Webinar on Open Software Supply Chain Management: Armijn Hemel
Open Source in (Consumer) Electronics Supply Chains
Thursday, April 6, 2023. 13.00 - 14.30 CEST
Join us for the free online webinar with open source supply chain expert Armijn Hemel on April 6. He will provide a high-level overview of electronics supply chains and explain where these can fail in the context of software provenance. He will also briefly introduce some solutions that industry players are working on, both on the governance side and in tooling. The talk will be about 45 minutes, followed by a Q&A. If you don't have time for the Q&A, feel free to leave earlier. This talk is part of the webinar series The Ins and Outs of Open Software Supply Chain, hosted on Thursdays in April and May.
This webinar took place on April 6; you can watch the recording here: https://bbb.protagio.nl/playback/presentation/2.3/e156bbe10c5967b48f606f4ec5b14e818ba4877e-1680777009189
Failure in the supply chain and possible solutions
In the past two decades the (consumer) electronics industry has made a dramatic switch to open source software. These days nearly all Internet-connected devices run on some open source operating system, mostly Linux (including Android) or Zephyr (an RTOS for resource-constrained devices). The way these devices are made has led to a massive drop in price for end consumers, but the model has also led to corners being cut when it comes to determining and preserving software provenance. Many companies would not even know where to start and have no idea what they are shipping. This leads to devices being shipped with old and vulnerable software unnecessarily, with the costs of those vulnerabilities borne by the end consumers rather than by the companies that made the decision to ship old and vulnerable software.
Armijn Hemel will provide a high-level overview of electronics supply chains and explain where these can fail in the context of software provenance. He will also briefly introduce some solutions that industry players are working on, both on the governance side and in tooling.
About Armijn Hemel
Armijn Hemel, MSc, is the owner of Tjaldur Software Governance Solutions. Mr Hemel studied computer science at Utrecht University, where he explored reproducible builds by building the first prototype of NixOS, a Linux distribution built around the Nix build system, in which reproducibility and provenance are central. Since 2005 he has focused on open source license compliance and supply chain management in the (consumer) electronics industry, first on the license enforcement side as part of gpl-violations.org, and later (more effectively) as a consultant helping companies come into compliance, fight off copyright trolls and improve their processes. Mr Hemel has co-written academic research papers (MSR 2011, WCRE 2012, ASE 2014), made various open source tools for firmware reverse engineering and license compliance, and frequently talks at (industry) conferences about supply chain management in the (consumer) electronics industry. In the past he has served on the boards of NLUUG and the NixOS Foundation.
Webinar series: The Ins and Outs of Open Software Supply Chain
Armijn Hemel's talk will be the first in a series of webinars about open source supply chain management. The series will explore topics such as the software bill of materials, legal consequences, tooling, and the Cyber Resilience Act.
Other talks in this series:
- April 13: Philippe Ombredanne. [ watch recording ] Topic: Tooling.
- May 4: Carlo Piana & Alberto Pianon. [ watch recording ] Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe.
- May 11: Shane Martin Coughlan. [ watch recording ] Topic: ISO standards and certification.
All episodes start at 13.00 CEST (Amsterdam, Berlin, Rome).
Software Bill of Materials
The Software Bill of Materials (SBOM) is a critical component of open source software development. It is a list of all the components that make up a software product and provides important information about the license and dependencies of each component. In our webinars, we'll discuss how to create an SBOM and why it's important for your organization.
Tooling
We will also discuss tooling in the open source software supply chain. From automated testing to vulnerability scanning, we'll show you the tools that can help you streamline your development process and ensure that your software is secure.
Cyber Resilience Act
We'll also explore the Cyber Resilience Act, which aims to improve the security and resilience of software and services within the European Union. This Act could be of particular importance for organizations that use open source software in their products.
How to join
The online webinar series will take place on Thursdays April 6, April 13, May 4 and May 11, 2023, from 13.00 to 14.30 CEST (Amsterdam, Berlin, Rome). Each talk will take about 45 minutes, followed by a Q&A. If you don't have time for the Q&A, feel free to leave earlier. Join us for these informative webinars to learn from experts in the field and connect with like-minded individuals. You can register for any or all of the webinars in the series by sending an e-mail to webinars@nlnet.nl.
The series will be in English and will be hosted on BigBlueButton, an open source web conferencing framework which is actively supported by NGI Zero to add end-to-end encrypted chat.
Related NGI projects
- Binary-analysis-ng improvements: BANG is a tool to analyse firmware and other binary files.
- FOSS Code Supply Chain Assurance: Mitigate attacks through software dependencies.
- Free Software Vulnerability Database: A resource to aggregate software updates.