
What's in the SOSS? An OpenSSF Podcast
SBOM Chaos and Software Sovereignty: The Hidden Challenges Facing Open Source with Stephanie Domas (Canonical)
Nov 19, 2025
In this discussion, Stephanie Domas, Chief Security Officer at Canonical, examines the pressing challenges facing open source, including the complexities of third-party security patching and the implications of the EU Cyber Resilience Act. She highlights the importance of SBOMs and the risks posed by software sovereignty and geographic code restrictions. Domas also emphasizes the need for transparency in building trust and addresses the dangers of relying on single maintainers. Join her call to action for collaborative solutions in the OpenSSF!
Ubuntu Adds sudo-rs For Safety
- Canonical will include sudo-rs, a Rust implementation of sudo, in the next Ubuntu LTS to boost memory safety.
- Stephanie Domas highlights this as part of replacing core components with memory-safe alternatives.
SBOM Versioning Crisis
- SBOMs face a versioning crisis as third-party security patches break semantic versioning and confuse vulnerability scanners.
- Stephanie Domas warns that custom, un-upstreamed patches will make SBOM version numbers unreliable for risk decisions.
Semantic Versioning Assumptions Fail
- Semantic versioning assumes upstream-managed patches, but external patch vendors break that assumption.
- This divergence can misrepresent a component's true security posture to downstream users.
