Anyone who thought computer security problems were some abstract trouble that had little to do with their daily life was rudely awakened recently. The Colonial Pipeline ransomware attack[1] saw gas and oil deliveries shut down throughout the southeast. Cybersecurity failures had already become a major problem with the SolarWinds software supply chain attack[2] and the FBI having to step in to fix broken Microsoft Exchange servers[3]. So, on May 12th President Joe Biden signed an executive order[4] to boost the federal government's cyber defenses and to warn all of America that technology security must be job one now. The Linux Foundation and its related organizations are stepping up to improve Linux and open-source security[5].
The executive order recognized the vital importance of open-source software. It reads in part: "Within 90 days of publication of the preliminary guidelines … shall issue guidance identifying practices that enhance the security of the software supply chain." Open-source software is specifically named.
The government must ensure "to the extent practicable, to the integrity and provenance of open-source software used within any portion of a product." Specifically, it must try to provide a Software Bill of Materials (SBOM). "This is a formal record containing the details and supply chain relationships of various components used in building software." It's an especially important issue with open-source software because:
Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available