
SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security

Author: Kate Stewart, VP of Dependable Systems, The Linux Foundation

In a previous Linux Foundation blog, David A. Wheeler, director of LF Supply Chain Security, discussed how capabilities built by Linux Foundation communities can be used to address the software supply chain security requirements set by the US Executive Order on Cybersecurity. 

One of those capabilities, SPDX, completely addresses the Executive Order's section 4(e), 4(f) and 10(j) requirements for a Software Bill of Materials (SBOM). The SPDX specification is implemented as a file format that identifies the software components within a larger piece of computer software, together with metadata such as the licenses of those components. 

SPDX is an open standard for communicating software bill of material (SBOM) information, including components, licenses, copyrights, and security references. It has a rich ecosystem of existing tools that provides a common format for companies and communities to share important data to streamline and improve the identification and monitoring of software.

SBOMs have numerous use cases. They have frequently been used in areas such as license compliance but are equally useful in security, export control, and broader processes such as mergers and acquisitions (M&A) or venture capital investments. SPDX maintains an active community to support these various uses, modeling its governance and activity on the same format that has successfully supported open source software projects over the past three decades.

The LF has been developing and refining SPDX for over ten years and has seen extensive uptake by companies and projects in the software industry.  Notable recent examples are the contributions by companies such as Hitachi, Fujitsu, and Toshiba in furthering the standard via optional profiles like “SPDX Lite” in the SPDX 2.2 specification release and in support of the SPDX SBOMs in proprietary and open source automation solutions. 

This de facto standard has been submitted to ISO via the Joint Development Foundation using the PAS Transposition process of Joint Technical Committee 1 (JTC1). It is currently in the enquiry phase of the process and can be reviewed on the ISO website as ISO/IEC DIS 5962.

There is a wide range of open source tooling, and commercial tool options are available today, with more emerging. Companies such as FOSSID and Synopsys have been working with the SPDX format for several years. Open source tools like FOSSology (source code analysis), OSS Review Toolkit (generation from CI and build infrastructure), Tern (container content analysis), Quartermaster (build extensions), and ScanCode (source code analysis), in addition to the SPDX-tools project, have standardized on SPDX for interchange and also participate in the Automated Compliance Tooling (ACT) Project Umbrella. ACT was discussed as a community-driven solution for software supply chain security remediation in our synopsis of the findings of the Vulnerabilities in the Core study, published by the Linux Foundation and Harvard University LISH in February 2020.

One thing is clear: A software bill of materials that can be shared without friction between different teams and companies will be a core part of software development and deployment in this coming decade. The sharing of software metadata will take different forms, including manual and automated reviews, but the core structures will remain the same. 

Standardization in this field, as in others, is the key to success. This domain has an advantage in that we are benefiting from an entire decade of prior work in SPDX. Therefore the process becomes the implementation of this standard to the various domains rather than the creation, expansion, or additional refinement of new or budding approaches to the matter.

Start using the SPDX specification here: https://spdx.github.io/spdx-spec/. Development of the next revision is underway, so if there’s a use case you can’t represent with the current specification, open an issue; this is the right window for input.

To learn more about the many facets of the SPDX project see: https://spdx.dev/

The post SPDX: It’s Already in Use for Global Software Bill of Materials (SBOM) and Supply Chain Security appeared first on Linux Foundation.

Oracle Ampere A1 Compute tuning for advanced users

Advanced tuning techniques for Oracle Ampere A1 instances.

Click to Read More at Oracle Linux Kernel Development


Free Course Explores WebAssembly Modules from the Cloud to the Edge

With our world being increasingly driven by apps and the microservices that support them, adoption of WebAssembly (Wasm) continues to accelerate. WebAssembly is a stack-based virtual machine that can greatly improve the performance and capabilities of websites and, despite the name, nearly any other kind of non-web platform you can imagine.

Besides making browsers much more powerful, this technology may extend beyond the scope of mere websites. It isn’t just for browsers; Wasm is currently being used in cloud, mobile, low-level networking, and edge-based environments.

This is why The Linux Foundation is today releasing a new, free, online training course, WebAssembly Actors: From Cloud to Edge (LFD134x). The course explores the portability, efficiency, and security of WebAssembly modules and how to leverage a number of open source frameworks to create distributed and seamlessly connected actors that can be deployed in a browser, on a laptop, in the cloud, on a Raspberry Pi, or practically anywhere.

This course is designed for developers who have built or are building microservices and have experienced a high degree of friction in cloud native application development. Developers looking to embrace the simplicity of Functions as a Service (FaaS) without the overhead of cloud providers or sacrificing the ability to experiment and test locally and in any other environment will gain significant value from this course.

Kevin Hoffman, the author of “Programming WebAssembly with Rust”, “Cloud Native Go”, and over a dozen books on various aspects of the .NET Framework, created this course. He has presented at a number of conferences and events over the past 2 years on WebAssembly, and at dozens of previous conferences on everything from .NET to Spring Boot to Redis and even at Apple’s WWDC.

The course is free to audit on edX.org for seven weeks, or a verified certification of completion is available for a fee, which includes a full year of course access. Enroll today and start improving your cloud native application development with Wasm!

The post Free Course Explores WebAssembly Modules from the Cloud to the Edge appeared first on Linux Foundation – Training.

Please Participate In Hyperledger’s 2021 Blockchain Brand Survey

Together with Linux Foundation Research, Hyperledger is conducting a survey to measure the market awareness and perceptions of Hyperledger and its projects relative to other blockchain platforms used in the technology industry, specifically identifying myths and misperceptions. Additionally, the survey seeks to help Hyperledger articulate the perceived time to production readiness for products and understand motivations for developers that both use and contribute to Hyperledger technologies.

  • Participants who complete the survey will receive a 50 percent discount on attendance to Hyperledger Global Forum, June 8-10, 2021
  • Please participate now; we intend to close the survey in early June. 
  • Privacy and confidentiality are important to us. Neither participant names, nor their company names, will be displayed in the final results. 
  • This survey should take no more than 20 minutes of your time.

Click here to access the Brand Survey

A beginner’s guide to creating redirects in an .htaccess file

Use the .htaccess file to manage web sites on shared web hosting platforms.
Read More at Enable Sysadmin

Analyzing cases for and against setting swap space on cloud instances

To swap or not to swap? That is the cloud question.
Major Hayden
Tue, 5/18/2021 at 2:28pm

Photo by Rakicevic Nenad from Pexels

If you want to start an argument with a Linux user, ask about swap memory. Some praise it as a cushion or as a safety net while others disparage it as a crutch and a destroyer of system performance. Born in the 1960s, swap memory has evolved over the years on Linux to serve two essential functions:

Read More at Enable Sysadmin

Enroll in Instructor-Led Training and You’ll Now Receive a Free Gift

We’ve heard from enrollees in our instructor-led training that they miss the Chromebook we previously provided with these course enrollments. So, effective immediately, we are offering you the chance to select a free gift if you enroll in one of our instructor-led training courses!

For those in the United States

Individuals in the USA who enroll in instructor-led training will be able to select from a variety of Linux-powered gifts from Best Buy. The options will change with time, but you should expect to be able to choose from things like:

  • Chromebooks
  • Android tablets
  • Fitness trackers
  • Smart watches
  • Smart speakers
  • And more!

After enrolling in your course, you will receive an email with a link where you’ll see all your options and can select the one that suits you best. 

For those outside the United States

Those outside the USA will receive a $300 refund on their course fees. This refund will be applied to the payment card used to purchase the training course. After much research, allowing our customers to use these funds to purchase something in their local market was more practical than trying to ship from the US and have to deal with long lead times, export restrictions and customs charges.

Click here to learn more about this great new benefit!

The post Enroll in Instructor-Led Training and You’ll Now Receive a Free Gift appeared first on Linux Foundation – Training.

7 Linux networking commands that every sysadmin should know

There are a few commands that should always be in your sysadmin toolbox. Get to know these 7 essential networking commands.
Read More at Enable Sysadmin

Enhancing Linux security with Advanced Intrusion Detection Environment (AIDE)

Part two of a multipart series covering Linux security.
Read More at Enable Sysadmin