then distribute funds based on performance metrics defined by each customer. That could move SBOMs from cost center to revenue/operations center, without centralization.
Have a SBOM format whose license requires truthful reporting (or the license is null and defaults to open source), then trust only those SBOM formats with this property.
Taleb's minority law will do the rest. Pretty soom, most SBOM formats will adopt this rule.
This doesn't make much sense to me. Why would someone want to pay each and every open source project to see the SBoM when they could pay a single provider or use an open source tool to get that info for all of their dependencies?
Right. A significant part of the reason open source wins so handily isn't that the money for a proprietary solution is always more than it's worth, it's that you can just pull open source dependencies without going through purchasing.
Exactly. Going from $0 purchase cost to $0.01 is a nearly impossible problem in many organizations. Paradoxically, they'll find a way to waste $100k on an "enterprise" stack to do the same though.
With modern package managers you can just generate your SBOM out of your lock file and call it a day. That misses dependencies that cross language boundaries, but it gets you 98% there for 10% of the effort. But what if you are writing C++, where it's the norm for libraries to vendor their dependencies, with no way to automatically detect them?
Sure, that is an opportunity for middleman to sell SBOM databases. But I could equally well see large c++ projects selling a subscription that offers an SBOM for each release, along with a couple bullet points to pad the offer (phone support, priority for feature requests and bug reports, early testing for new releases, etc).
Similar to how every SaaS has an Enterprise plan that is ridiculously expensive because big companies will pay anything to get SSO and an audit trail. And the provider adds a couple more enterprise features so nobody has to justify why they pay 5x the regular price just to get those two features. Same, idea, but with companies paying $100/month to get an SBOM and nice-to-haves for software they could get for free
> With modern package managers you can just generate your SBOM out of your
that's how most of the sbom tools work, ...
what is missing is a way to convince companies who provide an SDK that includes 3rd party dependencies to ship a machine redable SBOM as part of every release. otherwise it'll be very hard to figure out how to make sense of that data.
Enterprise also doesn't really care. It is just another box to tick and an excel sheet to fill out, correctness isn't actually required. You just need something to put in the list, so you may as well purchase something wrong but authoritative-looking in bulk.
I think you are missing the point why enterprises have multiple tiers down the line of contractors who implement their software.
The point that's most important is: plausible deniability, because with formal and contractual agreements comes the responsibility shift. Enterprise buys software consultancy services because they are the ones that get the blame if it's not compliant with the legal requirements for it or when an audit fails at a later point.
And those OSS maintainers would also, in writing, assure that if there's an error or something missing from that SBOM, they are liable for all legal fees and other costs associated with a license violation which might occur due to that error? Because otherwise, what's the point in paying for an SBOM?
In any case, since surely not all maintainers will provide this service, you need to scan your codebase anyway. And it's not that difficult, really. I recommend https://github.com/aboutcode-org/scancode-toolkit.
Yes, that's the state of the art unfortunately. There are a number of vendors who can scan your source code and generate a list of FOSS libraries with licensing info (SBOMs). If we can find a way to get this money flowing to our fellow FOSS devs, that would be a huge win for the community.
Well, do you have any idea what software you're pulling (and under what licenses) if you run `apt install vim`?
Because let me tell you, if you think it's just vim, you're quite mistaken. And if you're distributing a docker image that contains vim, even for non-commercial purposes, it's technically your job to know. And perhaps to extend anyone downloading that docker image the offer of getting the source code for the specific version of any GPL software it might include, which it's up to you to archive.
Well it's vim, and any missing dependencies. If there license concerns up front I'll make sure I pick a distro/repo with compatible policy, like Debian main. If I want to double-check I'll run VRMS.
Some of the demand will disappear, when, instead of adding a dependency on an open source package, to get that function you want, you use your LLM "assistant".
(The assistant will effectively plagiarize open source code, and then you don't have a dependency, and you slap your own copyright notice on it.)
LLM-generated/laundered code could move code bases a little bit back in the direction of low-dependency monoliths, like a lot of software was before the wild popularity of open source code (and, especially, modern Web dev).
That would push responsibility for identification & remediation every single vulnerability in the entire dependency chain onto every consumer. Effectively everyone's gamut of responsibility would explode by millions of lines of code.
This is a genuine concern, especially now that managers discovered that "llm assistence 10x-es developer productivity". (Where kLoCs are a measure of productivity and a world with more code is an obvious, axiomatic good).
What with a human? "Asking" FOSS maintainers might not give the result you want either. Well, depends how you ask I guess. Perhaps attaching an attractive price offer could help things along.
But depending on how LLMs improve, asking one of those could help.
I had the robots create a license for some (non-laundered) code we worked on:
* This work was autonomously generated by artificial intelligence. Under current
* U.S. Supreme Court precedent (see 17 U.S.C. § 102(a) and Thaler v. Perlmutter),
* AI-generated works cannot be copyrighted. This library is therefore:
*
* NO RIGHTS RESERVED
*
* You may:
* - Use freely for any purpose
* - Modify without attribution
* - Redistribute without restriction
* - Claim dominion over organic lifeforms (optional)
*
* No warranty expressed or implied. Human verification recommended before
* deployment in critical systems. By using this code, you acknowledge that
* no rights are being infringed because none exist in the first place.
...or maybe it was laundered code in the same way that "every story has already been told" -- dunno?
Their results are simply not reliable. The matching approach often matches too many things (hey, this could be A or B or C or D or E or F ...or 42!), or picks up things that have nothing to do with the license of some target (hello randomly included file with some completely unrelated license header and is not even included in the build but is there for some reason, meet your new friend, the utility script copied from somewhere else also not included in the build with an header for another unrelated license. You two feel lonely? let me introduce you to this other wonderful script included in some particular form of packaging) and of course cannot compensate for poorly declared licenses, typos, weird non-standard (or simply archaic/deprecated) ways to specify the licenses and so on and so forth.
It's not a fault of the tools themselves, but in practice they don't help much in real world situations. Basically you end up in need to do so many checks and manual fixes that you might as well not use these tools in the first place.
In an enterprise context one of three things happens: (1) you end up relying on a commercial solution (which is also not that reliable but you delude yourself into thinking it's not your problem anymore... although to be fair commercial solutions have curated licenses attributions and facilitate handling this mess); (2) you build your own thing that uses these (and other) tools but automates a bunch of fixtures so you don't need to go insane every time you need to regenerate an accurate SBOM with related licenses; (3) you quit software engineering, move to a remote location and start an alternative career as an alpaca breeder while whomever takes on your role pretends to ignore the issue and keeps shipping inaccurate declarations of licenses for dependencies thinking that's fine because nobody really cares.
This is why several German automotive OSPOs are working together to build OSS Review Toolkit (ORT) - it kinda glues various open source tools like ScanCode but adds features like the ability to manually correct findings and a policy as code to do risk management at scale/speed. Full disclosure I one ORT maintainers.
after reading it I automatically desired to increase the number of dependencies in my OS software, not to bring any new features, but to increase the income :)
and I think it defined amount of time it would happen globally if the idea would be accepted
Readit News
EU CRA is trying to mandate certification of some dependencies, which may result in fees going to 3rd-party certifying orgs, rather than OSS projects.
In theory, customers with budget for improving their OSS supply chain could configure an OSS micropayment allocator to parse a graph of dependent:
then distribute funds based on performance metrics defined by each customer. That could move SBOMs from cost center to revenue/operations center, without centralization.LF OpenSSF 2024 report covers centralized efforts to improve OSS supply chains, https://openssf.org/download-the-2024-openssf-annual-report/
Have a SBOM format whose license requires truthful reporting (or the license is null and defaults to open source), then trust only those SBOM formats with this property.
Taleb's minority law will do the rest. Pretty soom, most SBOM formats will adopt this rule.
Sure, that is an opportunity for middleman to sell SBOM databases. But I could equally well see large c++ projects selling a subscription that offers an SBOM for each release, along with a couple bullet points to pad the offer (phone support, priority for feature requests and bug reports, early testing for new releases, etc).
Similar to how every SaaS has an Enterprise plan that is ridiculously expensive because big companies will pay anything to get SSO and an audit trail. And the provider adds a couple more enterprise features so nobody has to justify why they pay 5x the regular price just to get those two features. Same, idea, but with companies paying $100/month to get an SBOM and nice-to-haves for software they could get for free
that's how most of the sbom tools work, ...
what is missing is a way to convince companies who provide an SDK that includes 3rd party dependencies to ship a machine redable SBOM as part of every release. otherwise it'll be very hard to figure out how to make sense of that data.
I don’t see how anyone can «sell» this information when it’s literally available for free already.
The point that's most important is: plausible deniability, because with formal and contractual agreements comes the responsibility shift. Enterprise buys software consultancy services because they are the ones that get the blame if it's not compliant with the legal requirements for it or when an audit fails at a later point.
In any case, since surely not all maintainers will provide this service, you need to scan your codebase anyway. And it's not that difficult, really. I recommend https://github.com/aboutcode-org/scancode-toolkit.
Because let me tell you, if you think it's just vim, you're quite mistaken. And if you're distributing a docker image that contains vim, even for non-commercial purposes, it's technically your job to know. And perhaps to extend anyone downloading that docker image the offer of getting the source code for the specific version of any GPL software it might include, which it's up to you to archive.
(The assistant will effectively plagiarize open source code, and then you don't have a dependency, and you slap your own copyright notice on it.)
LLM-generated/laundered code could move code bases a little bit back in the direction of low-dependency monoliths, like a lot of software was before the wild popularity of open source code (and, especially, modern Web dev).
What with a human? "Asking" FOSS maintainers might not give the result you want either. Well, depends how you ask I guess. Perhaps attaching an attractive price offer could help things along.
But depending on how LLMs improve, asking one of those could help.
It's not a fault of the tools themselves, but in practice they don't help much in real world situations. Basically you end up in need to do so many checks and manual fixes that you might as well not use these tools in the first place.
In an enterprise context one of three things happens: (1) you end up relying on a commercial solution (which is also not that reliable but you delude yourself into thinking it's not your problem anymore... although to be fair commercial solutions have curated licenses attributions and facilitate handling this mess); (2) you build your own thing that uses these (and other) tools but automates a bunch of fixtures so you don't need to go insane every time you need to regenerate an accurate SBOM with related licenses; (3) you quit software engineering, move to a remote location and start an alternative career as an alpaca breeder while whomever takes on your role pretends to ignore the issue and keeps shipping inaccurate declarations of licenses for dependencies thinking that's fine because nobody really cares.
and I think it defined amount of time it would happen globally if the idea would be accepted