[00:00.000 --> 00:15.640]  So we're in the last stages of a Q&A. Are there questions that people have had during
[00:15.640 --> 00:22.800]  the day that they want to bring up and they didn't quite get to? Okay, we've got one question.
[00:23.120 --> 00:42.320]  So the question is what's the difference between Cyclone DX and SPDX? So I'd say that the Cyclone DX
[00:42.320 --> 00:48.560]  is focusing at the package level alone and at the metadata at the package level for the most
[00:48.680 --> 00:56.240]  part. Okay, SPDX can do the package level data and it can also look at the source files or in
[00:56.240 --> 01:02.200]  parts of source file snippets. So there's a different mental model underneath it. So at the
[01:02.200 --> 01:06.160]  package level, they are pretty much functionally equivalent and you should be able to interchange
[01:06.160 --> 01:12.160]  between the two. And there's work going on to help people interchange between the two. The
[01:12.160 --> 01:17.240]  challenge becomes is for your use cases, if you want something quick up, that's, you know,
[01:17.280 --> 01:23.240]  there's one solution. I think SPDX can do the same thing, but there's tooling and what you need.
[01:23.240 --> 01:30.080]  So it's a function of ecosystems and what your end goals are. I and some of the others that
[01:30.080 --> 01:35.520]  we're working here, we care about going towards safety, not just security. And we need that level
[01:35.520 --> 01:39.200]  of information. Others, if they're just going for the packages, that's a good starting point.
[01:39.200 --> 01:46.720]  I think one of the people I was working with in the SBOMS stuff a couple years ago said SBOMS
[01:46.720 --> 01:50.800]  are diamonds. There's a difference between industrial and engagement rings. All are good,
[01:50.800 --> 01:57.640]  though. I'll add value. So I will keep it at that. I know I can go into a lot more details of things,
[01:57.640 --> 01:58.920]  but that's not here.
[01:58.920 --> 02:03.920]  The product on DX has different components, so it has things like libraries and operating systems.
[02:03.920 --> 02:11.040]  That's actually in SPDX 2.3. We put it in there so we could round trip. Okay, go for it. Next question.
[02:11.040 --> 02:18.960]  We've got a lot of Cyclone DX people on here, too. Don't worry.
[02:42.040 --> 02:51.200]  We tried. It failed. So to summarize for the people online is it's a great chance we'll be getting
[02:51.200 --> 02:57.360]  the two standards to converge at some point in the future. We've been trying for two years. It's
[02:57.360 --> 03:09.120]  failed. Yeah, the audience, Elio is pointing out KDE versus GNOME. We have a long history of having
[03:09.120 --> 03:18.480]  multiple solutions for things in there. Yeah. The market will decide. The market will decide.
[03:18.480 --> 03:24.280]  The market has got to decide. Yeah, it's still happening today. The market didn't say anything.
[03:24.280 --> 03:25.280]  We're still having it.
[03:25.280 --> 03:31.040]  Those of you who are old enough to remember videotapes and stuff like that, the two standards,
[03:31.040 --> 03:38.080]  the best standard, lost because it was easier. The other one was easier to adopt. So it'll be
[03:38.240 --> 03:46.320]  not good. So you're telling us we shouldn't be putting effort and going into becoming an
[03:46.320 --> 03:51.040]  international standard. Is that what you're telling me? And we should just go and hack and put something
[03:51.040 --> 04:05.040]  out there and go. It needs major adopters, somebody major to adopt it. Microsoft?
[04:06.000 --> 04:08.000]  Yeah, it's already majorly adopted.
[04:08.000 --> 04:10.000]  Thank you, Clay.
[04:10.000 --> 04:14.000]  Prevent the market driver to not adopt it.
[04:14.000 --> 04:16.000]  Right.
[04:16.000 --> 04:18.000]  Prevent the market driver to adopt it.
[04:18.000 --> 04:20.000]  We should not prevent the market driver to adopt it.
[04:20.000 --> 04:22.000]  Yeah.
[04:22.000 --> 04:26.000]  Okay, next question.
[04:26.960 --> 04:28.960]  Next question.
[04:28.960 --> 04:34.960]  How is that specification process working? Is it just a good number of questions?
[04:34.960 --> 04:44.960]  We actually, so from the SPDX spec side, we have a variety of issues in GitHub.
[04:44.960 --> 04:48.960]  But realistically, the discussions happen on the mailing list and in the meetings.
[04:48.960 --> 04:54.960]  And at this point in time, the model is pretty close to done. I think the last issue was
[04:54.960 --> 04:58.960]  the entity issue, which we've talked about a little bit today.
[04:58.960 --> 05:06.960]  And so right now we are actively prototyping out serializations of that model to make sure we haven't forgotten something.
[05:06.960 --> 05:12.960]  And so you will, I don't think he's here, but there's some, there's other people there.
[05:12.960 --> 05:14.960]  Go ahead.
[05:14.960 --> 05:20.960]  The answer was about the SPDX version three, if that was the question.
[05:20.960 --> 05:26.960]  No, no, no. The question was general about how do we, how do we do specifications?
[05:26.960 --> 05:30.960]  Right. So, yeah, as Kate mentioned, there is a mailing list.
[05:30.960 --> 05:34.960]  There are GitHub repos and there is weekly phone calls, phone calls.
[05:34.960 --> 05:36.960]  Yeah. Okay.
[05:36.960 --> 05:38.960]  Weekly online meetings where we discuss all these things.
[05:38.960 --> 05:40.960]  The participation is open. We're welcome.
[05:40.960 --> 05:42.960]  Anyone is welcome?
[05:42.960 --> 05:44.960]  Yeah, please.
[05:44.960 --> 05:50.960]  We also have special interest working groups that are focusing on specific topics. We call them profiles.
[05:50.960 --> 05:58.960]  And so we have a build profile working group. We've got the defects working group that's working on the security profile.
[05:58.960 --> 06:02.960]  So Thomas is here. He leads that one if you're interested in that topic.
[06:02.960 --> 06:12.960]  We've got a AI working group that's focusing on AI applications models as well as they're also doing the work on defining the data set profile.
[06:12.960 --> 06:18.960]  And we have the safety profile that Nicole is working on as well.
[06:18.960 --> 06:20.960]  So we have groups of people.
[06:20.960 --> 06:22.960]  And there's also licensing.
[06:22.960 --> 06:24.960]  Of course, there's also licensing. Yes.
[06:24.960 --> 06:28.960]  So what we're trying to do is make sure the spec becomes more modular.
[06:28.960 --> 06:34.960]  So if you don't care about licensing or you just want to carry about the components and relationships, that information is there.
[06:34.960 --> 06:38.960]  And you don't have to carry the other stuff with you.
[06:38.960 --> 06:42.960]  This was feedback we have gotten and the community listened.
[06:42.960 --> 06:48.960]  And so we've gone through a very major effort of reshaping the spec to make this possible.
[06:48.960 --> 06:50.960]  Go.
[06:50.960 --> 06:52.960]  Interesting.
[06:52.960 --> 06:54.960]  What about IoT?
[06:54.960 --> 06:56.960]  Because that's where...
[06:56.960 --> 06:58.960]  IoT?
[06:58.960 --> 07:02.960]  Yes. Does IoT not need a thing because it's got specific market...
[07:02.960 --> 07:04.960]  Small...
[07:04.960 --> 07:08.960]  Actually, no.
[07:08.960 --> 07:10.960]  IoT is already handled.
[07:10.960 --> 07:12.960]  It's been handled for a long time.
[07:12.960 --> 07:16.960]  This whole SPDX came out of the embedded space.
[07:16.960 --> 07:18.960]  And it's one of the most developed profiles.
[07:18.960 --> 07:22.960]  Yachto is basically building systems that work in that space.
[07:22.960 --> 07:24.960]  Zephyr is an IoT operating system.
[07:24.960 --> 07:28.960]  And builds all these S-bombs today.
[07:28.960 --> 07:30.960]  Automatically. Which is how it should be.
[07:30.960 --> 07:32.960]  I'm going to make that bomb score a little chip set.
[07:32.960 --> 07:34.960]  Yep.
[07:34.960 --> 07:36.960]  Easy.
[07:36.960 --> 07:38.960]  There. Just use it.
[07:38.960 --> 07:40.960]  Okay.
[07:40.960 --> 07:42.960]  I just not seen that.
[07:42.960 --> 07:44.960]  Well, no, like...
[07:44.960 --> 07:46.960]  I feel that coming all the way through.
[07:46.960 --> 07:50.960]  Josh has been to have this available now for a year and a half to two years.
[07:50.960 --> 07:54.960]  And it's a question of getting it out there and letting people know it's there
[07:54.960 --> 07:56.960]  and letting people turn the option on.
[07:56.960 --> 07:58.960]  This is where why...
[07:58.960 --> 08:00.960]  For those on the call, my bad,
[08:00.960 --> 08:02.960]  it was a question of what about IoT?
[08:02.960 --> 08:06.960]  And realistically, I think IoT is actually one of our bare spots.
[08:06.960 --> 08:08.960]  We also operate in the IoT space.
[08:08.960 --> 08:10.960]  Yes.
[08:10.960 --> 08:14.960]  In our era, our presentation of today was about
[08:14.960 --> 08:18.960]  how to make a very reliable bomb with all the metadata,
[08:18.960 --> 08:20.960]  information, provenance, and assurance
[08:20.960 --> 08:24.960]  that the source code matches the actual code that goes into binary
[08:24.960 --> 08:30.960]  and to have approves and auditable process all the way through.
[08:30.960 --> 08:34.960]  So for us, it's just as in a piece of software.
[08:38.960 --> 08:40.960]  And get access to the software.
[08:40.960 --> 08:43.960]  Like I said, to some of the points from the last panel,
[08:43.960 --> 08:45.960]  we need reproducible builds. This is part of it.
[08:45.960 --> 08:47.960]  One of the things I really like about what's happening in the Yachto space
[08:47.960 --> 08:49.960]  is all of their builds are reproducible already,
[08:49.960 --> 08:52.960]  and then they have the summary information from the S-bombs.
[08:52.960 --> 08:56.960]  And so, like, you know, if your Chinese kid has a Yachto build associated with it,
[08:56.960 --> 08:59.960]  you should be able to get everything you need.
[08:59.960 --> 09:04.960]  Well, to chime in,
[09:04.960 --> 09:08.960]  actually one of the worst ADAK we have in the space
[09:08.960 --> 09:11.960]  is with the drivers and firmware
[09:11.960 --> 09:14.960]  and proprietary blobs that came from there.
[09:14.960 --> 09:16.960]  Therein lies the problem.
[09:16.960 --> 09:19.960]  So we are trying to only, it's not up to us,
[09:19.960 --> 09:27.960]  but to start from, those who are more effective in providing source code
[09:27.960 --> 09:30.960]  and all the information possible for having a full stack open source,
[09:30.960 --> 09:35.960]  not just until the solar pad stuff is there.
[09:36.960 --> 09:39.960]  Yeah, there's also work going on to reach out
[09:39.960 --> 09:42.960]  and starting to like the CHIPS Alliance group.
[09:42.960 --> 09:44.960]  And so when bandwidth starts to permit,
[09:44.960 --> 09:47.960]  we get a little bit farther on on the 3.0 out to the door.
[09:47.960 --> 09:51.960]  There are people there that are interested in actually looking at starting to summarize
[09:51.960 --> 09:57.960]  the silicon and the, quite frankly, board information,
[09:57.960 --> 10:00.960]  because at the heart of it all, it's files.
[10:00.960 --> 10:03.960]  I think I can see lots of things going forward.
[10:03.960 --> 10:04.960]  Yeah.
[10:04.960 --> 10:12.960]  There's a lot of kids out there with unknown TCP stacks, et cetera.
[10:12.960 --> 10:17.960]  Okay, there's a lot of kids out there with unknown pedigree to put it,
[10:17.960 --> 10:19.960]  it's a simple thing.
[10:19.960 --> 10:25.960]  If we are to make, you know, and everyone's worry about cyber vulnerabilities
[10:25.960 --> 10:27.960]  and hackers and stuff like that,
[10:27.960 --> 10:35.960]  how are we as a community trying to help people address that weakness?
[10:35.960 --> 10:38.960]  Because I think we know how to go forward,
[10:38.960 --> 10:44.960]  but actually I've got a little sensor that may be in quite a difficult environment to change,
[10:44.960 --> 10:47.960]  but I don't know what it is and I don't know what my risk profile is
[10:47.960 --> 10:49.960]  and how my risk profile is changing.
[10:49.960 --> 10:54.960]  So how am I going to find that when I've no idea what's in that chip?
[10:54.960 --> 11:01.960]  So no easy answer, but this is the reason we have a class called Analyzed
[11:01.960 --> 11:04.960]  where you're basically trying to work your way through binaries and images
[11:04.960 --> 11:07.960]  to understand what might be there and you're mining it.
[11:07.960 --> 11:10.960]  There's a couple of tools out there already.
[11:10.960 --> 11:12.960]  I think there's more that will probably show up.
[11:12.960 --> 11:20.960]  Binary Analysis Nick Generation, I think Livermore Labs has another tool that they're working on.
[11:21.960 --> 11:26.960]  But this is a general question about adoption, right?
[11:26.960 --> 11:28.960]  We're all talking about S-bombs.
[11:28.960 --> 11:33.960]  The people in this room have heard lots about S-bombs and they understand it.
[11:33.960 --> 11:36.960]  But again, in order to gain wide adoption,
[11:36.960 --> 11:40.960]  it's always the chicken and egg program that was mentioned before, right?
[11:40.960 --> 11:45.960]  So we should start asking for S-bombs and producing S-bombs
[11:45.960 --> 11:55.960]  and people will get used to seeing S-bombs and it was mentioned as an example.
[11:55.960 --> 12:01.960]  Maybe GitHub can be persuaded to make S-bombs easy or whatever.
[12:01.960 --> 12:07.960]  All these things obviously take time and we all have to work on that.
[12:07.960 --> 12:09.960]  Sorry, go ahead.
[12:09.960 --> 12:18.960]  Do any chip providers provide S-bombs for hardware blocks that have software counterparts in firmware yet?
[12:18.960 --> 12:20.960]  So the question for those on the thing is,
[12:20.960 --> 12:27.960]  do any hardware providers provide S-bombs for their firmware blocks that...
[12:27.960 --> 12:29.960]  Sorry, say it again.
[12:29.960 --> 12:34.960]  For the hardware blocks that have software counterparts in firmware?
[12:34.960 --> 12:38.960]  For the hardware blocks that have software counterparts in firmware.
[12:39.960 --> 12:46.960]  I think you might see some of it coming out of some of the open stuff from ARM
[12:46.960 --> 12:50.960]  and some of the stuff from RISC-5 when they're having add-on units.
[12:50.960 --> 12:53.960]  Some of those may start to become visible.
[12:53.960 --> 12:55.960]  But I do not know specifics.
[12:55.960 --> 12:57.960]  Do you know specifics, Alexios?
[12:57.960 --> 13:01.960]  Okay, I've just seen discussions in those areas.
[13:01.960 --> 13:06.960]  One of the extensions that we're looking for,
[13:06.960 --> 13:10.960]  as predicts in the future, is to extend towards hardware.
[13:10.960 --> 13:17.960]  So we can more easily, in the same format or whatever you want to call it,
[13:17.960 --> 13:20.960]  we can capture information about hardware.
[13:20.960 --> 13:27.960]  And the issue that you point is in between hardware blocks and software blocks
[13:27.960 --> 13:30.960]  and hardware blocks containing software and firmware and all this stuff.
[13:31.960 --> 13:36.960]  I'll also say that my view is, firmware is just another type of software.
[13:46.960 --> 13:48.960]  The comments made that medical device.
[13:52.960 --> 13:55.960]  Just pointing out that New York Presbyterian and S-bombs stuff,
[13:55.960 --> 13:57.960]  the medical device area is making more progress.
[14:00.960 --> 14:02.960]  Daggerboard is a project.
[14:03.960 --> 14:05.960]  Go ahead, Thomas.
[14:31.960 --> 14:35.960]  Okay, I'll start and then let others chime in.
[14:39.960 --> 14:43.960]  Governments have an influence with the regulatory authorities,
[14:43.960 --> 14:45.960]  the regulatory authorities are part of government.
[14:46.960 --> 14:49.960]  With the plethora of information that's in software,
[14:49.960 --> 14:52.960]  I'm really happy that the FDA is expecting to have S-bombs.
[14:52.960 --> 14:55.960]  And it didn't get yanked out of the legislation.
[14:56.960 --> 14:58.960]  I think anything that has critical infrastructure,
[14:58.960 --> 15:03.960]  we should be expecting to know that S-bombs can be produced by the people who care about them.
[15:03.960 --> 15:06.960]  And we'll consume them and look at them and do the analysis.
[15:06.960 --> 15:09.960]  Because if we want the world to be a safer place,
[15:09.960 --> 15:11.960]  we need to get rid of the opacity here.
[15:11.960 --> 15:13.960]  And we actually have to get the transparency in.
[15:13.960 --> 15:15.960]  That's my view.
[15:15.960 --> 15:17.960]  So I think some of the things I'm seeing in Europe,
[15:17.960 --> 15:20.960]  some of the things I'm seeing in other countries like Japan and so forth,
[15:20.960 --> 15:22.960]  art is starting to expect that level of transparency.
[15:22.960 --> 15:24.960]  And I think it's helpful.
[15:28.960 --> 15:31.960]  I think in that space there's a lot of good to be done
[15:31.960 --> 15:34.960]  and a lot of damage that can be done.
[15:34.960 --> 15:36.960]  Because speaking of CRA,
[15:36.960 --> 15:40.960]  the request for having a full S-bomb
[15:40.960 --> 15:43.960]  or full traceability of software and stuff
[15:43.960 --> 15:45.960]  so that you know what component is there
[15:45.960 --> 15:48.960]  and if there's vulnerabilities and stuff is good.
[15:48.960 --> 15:51.960]  But at the same time they put burdens
[15:51.960 --> 15:57.960]  and simply disregard whatever the requirements of an open source project is
[15:57.960 --> 16:01.960]  and they can destroy and poison the world that they try to.
[16:01.960 --> 16:04.960]  So it's a double S store.
[16:10.960 --> 16:13.960]  And I think it's another sort of thing about fitness for purpose,
[16:13.960 --> 16:15.960]  for software.
[16:15.960 --> 16:17.960]  You know, I've heard things, you know,
[16:17.960 --> 16:22.960]  the Sale of Goods Act basically does it do what you're expected to do.
[16:22.960 --> 16:25.960]  And you know, certainly the large organizations
[16:25.960 --> 16:29.960]  where you're paid more than $10 to create a system,
[16:29.960 --> 16:32.960]  basically you expect the system to work
[16:32.960 --> 16:34.960]  most of the time and pretty reliably.
[16:34.960 --> 16:36.960]  And actually then to say,
[16:36.960 --> 16:39.960]  okay, but I've built it on Microsoft Windows
[16:39.960 --> 16:42.960]  just to choose a third party proprietary software.
[16:42.960 --> 16:44.960]  That's got bugs, yes?
[16:44.960 --> 16:47.960]  But you know, getting an understanding to understand
[16:47.960 --> 16:50.960]  working together with government
[16:50.960 --> 16:52.960]  because a lot of these big contracts that have the problems
[16:52.960 --> 16:54.960]  are government contracts
[16:54.960 --> 16:56.960]  because the defence or infrastructures
[16:56.960 --> 16:58.960]  basically for people to work together and recognize
[16:58.960 --> 17:00.960]  rather than have a big stick,
[17:00.960 --> 17:02.960]  basically how can we work together
[17:02.960 --> 17:05.960]  to basically to make industry better
[17:05.960 --> 17:09.960]  and can custom end users understand what they have to do
[17:09.960 --> 17:11.960]  as well as what we as providers have to do.
[17:11.960 --> 17:15.960]  And I think it's getting that balance right.
[17:18.960 --> 17:20.960]  I'd like to ask,
[17:20.960 --> 17:23.960]  is do you know about an existing current time
[17:23.960 --> 17:25.960]  as born generation working group
[17:25.960 --> 17:30.960]  because I couldn't find anything in that area?
[17:30.960 --> 17:35.960]  I only found two tools that are for Kubernetes specific,
[17:35.960 --> 17:38.960]  but no other information.
[17:38.960 --> 17:40.960]  The question was,
[17:40.960 --> 17:42.960]  I've heard the question this time, excellent.
[17:42.960 --> 17:46.960]  So I think we're starting to see that there's one tool
[17:46.960 --> 17:48.960]  that sort of advertises itself in that way
[17:48.960 --> 17:50.960]  that I'm aware of.
[17:50.960 --> 17:52.960]  I think this is an area that will seem worth things
[17:52.960 --> 17:55.960]  starting to emerge in this next year
[17:55.960 --> 17:58.960]  on the runtime and monitoring of systems with S-bombs.
[17:58.960 --> 17:59.960]  What?
[17:59.960 --> 18:01.960]  There's J-bombs, isn't there?
[18:01.960 --> 18:04.960]  Yeah, but there's more ecosystems than Java.
[18:05.960 --> 18:08.960]  I think that on this continent,
[18:08.960 --> 18:10.960]  you said about Kubernetes,
[18:10.960 --> 18:12.960]  people are going to focus on where they need it.
[18:12.960 --> 18:14.960]  There's more than one tool, yeah.
[18:14.960 --> 18:15.960]  Okay.
[18:17.960 --> 18:18.960]  Any other?
[18:18.960 --> 18:20.960]  Do you want to start that generation?
[18:20.960 --> 18:21.960]  Yeah.
[18:21.960 --> 18:22.960]  Okay.
[18:22.960 --> 18:23.960]  Good job.
[18:23.960 --> 18:25.960]  And who are you?
[18:25.960 --> 18:26.960]  Nick.
[18:26.960 --> 18:27.960]  Go for it.
[18:27.960 --> 18:30.960]  Maybe a question back to the cycle here.
[18:30.960 --> 18:32.960]  Oh, dear.
[18:33.960 --> 18:35.960]  Something positive.
[18:35.960 --> 18:39.960]  Something positive about the Cyclone DX and SPDX formats.
[18:39.960 --> 18:42.960]  I was wondering if maybe we,
[18:42.960 --> 18:45.960]  rather than waiting for the market to destroy one or the other,
[18:45.960 --> 18:47.960]  I don't like this too much,
[18:47.960 --> 18:50.960]  but wouldn't proper tooling for conversion,
[18:50.960 --> 18:54.960]  comparison, yeah, I was wondering what the state of this.
[18:54.960 --> 18:55.960]  Okay.
[18:55.960 --> 18:58.960]  So there are two tools out there right now today,
[18:58.960 --> 19:01.960]  and all help is welcome to harden them up.
[19:01.960 --> 19:05.960]  In the SPDX repo, there's a CDX to SPDX tool,
[19:05.960 --> 19:07.960]  and in the Cyclone DX, there's a Cyclone,
[19:07.960 --> 19:10.960]  there's an SPDX to Cyclone DX tool.
[19:10.960 --> 19:13.960]  Both of these tools are there.
[19:13.960 --> 19:14.960]  We've been working,
[19:14.960 --> 19:17.960]  and the reason we put out the 2.3 release of SPDX
[19:17.960 --> 19:19.960]  is so we could have some of the fields
[19:19.960 --> 19:22.960]  to help round trip between the two formats.
[19:22.960 --> 19:26.960]  So SPDX put out a whole release to try to be compatible.
[19:26.960 --> 19:27.960]  Okay.
[19:28.960 --> 19:30.960]  And we'll keep the fields,
[19:30.960 --> 19:31.960]  and we'll try to, you know, like I say,
[19:31.960 --> 19:32.960]  we want to make sure we're compatible,
[19:32.960 --> 19:34.960]  at least on the minimum subset.
[19:34.960 --> 19:36.960]  Hopefully more.
[19:36.960 --> 19:40.960]  And I think the other important piece to recognize about that
[19:40.960 --> 19:44.960]  was actually the communities got together
[19:44.960 --> 19:50.960]  to inspect the specs and see what kind of data loss
[19:50.960 --> 19:52.960]  happened from one way to the other,
[19:52.960 --> 19:56.960]  and we had like this big table in Austin, I think.
[19:56.960 --> 19:57.960]  Yeah.
[19:57.960 --> 19:58.960]  Yeah, we were...
[19:58.960 --> 19:59.960]  Waiting to do it.
[19:59.960 --> 20:03.960]  Yeah, like the engineers talking to each other
[20:03.960 --> 20:06.960]  completely civilized and nicely,
[20:06.960 --> 20:09.960]  and well, some progress is getting down there.
[20:09.960 --> 20:10.960]  Yeah.
[20:10.960 --> 20:11.960]  Yeah.
[20:11.960 --> 20:13.960]  No, it is, like I say, round tripping,
[20:13.960 --> 20:16.960]  and we're going to have an ecosystem right now
[20:16.960 --> 20:18.960]  where we have multiple,
[20:18.960 --> 20:23.960]  and so ingestion and transformation is going to be necessary.
[20:23.960 --> 20:25.960]  I think that's just going to be our reality.
[20:26.960 --> 20:29.960]  Any other questions?
[20:29.960 --> 20:31.960]  Well, oh, one more.
[20:31.960 --> 20:32.960]  Okay.
[20:32.960 --> 20:35.960]  We can't double open or double open.
[20:35.960 --> 20:37.960]  Yeah, question about double open.
[20:37.960 --> 20:39.960]  We can say some words about that.
[20:39.960 --> 20:41.960]  Okay, Thomas.
[20:41.960 --> 20:43.960]  Thomas, why don't you just get up here?
[20:43.960 --> 20:44.960]  Yeah.
[20:44.960 --> 20:47.960]  That way I don't have to try to get that all the way to you.
[20:47.960 --> 20:49.960]  The thing.
[20:49.960 --> 20:51.960]  Double open, go for it.
[20:51.960 --> 20:53.960]  Double open for people who don't know double open.
[20:53.960 --> 20:56.960]  Double open is managed by a Finnish law firm
[20:56.960 --> 21:01.960]  that basically came together.
[21:01.960 --> 21:03.960]  So basically in Germany,
[21:03.960 --> 21:05.960]  there was poor COVID long time,
[21:05.960 --> 21:07.960]  which a lot of the things that are now being discussed
[21:07.960 --> 21:09.960]  were discussed in a smaller group inside of Germany
[21:09.960 --> 21:12.960]  way beginning because we stumbled upon each other.
[21:12.960 --> 21:13.960]  And along the way,
[21:13.960 --> 21:16.960]  basically we stumbled upon some fins that happened to,
[21:16.960 --> 21:19.960]  I don't know how, but lawyers, lawyers.
[21:19.960 --> 21:23.960]  And so basically they had similar use cases
[21:23.960 --> 21:24.960]  where they were like,
[21:24.960 --> 21:26.960]  oh, hang on, we want to do Jokto stuff,
[21:26.960 --> 21:29.960]  but the Jokto tooling is actually not there.
[21:29.960 --> 21:33.960]  So, and what they luckily did is they started collaborating with us
[21:33.960 --> 21:35.960]  over on the Oort side,
[21:35.960 --> 21:37.960]  and also, well, it's not only Oort,
[21:37.960 --> 21:39.960]  we had for use there and all stuff.
[21:39.960 --> 21:41.960]  We were like, hey, guys, don't reinvent the wheel.
[21:41.960 --> 21:43.960]  That's a lot of other companies do.
[21:43.960 --> 21:45.960]  So what they actually did is they said,
[21:45.960 --> 21:46.960]  okay, we do the Jokto stuff,
[21:46.960 --> 21:48.960]  which was none of the people in the German side knew Jokto.
[21:48.960 --> 21:49.960]  Well, they know Jokto,
[21:49.960 --> 21:52.960]  but we didn't have enough resources to actually build a tooling for it.
[21:52.960 --> 21:54.960]  So they started working on basically saying,
[21:54.960 --> 21:57.960]  okay, we do the Jokto stuff for a pilot with one of our,
[21:57.960 --> 21:58.960]  with their kind of clients.
[21:58.960 --> 22:01.960]  And then basically they bolted it on to Oort
[22:01.960 --> 22:03.960]  for the rest of like the license compliance
[22:03.960 --> 22:05.960]  where they do the notice generation,
[22:05.960 --> 22:06.960]  the policies and all the other stuff.
[22:06.960 --> 22:09.960]  So yeah, double open is a, I haven't spoken,
[22:09.960 --> 22:11.960]  with COVID we kind of lost touch,
[22:11.960 --> 22:14.960]  but I know they're still active and they're still doing things.
[22:14.960 --> 22:18.960]  Does it talk about, if they started to merge these things
[22:18.960 --> 22:19.960]  and the main Jokto,
[22:19.960 --> 22:21.960]  technically people say that yes,
[22:21.960 --> 22:24.960]  but what I saw is not exactly the result of the work,
[22:24.960 --> 22:28.960]  but a mixture of things that they cannot guarantee that this,
[22:28.960 --> 22:32.960]  but they're still using the separate scanners and other parts.
[22:32.960 --> 22:33.960]  Yeah.
[22:33.960 --> 22:36.960]  So they're basically, again, like Oort and the other stuff,
[22:36.960 --> 22:38.960]  it's users that have problems.
[22:38.960 --> 22:41.960]  And instead of basically just inventing their own wheel,
[22:41.960 --> 22:44.960]  basically they all came together with other users.
[22:44.960 --> 22:45.960]  So that's, I said,
[22:45.960 --> 22:48.960]  there's a massive group in Germany
[22:48.960 --> 22:50.960]  that has been working together
[22:50.960 --> 22:52.960]  and then the Finns got involved
[22:52.960 --> 22:54.960]  and then now we have people from the Netherlands involved
[22:54.960 --> 22:55.960]  and now we have people from French.
[22:55.960 --> 22:58.960]  So it's spreading, sliding out of all over
[22:58.960 --> 23:00.960]  because most of it is funded from like,
[23:00.960 --> 23:02.960]  I'm mostly in Opposite Program Officers
[23:02.960 --> 23:05.960]  and Opposite Program Officers are usually too small
[23:05.960 --> 23:07.960]  and they're racially running into,
[23:07.960 --> 23:09.960]  well, quite enough, I have a talk on Wednesday
[23:09.960 --> 23:11.960]  at Open State of Open about this,
[23:11.960 --> 23:14.960]  is that basically, hey, how can you do things at speed,
[23:14.960 --> 23:18.960]  at scale, while still staying compliant
[23:18.960 --> 23:22.960]  and still keeping your developers somewhat happy?
[23:22.960 --> 23:24.960]  And this is really where we,
[23:24.960 --> 23:26.960]  again, I keep track of,
[23:26.960 --> 23:27.960]  people are really scared,
[23:27.960 --> 23:31.960]  I currently have 142 compliance and asthma solutions
[23:31.960 --> 23:33.960]  that all around the world I keep track of.
[23:33.960 --> 23:37.960]  Whether in the US, China, Japan, I keep track of all of them,
[23:37.960 --> 23:38.960]  it's such a big mess.
[23:38.960 --> 23:41.960]  And then we said users, well, we can't do,
[23:41.960 --> 23:43.960]  we'll build it ourselves
[23:43.960 --> 23:45.960]  because still a lot of tools.
[23:45.960 --> 23:47.960]  So yeah, if you are building an asthma tool
[23:47.960 --> 23:50.960]  and please reach out to Kate, Alex,
[23:50.960 --> 23:53.960]  and we will probably redirect you
[23:53.960 --> 23:55.960]  where other people with similar problems
[23:55.960 --> 23:57.960]  are already building stuff.
[23:57.960 --> 23:59.960]  And if you have internal asthma tooling
[23:59.960 --> 24:03.960]  and you need to help open sourcing that,
[24:03.960 --> 24:05.960]  that's kind of what I do for work.
[24:05.960 --> 24:07.960]  So open sourcing internal project,
[24:07.960 --> 24:08.960]  I'm very good at that.
[24:08.960 --> 24:09.960]  I have even lobbied,
[24:09.960 --> 24:11.960]  I went to visit several companies,
[24:11.960 --> 24:13.960]  did presentations to executives
[24:13.960 --> 24:16.960]  on why it was a good thing to open source their asthma tooling.
[24:16.960 --> 24:19.960]  And this is why we actually have now a four-off tooling
[24:19.960 --> 24:22.960]  because basically we convince people to open source it.
[24:22.960 --> 24:24.960]  The more you open source it, the more we learn it.
[24:24.960 --> 24:26.960]  So actually, funnily enough, most people don't know it,
[24:26.960 --> 24:27.960]  but the ORT people,
[24:27.960 --> 24:28.960]  we read the Psychonomics Code
[24:28.960 --> 24:30.960]  and the Psychonomics folks, they read the ORT code.
[24:30.960 --> 24:32.960]  And all of the asthma people and compliance people,
[24:32.960 --> 24:33.960]  they actually meet.
[24:33.960 --> 24:35.960]  Don't they read the SPDX code?
[24:35.960 --> 24:38.960]  I don't need to read it because I know where you know it.
[24:38.960 --> 24:40.960]  Whenever a new tool comes out,
[24:40.960 --> 24:42.960]  we read the source code of the other tool
[24:42.960 --> 24:44.960]  to figure out if there's anything useful in there
[24:44.960 --> 24:47.960]  or we point out like, hey, you haven't thought about this.
[24:47.960 --> 24:52.960]  Because as I said, making package analysis is insanely complex
[24:52.960 --> 24:56.960]  and the difference between asthma comes from experience.
[24:56.960 --> 24:59.960]  And I have been doing this for seven plus years
[24:59.960 --> 25:00.960]  with the Club in Germany
[25:00.960 --> 25:03.960]  and we produce probably more than a million as bombs
[25:03.960 --> 25:05.960]  with all of the comes by.
[25:05.960 --> 25:07.960]  We're talking about companies that have like,
[25:07.960 --> 25:09.960]  we're talking about a Bosch.
[25:09.960 --> 25:12.960]  That's like a half a million employees
[25:12.960 --> 25:14.960]  and God knows how many projects.
[25:16.960 --> 25:19.960]  Okay, well, I think we're just about done.
[25:19.960 --> 25:20.960]  Okay.
[25:20.960 --> 25:21.960]  Oh, time's up?
[25:21.960 --> 25:22.960]  Okay.
[25:22.960 --> 25:24.960]  Well, I just want to say thank you everyone
[25:24.960 --> 25:26.960]  for being here today.
[25:26.960 --> 25:28.960]  And thank you for the last...
[25:28.960 --> 25:31.960]  First ever S-bomb dev room, you've been part of it.
[25:31.960 --> 25:33.960]  And thank you for staying to the end
[25:33.960 --> 25:35.960]  and for the last questions.
[25:35.960 --> 25:37.960]  Much appreciated.
[25:37.960 --> 25:39.960]  APPLAUSE