Close

October 1, 2024

Joining forces for a secure open source software supply chain

The digital landscape is evolving, and with it, the responsibilities that come with creating, maintaining, and securing software. Landmark regulations like the European Cyber Resilience Act (CRA) are reshaping the way open-source software is used and governed. As these regulations set new standards, organizations must adapt to ensure compliance and security.

At Software Heritage, we believe that these changes present not only challenges but also opportunities to create a safer, more transparent open-source ecosystem. As the largest public archive of source code, supported by French research institute Inria and UNESCO, we’re a founding member of the Eclipse Foundation’s newly formed Open Regulatory Compliance Working Group (ORCWG). This group is dedicated to helping open-source projects navigate emerging regulatory requirements while ensuring that innovation and collaboration continue to thrive.

Why now: A new era of regulation

Over the past few years, regulations such as the Digital Services Act, Digital Markets Act, and the General Data Protection Regulation (GDPR) have introduced sweeping changes to the tech landscape.

The CRA, set to be in full force by the end of 2027, will also impact all software put on the market in Europe. It will require organizations to trace their software’s origins, manage vulnerabilities, and ensure that critical software components are properly documented. This highlights the need for strong tools and infrastructure to meet these requirements, which Software Heritage is equipped to provide.

Traceability and security with Software Heritage

Modern software development has often been compared to a Jenga tower. Each block is a component, and if one wobbles, the whole thing could crumble. Today, most software stacks are built on a foundation of external components, often open source. To ensure a secure system, it’s crucial to know exactly what those blocks are and where they came from.

Enter ‘Know Your Software (KYSW). Just as banks must identify their customers, developers need to understand their software’s components. To achieve complete traceability, every piece of software, from binary to source code, must be created, shared, validated, and tracked.

That’s where Software Heritage comes in. We’ve secured over 50 billion software artifacts through the Software Hash Identifier (SWHID) specification, guaranteeing long-term availability, ensuring integrity, and enabling traceability across the entire software ecosystem.

With new regulations come basic needs that become best practices: making source code publicly available, identifying precisely the versions with or without this or that known vulnerability, tracing the origin of software components, finding a reference place where to store qualified metadata, and more.

Contributing to the future of open-source security

Joining the ORCWG is just the next step in our mission to make software safer and more open. We’ve been actively engaged in discussions about securing the software supply chain for years, and the SWHID is part of the SPDX 2.2 specification and included in the 2021 report of the working group on Software Bill of Materials (SBOM) that NTIA launched in 2018.

ORCWG just launched but is already gearing up for a major challenge: building a blueprint for cybersecurity that aligns with CRA. ORCWG’s mission? To deliver a clear roadmap for open-source projects, helping them navigate the new security landscape.

Get involved

We’re in good company: key players from foundations and corporations are joining forces in this new working group, organized by the Eclipse Foundation. At launch time, members included Apache Software Foundation (ASF), Blender Foundation, Robert Bosch GmbH, CodeDay, The Document Foundation, FreeBSD Foundation, Matrix.org Foundation, NLnet Labs, Open Elements, OpenForum Europe, OpenInfra Foundation, Open Source Initiative (OSI), Open Source Robotics Foundation (OSRF), OWASP, Payara Services, The PHP Foundation, Python Software Foundation, Rust Foundation, SCANOSS and Siemens.

If you’d like to join us, there are plenty of ways to get involved from a mailing list to a Matrix chat, weekly office hours, webinars and repos. You can also apply to become a member.