S4E11: John Speed Meyers - Data Science & Software Supply Chain Security
Chris: I have been following your research for several years now, dating back to your role before Chainguard. As you have watched the conversation around Software Supply Chain Security unfold in the industry, do you feel like we're making positive headway?Chris: You have done a lot of research into software supply chain security, and of course SBOM's. One recent study you took a look at the quality of SBOM's in the OSS ecosystem, compared to say the NTIA defined minimum elements for SBOM. Can you tell us a bit about the study and implications of the findings?Chris: In addition to SBOM, we're seeing the emergence of VEX, can you speak a bit about its importance?Chris: I wanted to follow up about OSS, since it has become such a core aspect of the software supply chain conversation. I'm sure based on your studies you know the phrase dubbed Linus' Law, which states that "with enough eyeballs all bugs are shallow" but based on my research for writing a book recently, I realized that the overwhelming majority of OSS projects lack enough eyeballs. Do you think this is a challenge when we look at the widespread adoption of OSS?Chris: Can you tell us a bit about your next/current efforts for software supply chain security research?