The Open Source Security Foundation (OpenSSF) announced at the European Open Source Summit that they have the funding needed to implement SBOM Everywhere, with plans to bring the Software Bill of Materials (SBOM) to all programming languages and frameworks, starting with Python.
Its goal is to improve the resilience and security of all open source software, and its first concrete step was to fund work on the Software Package Data Exchange (SPDX) Python library. Work on the project began on September 1.
According to the announcement, SPDX is the ISO standard (ISO/IEC 5962:2021) for describing an SBOM. Python already has an SPDX library, but it has fallen out of date for lack of maintainers. Josh Bressers, Anchore VP of Security, and Kate Stewart, SPDX Technical Lead, explained: “The SPDX python library needs to be updated to bring it into line with more modern SPDX releases; and the code needs to be made into something more maintainable to reduce the difficulty of community contributions. The SPDX python library doesn’t have volunteers with the proper skills or funding to do the job. However, OpenSSF does have the funding to make it happen.”
Once that work is done, it will be much easier to produce an SBOM for any Python program, and an accurate inventory of what a program ships with is in turn what lets you find vulnerable or unlicensed dependencies in it.
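To make concrete what such a library has to produce, here is an added example (not code from the SPDX Python library or from OpenSSF) that assembles a minimal SPDX 2.3 JSON document for a Python package and its direct dependencies using only the standard library, then runs the structural checks a consumer would apply before trusting it. The tool name, document namespace and the sample package set are constructed for illustration; `installed_package` shows how the same element could be filled from the running interpreter's metadata.

```python
"""Build and sanity-check a minimal SPDX 2.3 JSON SBOM for a Python package."""
import json
import re
from datetime import datetime, timezone
from importlib import metadata

# SPDX 2.3: identifiers are "SPDXRef-" followed by letters, digits, '.' and '-'.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")
REQUIRED_DOC_FIELDS = ("spdxVersion", "dataLicense", "SPDXID", "name",
                       "documentNamespace", "creationInfo", "packages")
REQUIRED_PKG_FIELDS = ("name", "SPDXID", "downloadLocation")

# Constructed sample inputs (hypothetical app; versions are illustrative only).
SAMPLE_ROOT = ("example-app", "1.0.0", "MIT")
SAMPLE_DEPS = [("requests", "2.28.1", "Apache-2.0"), ("urllib3", "1.26.12", "MIT")]


def spdx_id(name, version):
    """Derive a legal SPDX identifier from a package name and version."""
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{name}-{version}")


def package_element(name, version, license_expr="NOASSERTION"):
    """One SPDX package element with a PyPI purl so scanners can map it to advisories."""
    return {
        "name": name,
        "SPDXID": spdx_id(name, version),
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",   # origin not verified here, so say so
        "filesAnalyzed": False,
        "licenseConcluded": license_expr,
        "licenseDeclared": license_expr,
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": f"pkg:pypi/{name.lower()}@{version}",
        }],
    }


def installed_package(dist_name):
    """(name, version, license) for an installed distribution, or None if absent.
    The license is left as NOASSERTION: wheel metadata is free text, not an SPDX expression."""
    try:
        dist = metadata.distribution(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return (dist.metadata["Name"], dist.version, "NOASSERTION")


def build_sbom(root, deps, namespace, created=""):
    """Assemble an SPDX 2.3 document describing `root` and its direct dependencies."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root_pkg = package_element(*root)
    packages = [root_pkg] + [package_element(*dep) for dep in deps]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT",
                      "relationshipType": "DESCRIBES",
                      "relatedSpdxElement": root_pkg["SPDXID"]}]
    for pkg in packages[1:]:
        relationships.append({"spdxElementId": root_pkg["SPDXID"],
                              "relationshipType": "DEPENDS_ON",
                              "relatedSpdxElement": pkg["SPDXID"]})
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",            # fixed by the spec for document metadata
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{root[0]}-{root[1]}",
        "documentNamespace": namespace,      # must be unique per document
        "creationInfo": {"created": created, "creators": ["Tool: sbom-example-0.1"]},
        "packages": packages,
        "relationships": relationships,
    }


def validate_sbom(doc):
    """Structural checks before trusting an SBOM; returns a list of problems (empty = ok)."""
    problems = []
    for field in REQUIRED_DOC_FIELDS:
        if field not in doc:
            problems.append(f"missing document field {field}")
    ids = {doc.get("SPDXID")}
    for pkg in doc.get("packages", []):
        for field in REQUIRED_PKG_FIELDS:
            if field not in pkg:
                problems.append(f"package {pkg.get('name')} missing {field}")
        pid = pkg.get("SPDXID", "")
        if not SPDX_ID_RE.match(pid):
            problems.append(f"illegal SPDXID {pid!r}")
        if pid in ids:
            problems.append(f"duplicate SPDXID {pid}")
        ids.add(pid)
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            if rel.get(key) not in ids:
                problems.append(f"relationship references unknown element {rel.get(key)}")
    return problems


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_ROOT, SAMPLE_DEPS, "https://example.invalid/spdx/example-app-1.0.0")
    print(json.dumps(sbom, indent=2))
    print("problems:", validate_sbom(sbom))
```

The purl on each package is what makes the document actionable: vulnerability scanners match `pkg:pypi/name@version` against advisory data, so an SBOM whose packages carry only a free-text name is far less useful than one with a resolvable identifier. The validation step catches the errors that most often make generated SBOMs unusable downstream: illegal or duplicated identifiers and relationships pointing at elements that do not exist.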
OpenSSF said that paying for the code improvements does not mean it will control the SPDX Python library; that is not its purpose, and, according to the announcement, the relevant leadership decisions remain with the Python Software Foundation and Python's creator Guido van Rossum. OpenSSF's reasoning is that protecting all open source software “will benefit not just OpenSSF, but the entire open source community.”
Brian Behlendorf, general manager of OpenSSF, said that more languages will get the support they need to make SBOM generation part of their managed development pipelines, but that this will take time and should not be expected soon.