understand which model

18:26.240 --> 18:30.960
was activated, and [unclear], when something went wrong, that's for

18:30.960 --> 18:35.920
accountability, we were talking about lawyers, yes, they are interested in which model made the mistake,

18:35.920 --> 18:40.800
and that's an accountability problem, so what we're doing is we are creating remote attestation

18:40.800 --> 18:47.280
evidence, proofs about which model ran on which hardware, which was typically FPGA arrays,

18:47.280 --> 18:53.120
and then we create evidence about that, in order to make that evidence actually actionable in a

18:53.120 --> 19:00.640
legal sense, we are using e-notaries, which is a transparency service, and then we just create a,

19:00.640 --> 19:06.320
I want to say, a receipt that this has happened, and this receipt will survive the existence of any

19:06.320 --> 19:10.880
other certificate that lives, that all these have life spans, and they're basically enshrined

19:10.880 --> 19:17.280
in append-only ledgers, I'm not allowed to say [unclear], so it's an append-only ledger of a certain

19:17.360 --> 19:23.920
constraint, and so what we actually have to put in there is an interesting thing, that is

19:23.920 --> 19:29.120
the association of model to hardware, and if this is a BOM that would be great, if this is a

19:29.120 --> 19:33.120
standardized BOM that would be even greater, but at the moment we are just going with the evidence

19:33.120 --> 19:39.200
that this hardware environment has some software running on it, and that's all, it could be better.

19:41.280 --> 19:46.320
Thank you, Hank, so we managed to fill up this empty space,

19:47.280 --> 19:52.960
if we'd like to be able to create a found description of the sequence,

19:53.120 --> 19:57.040
we'd like to open them.

