[Air-L] Webinars on software supply chain

Michiel Leenaars michiel.ml at nlnet.nl
Wed Apr 12 05:12:19 PDT 2023


Dear all,


I don't know if this is of interest to everyone on this list, but I believe it is to quite a few. NLnet and NGI Zero/NGI Assure are organising a series of webinars on *Open Software Supply Chain management*. As the dependency of society on technology continues to increase in every possible direction, it is of the utmost importance to understand the dynamic life cycle of the free and open source building blocks that form the basis of pretty much all technology we use today - and how these can be kept safe and available.

Not only do we need to improve our understanding of how and where software is developed, maintained, built and deprecated at macro scale - but we also need to create mechanisms to ensure that building blocks are kept up to date, that different versions don't collide, FOSS packages from public repositories have not "bit-rotted" or even worse: have been tampered with by malicious actors as part of a "supply chain attack". There has been an increasing attention to the fact that with software "eating the world", a healthy and robust software ecosystem should be a key societal (and thus political) priority. But at the same time, we should do so with full understanding of the highly specific nature of "digital commons" - as the controversy surrounding the upcoming Cyber Resilience Act clearly proves.

In this series of webinars by leading experts such as Armijn Hemel (Tjaldur), Shane Coughlan (OpenChain), Carlo Piana (OSI), Alberto Pianon (FSFE) and Philippe Ombredanne (AboutCode) we look at software supply chains from different angles. What do modern electronics supply chains look like, how is provenance handled - and how *should* it be handled? What mechanisms do we have to verify the integrity of deployed code packages and detect abnormal code changes that may be signs of malicious modifications and possible attacks? Where do "Software Bill of Materials" come into play? And what is being done, and perhaps should be done from a legislative and governance point of view?

The entire webinar series is available free of charge, and will allow you to take a deep dive into the hidden world behind the software and hardware we use - and will help you get a clear understanding of how open source supply chains work, and a grasp of what the policy challenges are.

You can join the webinars via this BigBlueButton link:

https://bbb.protagio.nl/b/ron-qed-tog-gey

Next up in this four-part webinar series is Philippe Ombredanne (a.o. https://aboutcode.org), who will give a talk this Thursday (April 13th 2023) from 13.00 - 14.30 on automated tooling to understand dependencies and handle vulnerabilities in an open and transparent manner.

Thursday April 13 // 13.00 - 14.30 CEST (Amsterdam, Berlin, Rome)

For more info see:

https://nlnet.nl/events/20230413/WebinarSoftwareSupplyChain-ep2

The other episodes in the webinar series on Open Software Supply Chain management are:

* Thursday May 4th 2023 // 13.00 - 14.30 CEST (Amsterdam, Berlin, Rome)

   - Speakers: Carlo Piana & Alberto Pianon.
   - Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe.
   - More info: https://nlnet.nl/events/20230504/WebinarSoftwareSupplyChain-ep3

* Thursday May 11th 2023 // 13.00 - 14.30 CEST (Amsterdam, Berlin, Rome)

   - Speaker: Shane Martin Coughlan
   - Topic: ISO standards and certification. (This talk was previously scheduled for April 27).
   - More info: https://nlnet.nl/events/20230511/WebinarSoftwareSupplyChain-ep4/index.html

The first episode with Armijn Hemel already took place on April 6th, with the topic of Open Source in (Consumer) Electronics Supply Chains. You can find the link to the recording here:

https://nlnet.nl/events/20230406/WebinarSoftwareSupplyChain

Looking forward to seeing you there!

The NLnet team

PS. This email is not digitally signed because the mailing list for some reason is configured such that it rejects mails that are.