ElaCon 2025

The world runs on open source software (OSS), a nearly-invisible public good that enables nearly all internet-connected systems. It is now widely understood that vulnerabilities & backdoors in OSS libraries create public risk, which has led world governments to "get involved" in OSS in various ways. For example, new EU regulation aims to encourage responsible upstream participation in order to improve cybersecurity in the marketplace, and many governments now require some degree of disclosure of the composition of software (i.e., the SBOM) in order to mitigate supply chain risks.

However, two interdependent technical flaws remain unaddressed by current tools: (1) software composition cannot be accurately calculated retroactively, and (2) human-readable software identifiers (e.g., name+version+vendor) are the primary key of SBOMs, and are dangerously imprecise at the scale of OSS. These two factors create an unmanageable risk for governments.

Addressing this requires a foundational shift in how software is built -- we must start calculating software composition at build time, and recording composition with intrinsic identifiers in addition to human-readable names. We must also do this without burdening the OSS community with additional costs, or else any such requirement will remain unmet.

In this talk, I will show that we are close to a solution and how you can help.