This is in response to the growing requirement for a "Software Bill Of
Materials".
The current trend is to require ALL references to ALL software used anywhere
in your source tree or required to run your code.

Europe has the EU Cyber Resilience Act. The U.S. has an Executive Order.
https://bell-sw.com/blog/u-s-and-eu-regulations-are-demanding-a-software-bill-of-materials-sbom/

So, for example, if you use automake you need to provide a tree entry for 
automake as well as all of the trees that automake requires. Similar entries
are required for X, Latex, tar, and other tools. Changing a tool or version
requires updating the SBOM. Replacing X11 with Wayland would require
a new subtree for Wayland as well as the old X11 as the repo still has an
old X11 version available in history.

It should be clear why there are 18068 entries in their SBOM.

There are "recognized formats" for including and storing the SBOM.

With enough pressure on Microsoft, the owner of github, I expect they will
require an SBOM on all repositories in the near future.

Tim


(NOTE: the following seems wildly off-topic but you need to understand why
things like SBOMs are vital. It is not enough to write free code these days.
The code you write is dangerous.)

This all seems ridiculous to any software developer. But if you use an old
version of some HTML thing to create your book PDF it is entirely possible
that your software is responsible for including a bug that brings down the
power network, banking infrastructure, or other vital services. It takes a
very long time to figure out that MathCAD used your code to create an image
that contains malware that infects every computer that displays the image.
(I spent a decade doing cyber-security and malware research.)

The world is at war right now, you just don't see it. For example,
https://therecord.media/cosmicenergy-malware-russia-critical-infrastructure-power-grid
or another example
https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
and even software that can cause physical damage that could take a year to repair
https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/

You could be responsible for destroying worldwide shipping.
https://community.mis.temple.edu/mis5214sec005spring2021/files/2020/03/MIS5214_Unit8_CaseStudy2_Maersk.pdf

It's not you, right? You're just using Latex (an attack vector) to convert to
PDF (an attack vector) and include text in the image (an attack vector)
which will create an image (an attack vector) that will be displayed on the
homepage (an attack vector). Surely you checked the SBOM against the
known attack vectors versions to ensure you're not including malware, right?
Nah, images are harmless.

On Saturday, July 6, 2024 at 8:07:26 AM UTC-4 oldk1331 wrote:

> Some updates:
>
> 1. Attribution:
>
> In the "About" window of MathCAD, it points to a local html page,
> which points to www.ptc.com/support/go/open-source-software,
> which requires login to see! After login, it points to a
> 1MB spreadsheet PTC_All_Use_Of_OSS.xlsx, FriCAS is shown
> as the 3373-th item.
>
> (There's 18086 items in total. This is not just MathCAD
> dependencies, but all PTC products. Also one open source
> project can correspond to multiple lines in this spreadsheet.)
>
> 2. License:
>
> Grep can't find even "BSD" or "GPL" in the installation directory.
> Only one mention of "MIT" in "font-awesome.css".
>
> I guess they are getting away from including open source licenses
> by some fine details in
>
> https://www.ptc.com/en/documents/legal-agreements/on-premise-license-agreements
>
> - Qian
>
> On 7/3/24 18:19, Qian Yun wrote:
> > MathCAD, since version Prime 6 (in 2019), uses FriCAS as its
> > symbolic engine, replacing mupad/maple.
> > 
> > I took a look at its latest version Prime 10 (in 2024), and
> > found that it bundles [2] a copy of fricas-1.3.2 (released in 2017)
> > with sbcl-1.4.2, with additional 82 NRLIB directory [3]
> > (which means 82 new domains), around 4600 signatures, [4]
> > which, determined by their names, are mostly wrapper functions.
> > 
> > Well, generally this feels a bit strange on multiple levels:
> > 1. they use such an old version
> > 2. they don't send bugs or upstream fixes to us
> > 
> > - Qian
> > 
> > [1] https://en.wikipedia.org/wiki/Mathcad
> > [2] The checksums of *daase are the same as fricas-1.3.2-full.tar.bz2
> > [3] they are loaded by ")lib" in initial input file.
> > [4] grep SIGNATURE *NRLIB/index.KAF | wc
>

-- 
You received this message because you are subscribed to the Google Groups 
"FriCAS - computer algebra system" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/fricas-devel/9f141d94-5d3f-4a8c-971c-69fdf9d50c4bn%40googlegroups.com.
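The thread turns on two checks nobody in it actually ran: is every bundled component in the SBOM at an acceptable version, and does every component carry a declared license. The script below is an added example, not code from the thread, from the FriCAS project, or from PTC. The SBOM it reads is a CycloneDX JSON document constructed inline from facts stated above (MathCAD Prime 10 bundles fricas-1.3.2 and sbcl-1.4.2, and font-awesome.css is the one file mentioning MIT); the font-awesome version number and the minimum-version policy values are hypothetical, as is the assumption that the bundle's SBOM would be in CycloneDX rather than SPDX.

```python
"""Check a CycloneDX-style SBOM against a minimum-version and license policy.

Added example; not code from the FriCAS project, PTC or the thread's author.
SBOM_JSON is constructed from facts in the thread; MIN_VERSION and the
font-awesome version are hypothetical placeholders.
"""
import json
import re

# Constructed CycloneDX 1.5 document; only the fields this script needs.
# fricas 1.3.2 / sbcl 1.4.2 come from the thread; font-awesome 4.7.0 is assumed.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fricas", "version": "1.3.2",
     "purl": "pkg:generic/fricas@1.3.2"},
    {"type": "library", "name": "sbcl", "version": "1.4.2",
     "purl": "pkg:generic/sbcl@1.4.2"},
    {"type": "library", "name": "font-awesome", "version": "4.7.0",
     "purl": "pkg:npm/font-awesome@4.7.0",
     "licenses": [{"license": {"id": "MIT"}}]}
  ]
}
"""

# Hypothetical policy: component name -> oldest version the release gate accepts.
MIN_VERSION = {"fricas": "1.3.11", "sbcl": "2.0.0", "font-awesome": "4.7.0"}


def parse_version(v):
    """Turn '1.3.2' into a comparable tuple; numeric pieces compare as ints,
    and any non-numeric piece (e.g. 'rc1') sorts below every number."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def load_components(sbom_text):
    """Parse the document and refuse anything that is not CycloneDX."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def check_sbom(sbom_text, policy):
    """Return (name, version, reason) findings: one for each component that
    is absent from the policy or older than its minimum, and one for each
    component with no declared license."""
    findings = []
    for comp in load_components(sbom_text):
        name, version = comp["name"], comp["version"]
        minimum = policy.get(name)
        if minimum is None:
            findings.append((name, version, "not in policy: unreviewed component"))
        elif parse_version(version) < parse_version(minimum):
            findings.append((name, version, f"below minimum {minimum}"))
        if not comp.get("licenses"):
            findings.append((name, version, "no license declared"))
    return findings


if __name__ == "__main__":
    for name, version, reason in check_sbom(SBOM_JSON, MIN_VERSION):
        print(f"{name} {version}: {reason}")
```

Run as a script it prints four findings: both fricas 1.3.2 and sbcl 1.4.2 fall below the (hypothetical) minimums and neither declares a license, while font-awesome passes. The version comparison deliberately avoids string comparison, since "1.3.2" > "1.3.11" lexically; a real gate would replace the hand-written policy with a vulnerability feed keyed on the purl.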