-
Hi 👋
I'm Ian, working on behalf of Google and the [Open Source Security Foundation (OpenSSF)](https://openssf.org/) to help open source projects improve their supply chain security.
After so…
-
We are now in Q4 of 2024, and [per SPEC0, it's time to drop support for Python 3.10](https://scientific-python.org/specs/spec-0000/#2024---quarter-4). We still support 3.9, so perhaps we should drop 3…
-
The first couple of pages of the layout wizard provide *common* software supply chain tools for versioning, building, quality assurance and packaging, for the user to choose from.
The tool collectio…
-
Hi - I'm writing from Ion Channel, a cybersecurity firm that monitors the software supply chain for U.S. critical infrastructure. In response to information on the escalating prevalence of software de…
-
Open Source is everywhere. It is in many proprietary codebases and community projects. For organizations and individuals, the question today is not whether you are or are not using open-source code, b…
-
Per #255 and the reference PR, support for v1 tarball was added, which steps in this direction. However, it does not include multiple blobs, or the original manifest or index, which the spec at https:…
-
Add support to score SBOM generated in SWID format
> SWID tags can be used as an SBOM, since they provide identifying information for a software
> component, a listing of files and cryptographic…
-
* https://en.wikipedia.org/wiki/List_of_software_package_management_systems
* https://en.wikipedia.org/wiki/Category:Software_distribution_platforms
* https://en.wikipedia.org/wiki/List_of_mobile_so…
-
Adding Pandoc version used in our tool as API endpoint info
Possible solutions:
- Add information RStudio IDE JSON https://www.rstudio.com/wp-content/downloads.json
- Add information in our JSO…
-
I love Ventoy but unfortunately there are numerous valid and serious concerns about it. I know uBlue cares about supply chain security so I figured I would call this out since it was brought to my att…