Every organization or committee that designs a logo should be legally required to have at least one teenager on the board to prevent accidental goatse or other inadvertent blunders.
The standard is for software to report its own EOL / EOS status. The website you linked is the opposite direction - it's aggregating that status for a certain set of software.
I think it will take a while for people to realize this effort looked great, but wasn't the right approach. Or no silver bullet, at least.
The presentation with a simple diagram that combines this data with an sbom to yield "information" gives me navel gazing vibes of UML being the future of coding.
Just as architecture didn't equate to well designed and maintainable software, I fear this initiative won't fix horribly outdated and vulnerable deployments. Software life cycle, deprecation, abandonment, supply chains are mostly a process problem, standards and technology won't fix that.
It doesn't force someone who already wasn't checking their dependencies for CVEs / maintained-ness to start doing that. It does make someone who *was* doing that be able to show they're doing that in some standard way.
In other words it doesn't force you to add an SBOM + EOX checker step to your CI pipeline. But if your compliance auditor wants you to check your dependencies, adding such a standardized step makes it easier to satisfy the auditor.
JEDEC has long maintained an EOL/EOS standard for semiconductors. This was a big part of a previous PM gig. Sounds boring, and it was. But having a process kept us out of serious hot water.
I think the only large projects that presently take SBOMs seriously are Nix, Guix, and Go (non-cgo). Bootstrapping is non-trivial, but at least builds are reproducible and can be compared against existing binaries.
"Oh, just write plain C". Which compiler do you mean? GCC? LLVM/clang? On top of what OS/kernel? What firmware? Etc.
Hackbraten|9 months ago
Every organization or committee that designs a logo should be legally required to have at least one teenager on the board to prevent accidental goatse or other inadvertent blunders.
genter|9 months ago
T3OU-736|9 months ago
Arnavion|9 months ago
repelsteeltje|9 months ago
The presentation with a simple diagram that combines this data with an sbom to yield "information" gives me navel gazing vibes of UML being the future of coding.
Just as architecture didn't equate to well designed and maintainable software, I fear this initiative won't fix horribly outdated and vulnerable deployments. Software life cycle, deprecation, abandonment, supply chains are mostly a process problem, standards and technology won't fix that.
Arnavion|9 months ago
In other words it doesn't force you to add an SBOM + EOX checker step to your CI pipeline. But if your compliance auditor wants you to check your dependencies, adding such a standardized step makes it easier to satisfy the auditor.
wallrat|9 months ago
wpollock|9 months ago
mud_dauber|9 months ago
feldrim|9 months ago
rollcat|9 months ago
"Oh, just write plain C". Which compiler do you mean? GCC? LLVM/clang? On top of what OS/kernel? What firmware? Etc.