Episode 410

Episode 410 - Package identifiers are really hard

Open Source Security · Open Source Security

January 8, 202431m 52s

Audio is streamed directly from the publisher (traffic.libsyn.com) as published in their RSS feed. Play Podcasts does not host this file. Rights-holders can request removal through the copyright & takedown page.

Original episode page

Show Notes

Josh and Kurt talk about package identifiers. We break this down in the context of an OpenSSF response to a CISA paper on software identifications. The identifiers that get all the air time are purl, CPE, SWID, and OmniBOR. This is a surprisingly complex problem space. It feels easy, but it's not.

Show Notes

OpenSSF CISA response
purl
CPE
OmniBOR
SWID

← All episodes of Open Source Security