WEBVTT

00:00.000 --> 00:10.000
Thank you.

00:10.000 --> 00:13.000
Sorry for the delay.

00:13.000 --> 00:17.000
There's always technical issues.

00:17.000 --> 00:19.000
My name is Salve Nilsen.

00:19.000 --> 00:24.000
I'm involved in a group called the CPAN Security Group.

00:24.000 --> 00:29.000
I'm a new person, a new member of the FOSDEM community.

00:29.000 --> 00:31.000
And I'm going to share some interesting stuff with you.

00:31.000 --> 00:36.000
I was hoping the technical stuff here would be a little bit easy to handle,

00:36.000 --> 00:39.000
but everything is going wrong today.

00:39.000 --> 00:42.000
So we'll see how we manage.

00:42.000 --> 00:44.000
A little bit about myself.

00:44.000 --> 00:49.000
Let's see if we can get connection to the screen here.

00:49.000 --> 00:51.000
The real topic should really be:

00:51.000 --> 00:55.000
where in all of the supply chain does the metadata come from?

00:55.000 --> 00:59.000
But attributes and metadata,

00:59.000 --> 01:01.000
it's like a key and value pair.

01:01.000 --> 01:05.000
So just assume I mean both.

01:05.000 --> 01:10.000
So why should we even ask about where our metadata comes from?

01:10.000 --> 01:13.000
There's one major reason for us in Europe,

01:13.000 --> 01:17.000
and that comes from the European Union and the Cyber Resilience Act,

01:17.000 --> 01:21.000
which says supplying incorrect, incomplete or misleading information

01:21.000 --> 01:26.000
may be fined up to 5 million euros or 1% of global turnover.

01:26.000 --> 01:31.000
So somebody is threatening us.

01:31.000 --> 01:34.000
And the references are in the slides.

01:34.000 --> 01:40.000
I'll make them available through the organizers later on, on the FOSDEM website.

01:40.000 --> 01:42.000
So this is awesome.

01:42.000 --> 01:46.000
But now that I've shown you some text from the Cyber Resilience Act,

01:46.000 --> 01:48.000
I have to point out I'm not a lawyer.

01:48.000 --> 01:52.000
I'm actually not even an authority of any kind. I'm just a volunteer.

01:52.000 --> 01:56.000
So I'm at the lowest rank in the open source community,

01:56.000 --> 02:00.000
and you should take everything with a pinch of salt,

02:00.000 --> 02:04.000
but I hope it's still useful though.

02:04.000 --> 02:09.000
And what I'm showing you is my own studies over the last year or so.

02:09.000 --> 02:12.000
It's a work in progress. If you find something wrong,

02:12.000 --> 02:14.000
it's okay, just tell me about it.

02:14.000 --> 02:18.000
I can improve it, so this can be a useful resource for everybody.

02:18.000 --> 02:21.000
And yes, contributions are appreciated.

02:21.000 --> 02:24.000
This is basically based on open sources,

02:24.000 --> 02:29.000
Attribution-ShareAlike, published on the CPAN Security Group website,

02:29.000 --> 02:32.000
and I would love to hear some feedback.

02:32.000 --> 02:37.000
So I'm bringing an ecosystem perspective.

02:37.000 --> 02:41.000
What you see on the left here is an open source ecosystem

02:41.000 --> 02:45.000
in an idealized way, with the different roles

02:45.000 --> 02:49.000
that do something, hidden behind a bunch of names here.

02:49.000 --> 02:52.000
Maintainer; collaboration platform would be GitHub.

02:52.000 --> 02:55.000
Language ecosystem would be PyPI, CPAN;

02:55.000 --> 02:58.000
the package ecosystem would be the Debians,

02:58.000 --> 03:03.000
and the container registry is out there.

03:03.000 --> 03:06.000
There's a new thing called the Steward.

03:06.000 --> 03:08.000
There are contributors in here, of course,

03:09.000 --> 03:11.000
and the manufacturer would be an integrator,

03:11.000 --> 03:13.000
somebody who writes applications and makes something

03:13.000 --> 03:16.000
valuable that somebody's willing to pay for.

03:16.000 --> 03:18.000
At the bottom, you have a customer who cares,

03:18.000 --> 03:23.000
or a market authority who wants to check if the metadata is correct.

03:23.000 --> 03:26.000
I'll try to quickly go through all these.

03:26.000 --> 03:29.000
I think that we have a short time, so I'll have to rush a bit.

03:29.000 --> 03:34.000
I hope this doesn't make this a horrible talk,

03:34.000 --> 03:37.000
but we'll see what we're going to do.

03:37.000 --> 03:40.000
Might also cover a few more points.

03:40.000 --> 03:43.000
So just for the colors here:

03:43.000 --> 03:45.000
these are things we do with metadata.

03:45.000 --> 03:47.000
We create them, we contribute to the metadata,

03:47.000 --> 03:51.000
we distribute them, we verify them, and we consume the metadata.

03:51.000 --> 03:54.000
And each of these different roles throughout the ecosystem

03:54.000 --> 03:58.000
will be doing something with the metadata.

03:58.000 --> 04:02.000
Here are a few of the actors you can find throughout the ecosystem.

04:02.000 --> 04:04.000
These are not all of them,

04:04.000 --> 04:06.000
just the ones I've found in my research.

04:06.000 --> 04:08.000
I've tried to figure them out, and naming some of them

04:08.000 --> 04:11.000
has been a struggle.

04:11.000 --> 04:15.000
A custodian, for example, is an actual role.

04:15.000 --> 04:18.000
You can find that role on behalf of an open-source project,

04:18.000 --> 04:23.000
to take care of it if the original author or maintainer

04:23.000 --> 04:25.000
is not available anymore.

04:25.000 --> 04:29.000
He left, or she was run over by a tram,

04:29.000 --> 04:31.000
or it could be anything.

04:31.000 --> 04:34.000
Somebody takes care of it because the code needs to exist

04:34.000 --> 04:38.000
and if there's a security issue, somebody has to take care of it,

04:38.000 --> 04:42.000
but they don't own it or they cannot take full responsibility.

04:42.000 --> 04:46.000
There are a lot of them; this is simplified a bit.

04:46.000 --> 04:50.000
Here are the ones that are significant when it comes to metadata

04:50.000 --> 04:52.000
and I've ordered them a little bit.

04:52.000 --> 04:58.000
This is the order, from the top to the bottom.

04:58.000 --> 05:00.000
The author and the maintainers are at the top.

05:00.000 --> 05:02.000
You have a custodian, then all the contributors.

05:02.000 --> 05:04.000
Somebody builds the packages.

05:04.000 --> 05:07.000
Somebody's a curator, who decides where it's published.

05:07.000 --> 05:10.000
There's a steward there, coming soon.

05:10.000 --> 05:13.000
Somebody patches the packages.

05:13.000 --> 05:15.000
Somebody packages the packages.

05:15.000 --> 05:17.000
Somebody assembles the containers

05:17.000 --> 05:19.000
with all the packages in it.

05:19.000 --> 05:21.000
Somebody integrates something.

05:21.000 --> 05:22.000
Something is being deployed.

05:22.000 --> 05:24.000
And each of those steps will influence the provenance

05:24.000 --> 05:27.000
of the metadata that are being produced.

05:27.000 --> 05:32.000
And all of these are sources, potential or actual sources,

05:32.000 --> 05:36.000
of the required metadata that we are threatened with the fine for.

05:36.000 --> 05:42.000
So that's already one of the questions that I asked in the talk description.

05:42.000 --> 05:43.000
There you have it.

05:43.000 --> 05:45.000
These are some of the people.

05:45.000 --> 05:47.000
We should know about them.

05:47.000 --> 05:51.000
And we probably also have to talk with them.

05:51.000 --> 05:54.000
Because they have information we need.

05:55.000 --> 05:56.000
So those are the actors.

05:56.000 --> 05:58.000
We have a bunch of attributes.

05:58.000 --> 06:00.000
We want to care about them.

06:00.000 --> 06:03.000
We have some metadata about the metadata.

06:03.000 --> 06:06.000
Of course, you guys probably know this by heart.

06:06.000 --> 06:10.000
Some of those who are on the other side of the camera might not.

06:10.000 --> 06:13.000
I'll be sharing some of these.

06:13.000 --> 06:15.000
These are the basic ones from SBOMs,

06:15.000 --> 06:17.000
the NTIA's.

06:17.000 --> 06:19.000
The minimum elements should be known.

06:19.000 --> 06:22.000
A few more here in bold from them.

06:23.000 --> 06:28.000
CISA added a few more metadata with a framing document.

06:28.000 --> 06:31.000
CISA adding more data,

06:31.000 --> 06:36.000
because they want to make things work in their regime.

06:36.000 --> 06:41.000
The German BSI,

06:41.000 --> 06:46.000
the information technology regulators,

06:46.000 --> 06:49.000
they added a few more, hidden in there.

06:49.000 --> 06:51.000
They are in bold.

06:51.000 --> 06:53.000
Please trust me.

06:53.000 --> 06:56.000
There's a reference there if you want in blue.

06:56.000 --> 07:01.000
And the Securities and Exchange Board in India also wants a bunch of stuff.

07:01.000 --> 07:04.000
And I'm trying to make a point here.

07:04.000 --> 07:12.000
There's a trend going on of more and more attributes being added.

07:12.000 --> 07:15.000
And in the ecosystem,

07:15.000 --> 07:21.000
the people who need to write the tooling and who are writing the services,

07:21.000 --> 07:26.000
and who have to update specifications to handle all these new metadata,

07:26.000 --> 07:31.000
we are throwing our hands in the air and saying, you know, where is this going?

07:31.000 --> 07:37.000
If every country is going to add their own metadata, this is going to explode.

07:37.000 --> 07:39.000
And it will be horrible.

07:39.000 --> 07:43.000
Because these open source ecosystems, all of them,

07:43.000 --> 07:47.000
have a lot of constraints to work under.

07:47.000 --> 07:50.000
The ecosystem cannot break.

07:50.000 --> 07:53.000
They have to keep on being compatible.

07:53.000 --> 07:57.000
So people can upgrade tooling and make sure that it continues to work.

07:57.000 --> 08:00.000
We have to think about forwards and backwards compatibility.

08:00.000 --> 08:03.000
We have to make sure that any upgrades that happen

08:03.000 --> 08:07.000
among the users and the businesses out there that have used this tooling,

08:07.000 --> 08:10.000
that those upgrades happen without any problems.

08:10.000 --> 08:16.000
And there's a lot of work around information and outreach to teach people that it's time to upgrade,

08:16.000 --> 08:18.000
these are the new features.

08:18.000 --> 08:23.000
And all this happens with volunteer work.

08:23.000 --> 08:25.000
This is maybe not for you guys.

08:25.000 --> 08:26.000
You are FOSDEM.

08:26.000 --> 08:28.000
You know this stuff. On the other side of the camera,

08:28.000 --> 08:34.000
maybe there are some regulators who are maybe not completely aware of this.

08:34.000 --> 08:40.000
So the usual ecosystem response when somebody comes and asks, at least in my community,

08:40.000 --> 08:46.000
if someone asks for a feature, they say: well volunteered!

08:46.000 --> 08:53.000
Thank you for your thoughtful input and your contributions.

08:53.000 --> 08:59.000
So who's going to volunteer to make all of this?

08:59.000 --> 09:04.000
Maybe it's a little bit unfair to ask the regulators to do this.

09:04.000 --> 09:07.000
We do have a bunch of people who are involved already.

09:07.000 --> 09:09.000
So the ecosystem people, we are all in there,

09:09.000 --> 09:11.000
and we have stuff to do.

09:11.000 --> 09:15.000
Standards people, yes, we know how this works.

09:15.000 --> 09:19.000
There is a lot of awesome stuff that's happening there.

09:19.000 --> 09:24.000
And we have now a new part, a new member: the regulators.

09:24.000 --> 09:27.000
They come forward: we need features.

09:27.000 --> 09:32.000
Of course, they are not in the business of writing bug reports.

09:32.000 --> 09:35.000
They need to work on a different level.

09:35.000 --> 09:41.000
But in a sense, they are still part of the open source community, you could say.

09:41.000 --> 09:43.000
So here's the second question.

09:43.000 --> 09:45.000
Where do the attributes come from?

09:45.000 --> 09:46.000
Well, all three:

09:46.000 --> 09:49.000
ecosystem people about the technical fields,

09:49.000 --> 09:54.000
standards people about the metadata about metadata and the other fields,

09:54.000 --> 09:58.000
and regulators about things that they feel are necessary.

09:58.000 --> 10:02.000
So we have no one we can point at now.

10:02.000 --> 10:03.000
Awesome.

10:03.000 --> 10:04.000
This is cool.

10:04.000 --> 10:17.000
Now, I would like to do a little bit of a quick poll with you guys here.

10:17.000 --> 10:19.000
Can everybody see this?

10:19.000 --> 10:21.000
So this is a sign.

10:21.000 --> 10:22.000
I'm going to raise it.

10:22.000 --> 10:27.000
And when I raise it, I want everybody to clap.

10:27.000 --> 10:29.000
Awesome.

10:29.000 --> 10:30.000
One more time.

10:30.000 --> 10:31.000
Brilliant.

10:31.000 --> 10:32.000
Okay.

10:32.000 --> 10:36.000
For those on the other side of the camera, this is what it sounds like when everybody claps.

10:36.000 --> 10:41.000
Now, only the first row claps, when I raise it.

10:41.000 --> 10:44.000
Just you clap.

10:44.000 --> 10:45.000
Okay.

10:45.000 --> 10:50.000
So if everybody agrees with me, you now know how this sounds.

10:50.000 --> 10:55.000
And if only one person agrees with me, you know how that sounds on the other side of the camera.

10:55.000 --> 10:57.000
Can you hear me?

10:57.000 --> 10:58.000
Can you see me?

10:58.000 --> 11:01.000
I know, it's your mic.

11:01.000 --> 11:02.000
Yeah.

11:02.000 --> 11:04.000
Well, we'll hope.

11:04.000 --> 11:07.000
Let's see how this goes.

11:07.000 --> 11:09.000
So component attributes.

11:09.000 --> 11:14.000
Let's do a clap for each one of these: is this useful?

11:14.000 --> 11:18.000
When I show the sign, you clap.

11:18.000 --> 11:20.000
Primary component name.

11:20.000 --> 11:22.000
Version.

11:22.000 --> 11:23.000
Purpose.

11:23.000 --> 11:25.000
Supplier name.

11:25.000 --> 11:27.000
Security contact.

11:27.000 --> 11:29.000
Copyright notice.

11:29.000 --> 11:31.000
Licenses.

11:31.000 --> 11:33.000
Unique product ID.

11:33.000 --> 11:35.000
Cryptographic hash.

11:35.000 --> 11:38.000
Primary component file name.

11:38.000 --> 11:40.000
Not that much.

11:40.000 --> 11:41.000
Dependencies.

11:42.000 --> 11:43.000
Everybody knows that.

11:43.000 --> 11:45.000
Dependency relationship.

11:45.000 --> 11:46.000
Yes.

11:46.000 --> 11:48.000
SBOM author.

11:48.000 --> 11:49.000
Few like that.

11:49.000 --> 11:51.000
Creation timestamp.

11:51.000 --> 11:54.000
The format of the SBOM.

11:54.000 --> 11:56.000
Generation tool.

11:56.000 --> 11:57.000
Only a few.

11:57.000 --> 11:59.000
The location where you find it.

11:59.000 --> 12:01.000
Three people.

12:01.000 --> 12:03.000
Primary component.

12:03.000 --> 12:04.000
Wow.

12:04.000 --> 12:08.000
This is actually important, because you refer to what

12:08.000 --> 12:10.000
the component is referring to.

12:10.000 --> 12:12.000
Like, we need that one.

12:12.000 --> 12:15.000
So if you didn't clap now, you need to read up.

12:15.000 --> 12:17.000
Sorry.

12:17.000 --> 12:19.000
SBOM release.

12:19.000 --> 12:21.000
Nobody knows what it means.

12:21.000 --> 12:23.000
Serial number.

12:23.000 --> 12:24.000
Okay.

12:24.000 --> 12:25.000
Sure.

12:25.000 --> 12:27.000
We might want to detect changes between SBOMs.

12:27.000 --> 12:29.000
Some of us want this type.

12:29.000 --> 12:30.000
SBOM types.

12:30.000 --> 12:32.000
There's an ecosystem,

12:32.000 --> 12:37.000
and then we have different SBOMs at different places in the ecosystem.

12:37.000 --> 12:41.000
How about the stuff that the open source steward requires,

12:41.000 --> 12:45.000
"intended for commercial use"?

12:45.000 --> 12:47.000
Three people.

12:47.000 --> 12:50.000
Who is the open source steward?

12:50.000 --> 12:51.000
Three.

12:51.000 --> 12:53.000
Security attestations.

12:53.000 --> 12:54.000
Five.

12:54.000 --> 12:55.000
Maybe six.

12:55.000 --> 12:56.000
Awesome.

12:56.000 --> 12:59.000
How about the manufacturer attributes from the Cyber Resilience Act?

12:59.000 --> 13:04.000
In fact, they need to know who the conformity assessment bodies are.

13:05.000 --> 13:06.000
One person.

13:06.000 --> 13:09.000
They need a link to the declaration of conformity.

13:09.000 --> 13:10.000
Five.

13:10.000 --> 13:11.000
Yeah.

13:11.000 --> 13:13.000
How about the support end date?

13:13.000 --> 13:14.000
Is that useful?

13:14.000 --> 13:16.000
How about the technical documentation?

13:16.000 --> 13:17.000
Yeah.

13:17.000 --> 13:18.000
Some of them like that.

13:18.000 --> 13:20.000
Authorised representative.

13:20.000 --> 13:24.000
Not very attractive metadata fields here.

13:24.000 --> 13:26.000
It's too bad.

13:26.000 --> 13:30.000
How about special attributes for integrators in Germany?

13:30.000 --> 13:31.000
Like:

13:31.000 --> 13:33.000
The executable property.

13:33.000 --> 13:34.000
One person.

13:34.000 --> 13:36.000
The archive property.

13:36.000 --> 13:37.000
Nobody.

13:37.000 --> 13:39.000
Structured property.

13:39.000 --> 13:43.000
This is required by the BSI.

13:43.000 --> 13:50.000
to be included in SBOMs that are delivered under German legislation.

13:50.000 --> 13:53.000
And it was published in September,

13:53.000 --> 13:56.000
Version 2.0.

13:56.000 --> 13:58.000
But still,

13:58.000 --> 14:01.000
even if it's for specific use cases,

14:01.000 --> 14:04.000
The tooling needs to support it.

14:04.000 --> 14:06.000
because it comes from somewhere.

14:06.000 --> 14:08.000
The information needs to be stored.

14:08.000 --> 14:11.000
The metadata needs to be shown in the websites.

14:11.000 --> 14:12.000
It needs to be found.

14:12.000 --> 14:14.000
It needs to be indexed.

14:14.000 --> 14:16.000
All that stuff.

14:16.000 --> 14:17.000
This implies work.

14:17.000 --> 14:18.000
How about in India?

14:18.000 --> 14:22.000
The special attributes for the integrators in the financial sector?

14:22.000 --> 14:26.000
They want to have known and unknown dependencies.

14:26.000 --> 14:27.000
Could be useful.

14:28.000 --> 14:31.000
What encryption is used?

14:31.000 --> 14:35.000
How about the frequency of updates?

14:35.000 --> 14:39.000
Access control information in the SBOM.

14:39.000 --> 14:41.000
One person likes that.

14:41.000 --> 14:43.000
Methods for accommodating errors.

14:43.000 --> 14:48.000
This is required from the Indian financial sector.

14:48.000 --> 14:49.000
Yeah.

14:49.000 --> 14:50.000
So that's,

14:50.000 --> 14:51.000
Yeah.

14:51.000 --> 14:52.000
No claps for that.

14:52.000 --> 14:54.000
So there's a point to this for me,

14:54.000 --> 14:59.000
in addition to giving you a chance to move a little bit at the end of a long day,

14:59.000 --> 15:04.000
so you're not going to sleep

15:04.000 --> 15:10.000
after the two days of intense FOSDEM.

15:10.000 --> 15:14.000
There are also things in there that are important.

15:14.000 --> 15:16.000
And here are some optional attributes.

15:16.000 --> 15:18.000
Nobody's asking for them.

15:18.000 --> 15:23.000
Who thinks a download location for where you got your artifact is useful?

15:23.000 --> 15:24.000
Quite a lot.

15:24.000 --> 15:29.000
Who would think commit information would help you find security issues?

15:29.000 --> 15:30.000
Almost everybody.

15:30.000 --> 15:34.000
Who thinks that having a link to the code repository would be useful?

15:34.000 --> 15:35.000
Yes.

15:35.000 --> 15:36.000
Yes.

15:36.000 --> 15:39.000
Nobody asked for this.

15:39.000 --> 15:42.000
None of the regulations say this is important.

15:42.000 --> 15:43.000
So there is a mismatch here,

15:43.000 --> 15:46.000
which is super important that we are aware of.

15:46.000 --> 15:50.000
So I'm going to break a big rule here.

15:50.000 --> 15:53.000
I'm going to ignore you,

15:53.000 --> 16:00.000
the audience, and instead go to the camera and say: dear regulators, dear regulators,

16:00.000 --> 16:04.000
welcome to the open source community.

16:04.000 --> 16:08.000
We are many; we're much more numerous than you are.

16:08.000 --> 16:12.000
We are everywhere because open source is not a country phenomenon.

16:12.000 --> 16:14.000
It's a universal phenomenon.

16:14.000 --> 16:18.000
You can find open source people on all continents, in Antarctica.

16:18.000 --> 16:23.000
You can find open source people in space, everywhere.

16:23.000 --> 16:28.000
So of course, we'd like to support everyone.

16:28.000 --> 16:34.000
And when you as a regulator say, I want this, and another regulator says, I want this other thing,

16:34.000 --> 16:40.000
and the third one, we have 200 and what, 30 countries on this planet, and each one of them would like their own special little thing,

16:40.000 --> 16:44.000
because it's special, or they have a special need for their specificity.

16:44.000 --> 16:54.000
The ecosystems have to support all of it if it's going to be useful in your legislation, in your regulatory area.

16:54.000 --> 16:56.000
And that is not tenable.

16:56.000 --> 16:59.000
That's not useful because we are volunteers.

16:59.000 --> 17:03.000
We don't work for free.

17:03.000 --> 17:05.000
This is not the same thing.

17:05.000 --> 17:08.000
Volunteering is not the same thing as working for free.

17:09.000 --> 17:17.000
You share out of your own free will, because you want to help somebody, or you want to do something which you can be proud of, or things like that.

17:17.000 --> 17:21.000
The set of motivations is usually outside of money, and it has worked.

17:21.000 --> 17:27.000
We have 20 or 30 years of open source now, and free software, that has proven this model works.

17:27.000 --> 17:30.000
So you can play along with the model, or think you can do better.

17:30.000 --> 17:35.000
I can hint to you now: it's better if you just become a part of the open source community,

17:35.000 --> 17:38.000
and do it all the way, because it has worked.

17:38.000 --> 17:40.000
It's really good actually.

17:40.000 --> 17:47.000
So your contributions are welcome, well volunteered, but not all of them.

17:47.000 --> 17:53.000
So do like NTIA and CISA, and focus on the minimum of stuff.

17:53.000 --> 17:59.000
When NTIA published their minimum elements, that was the right thing to do.

17:59.000 --> 18:05.000
They just found out what is the absolute minimum of metadata that can be required,

18:05.000 --> 18:08.000
and that we need for everything to be useful and functional.

18:08.000 --> 18:12.000
And CISA recently updated that list.

18:12.000 --> 18:15.000
Still good stuff, but please don't be creative.

18:15.000 --> 18:22.000
Because somebody else has to do the work, unless you make pull requests, and of course that would be awesome.

18:22.000 --> 18:25.000
But nobody expects that from you guys.

18:25.000 --> 18:28.000
So well volunteered.

18:29.000 --> 18:32.000
There is time for some questions and comments.

18:32.000 --> 18:34.000
That's all right.

18:34.000 --> 18:40.000
And before we stop completely, there are references.

18:40.000 --> 18:42.000
And thank you.

