Open-source News

SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security

The Linux Foundation - Wed, 05/26/2021 - 04:28

Author: Kate Stewart, VP of Dependable Systems, The Linux Foundation

In a previous Linux Foundation blog, David A. Wheeler, director of LF Supply Chain Security, discussed how capabilities built by Linux Foundation communities can be used to address the software supply chain security requirements set by the US Executive Order on Cybersecurity. 

One of those capabilities, SPDX, fully addresses the requirements of sections 4(e), 4(f), and 10(j) of the Executive Order for a Software Bill of Materials (SBOM). The SPDX specification is implemented as a file format that identifies the software components within a larger piece of computer software, together with metadata such as the licenses of those components.

SPDX is an open standard for communicating software bill of material (SBOM) information, including components, licenses, copyrights, and security references. It has a rich ecosystem of existing tools that provides a common format for companies and communities to share important data to streamline and improve the identification and monitoring of software.
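As an added illustration (not code from this post or from the SPDX project), the block below embeds a constructed SPDX 2.2 tag-value document and a small parser that pulls out each package's version, concluded license and SECURITY external references, then lists the packages that carry none; the package names, version numbers, CPE string and URL are made up.

```python
import re

# Constructed SPDX 2.2 tag-value SBOM with two packages; all values are illustrative.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.invalid/spdx/example-app-1.0
Creator: Tool: example-generator-0.1
Created: 2021-05-26T00:00:00Z

PackageName: example-lib
SPDXID: SPDXRef-Package-example-lib
PackageVersion: 1.4.2
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Apache-2.0
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example_org:example_lib:1.4.2:*:*:*:*:*:*:*

PackageName: helper-tool
SPDXID: SPDXRef-Package-helper-tool
PackageVersion: 0.9.0
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: MIT
"""

# One "Tag: value" pair per line is the tag-value layout; other lines are skipped.
TAG_RE = re.compile(r"^(\w+):\s*(.*)$")

def parse_packages(text):
    """Collect each package's version, concluded license and SECURITY refs."""
    packages, current = [], None
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":  # a new PackageName opens a new package section
            current = {"name": value, "version": None, "license": None, "security_refs": []}
            packages.append(current)
        elif current is None:
            continue  # document-level header fields precede the first package
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "PackageLicenseConcluded":
            current["license"] = value
        elif tag == "ExternalRef":  # form: <category> <type> <locator>
            category, ref_type, locator = value.split(None, 2)
            if category == "SECURITY":
                current["security_refs"].append((ref_type, locator))
    return packages

def packages_without_security_ref(packages):
    """Packages with no SECURITY reference cannot be matched to advisories by identifier."""
    return [p["name"] for p in packages if not p["security_refs"]]
```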

SBOMs have numerous use cases. They have frequently been used in areas such as license compliance but are equally useful in security, export control, and broader processes such as mergers and acquisitions (M&A) or venture capital investments. SPDX maintains an active community to support these various uses, modeling its governance and activity on the same format that has successfully supported open source software projects over the past three decades.

The LF has been developing and refining SPDX for over ten years and has seen extensive uptake by companies and projects in the software industry. Notable recent examples are the contributions by companies such as Hitachi, Fujitsu, and Toshiba in furthering the standard via optional profiles like “SPDX Lite” in the SPDX 2.2 specification release, and in supporting SPDX SBOMs in proprietary and open source automation solutions.

This de facto standard has been submitted to ISO via the Joint Development Foundation using the PAS Transposition process of Joint Technical Committee 1 (JTC1). It is currently in the enquiry phase of the process and can be reviewed on the ISO website as ISO/IEC DIS 5962.

There is a wide range of open source tooling available today, and commercial tool options are emerging as well. Companies such as FOSSID and Synopsys have been working with the SPDX format for several years. Open source tools like FOSSology (source code analysis), OSS Review Toolkit (generation from CI and build infrastructure), Tern (container content analysis), Quartermaster (build extensions), and ScanCode (source code analysis), in addition to the SPDX-tools project, have standardized on SPDX for interchange and also participate in the Automated Compliance Tooling (ACT) project umbrella. ACT was discussed as a community-driven solution for software supply chain security remediation in our synopsis of the findings of the Vulnerabilities in the Core study, which was published by the Linux Foundation and Harvard University LISH in February 2020.

One thing is clear: A software bill of materials that can be shared without friction between different teams and companies will be a core part of software development and deployment in this coming decade. The sharing of software metadata will take different forms, including manual and automated reviews, but the core structures will remain the same. 

Standardization in this field, as in others, is the key to success. This domain has an advantage in that we are benefiting from an entire decade of prior work in SPDX. Therefore the process becomes the implementation of this standard to the various domains rather than the creation, expansion, or additional refinement of new or budding approaches to the matter.

Start using the SPDX specification here: https://spdx.github.io/spdx-spec/. Development of the next revision is underway, so if there’s a use case you can’t represent with the current specification, open an issue; this is the right window for input.

To learn more about the many facets of the SPDX project see: https://spdx.dev/

The post SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security appeared first on Linux Foundation.

Chrome 91 Released With Gravity Sensor API, JSON Modules, WebAssembly SIMD

Phoronix - Wed, 05/26/2021 - 03:42
Google has released Chrome 91 as a rather exciting feature update to their open-source, cross-platform web browser...

Linux 5.14 To Allow Hot Unplug Of AMD Radeon GPUs

Phoronix - Wed, 05/26/2021 - 03:18
Linux 5.14 to debut later in the summer will allow for hot unplugging of AMD Radeon graphics cards such as when using an external GPU enclosure or passing back a GPU from a virtual machine to the host. Up until now the AMDGPU kernel driver hasn't cooperated nicely with the Radeon GPU for hot unplug events...

Half-Double: A New DRAM Rowhammer Vulnerability

Phoronix - Wed, 05/26/2021 - 00:32
The Rowhammer security exploit affecting DRAM memory modules has a new chapter, with Google now detailing "half-double" as a new technique for exploiting system memory...

DragonFlyBSD 6.0 Is Performing Very Well Against Ubuntu Linux, FreeBSD 13.0

Phoronix - Tue, 05/25/2021 - 22:52
Earlier this month in our initial benchmarking of DragonFlyBSD 6.0 we found DragonFlyBSD 6.0 performing much better than DragonFlyBSD 5.8, but how does its performance compare against FreeBSD 13.0 and Ubuntu Linux? Here are such benchmarks in our latest round of testing of DragonFlyBSD 6.0, FreeBSD 13.0 (with both GCC and Clang), and Ubuntu Linux.

Linux 5.14 To Support F2FS Read-Only Feature

Phoronix - Tue, 05/25/2021 - 21:22
With the Linux 5.14 cycle this summer, the Flash-Friendly File-System (F2FS) should land its new "RO" feature for a read-only mode...

Arm Announces The Cortex-X2 Armv9 Flagship CPU, Cortex-A710, Cortex-A510

Phoronix - Tue, 05/25/2021 - 21:06
Arm today announced the Cortex-X2 as their new flagship Armv9 processor design...
