Reply to post: Re: I'm not so sure...

SBOM is a 'massive galaxy of mess' for supply chain security

Anonymous Coward
Anonymous Coward

Re: I'm not so sure...

+1 to mirroring but an approval process is also mandatory - with and without mirroring.

Every included module in code should also be vetted and approved to clarify if: the package is actively maintained, has a compatible license, we have purchased a support contract (give back people), has no CVE's, has no insecure secrets, etc, etc.

I work for a security vendor that does code scanning (so anon) and SBOM is coming but remembering 'leftpad' breaking the Internet, local mirrors are a no-brainer.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon