Comment by halJordan
It shouldn't be a "get the foreigners!" situation. Sure, that is a method of solving the symptoms. But what you're really asking for is ... a software bill of materials. Why don't we have that yet? Because it's cheaper to get ripped off than it is to pay for a BOM. That's the real problem.
SBOMs exist. You can get them generated for most software via package managers in standard forms like CycloneDX.
It's just not that effective when the SBOM becomes unmanageable. For example, our JS project at $work has 2.3k dependencies just from npm. I can give you that SBOM (and even include the system deps with nix) but that won't really help you.
They are only really effective when the size is reasonable.
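One way to make an oversized SBOM actionable, as an added example that is not from either commenter: this script reads the `dependencies` graph of a CycloneDX JSON document and reports, per direct dependency, how many packages it transitively pulls in and how many only it pulls in (so you know which direct deps are worth trimming or auditing first). The sample SBOM and its package names are constructed, not a real project's.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.4-shaped document (names are made up). The root
# component "app" has two direct deps; "webframework" drags in a subtree and
# shares "charset" with "tinyutil".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:npm/app@1.0.0", "name": "app"}},
    "components": [
        {"bom-ref": "pkg:npm/webframework@4.0.0", "name": "webframework"},
        {"bom-ref": "pkg:npm/tinyutil@1.2.0", "name": "tinyutil"},
        {"bom-ref": "pkg:npm/parser@2.1.0", "name": "parser"},
        {"bom-ref": "pkg:npm/logger@3.0.0", "name": "logger"},
        {"bom-ref": "pkg:npm/charset@0.9.0", "name": "charset"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/app@1.0.0",
         "dependsOn": ["pkg:npm/webframework@4.0.0", "pkg:npm/tinyutil@1.2.0"]},
        {"ref": "pkg:npm/webframework@4.0.0",
         "dependsOn": ["pkg:npm/parser@2.1.0", "pkg:npm/logger@3.0.0"]},
        {"ref": "pkg:npm/parser@2.1.0", "dependsOn": ["pkg:npm/charset@0.9.0"]},
        {"ref": "pkg:npm/logger@3.0.0", "dependsOn": ["pkg:npm/charset@0.9.0"]},
        {"ref": "pkg:npm/tinyutil@1.2.0", "dependsOn": ["pkg:npm/charset@0.9.0"]},
    ],
})


def load_graph(sbom_json: str):
    """Return (root bom-ref, adjacency dict) from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    graph = defaultdict(list)
    for entry in bom.get("dependencies", []):
        graph[entry["ref"]].extend(entry.get("dependsOn", []))
    return root, graph


def reachable(graph, start):
    """Every ref transitively reachable from start (start itself excluded); cycle-safe."""
    seen, stack = set(), list(graph.get(start, []))
    while stack:
        ref = stack.pop()
        if ref in seen or ref == start:
            continue
        seen.add(ref)
        stack.extend(graph.get(ref, []))
    return seen


def triage(sbom_json: str):
    """Per direct dependency: size of its subtree, and how much of it nothing else pulls in."""
    root, graph = load_graph(sbom_json)
    direct = list(graph.get(root, []))
    closures = {d: reachable(graph, d) | {d} for d in direct}
    report = {"direct": len(direct), "total": len(set().union(*closures.values())), "by_direct": {}}
    for d in direct:
        others = set().union(*(c for k, c in closures.items() if k != d))
        report["by_direct"][d] = {"pulls_in": len(closures[d]) - 1,
                                  "exclusive": len(closures[d] - others)}
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SBOM), indent=2))
```

Point it at a real export (e.g. the output of a CycloneDX npm generator) and sort `by_direct` by `exclusive` to see which direct dependencies would shrink the SBOM the most if replaced.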