CHAOSScast

Episode 109: SBOMs and Project Health with Brittany Istenes


Thank you to the folks at Sustain for providing the hosting account for CHAOSSCast!

CHAOSScast – Episode 109

In this episode of CHAOSScast, host Georg Link is joined by Cali Dolfi, Senior Data Scientist at Red Hat, and Brittany Istenes, FINOS Ambassador. The discussion delves into the importance of measuring open source community health and the role of Software Bill of Materials (SBOM) in ensuring software security and compliance. They talk about the rising threats in open source software, the need for standardizing SBOMs, and how organizations can leverage these tools to proactively manage risks and project health. Also, they touch on practical steps being taken at Red Hat and other organizations to address these challenges. Hit download now to hear more!

[00:00:21] Our guests introduce themselves and their backgrounds.

[00:01:55] Georg explains the 700% rise in malicious packages and the risks of neglected open source components.

[00:04:36] What is an SBOM? Brittany describes an SBOM as a list of all software components and libraries in an application; automation and tooling for SBOM adoption are also discussed.

[00:06:08] Cali outlines the lack of consensus on SBOM fields and formats and advocates for including upstream repo links to assess project health. Brittany mentions companies being cautious about publicizing SBOMs due to IP concerns.

[00:09:12] Georg gives a historical overview of how SBOMs began as tools for license compliance and how they now cover more, including cybersecurity, following U.S. Executive Order 14028 (May 2021).

[00:15:51] Georg shares the three pillars of an SBOM strategy, license compliance, security, and project health, and explains how CHAOSS metrics can be combined with SBOMs to move from reactive to proactive strategies.

[00:16:59] Brittany emphasizes risk analysis and good design from project inception, noting that proactive open source strategies save effort later.

[00:18:43] Cali talks about using project health metrics and advocates for tracking maintainer activity, patch frequency, and project responsiveness.

[00:21:28] Brittany stresses internal engineering education on project health and risk: developers must understand what makes a project “healthy.”

[00:22:55] Georg talks about how open source has evolved and details using CHAOSS metrics for risk assessment and CI/CD integration.

[00:27:36] Cali shares Red Hat’s efforts to define what makes a project vulnerable and how it’s focused on detecting and sunsetting unmaintained dependencies.

[00:31:37] Brittany emphasizes the risk from version mismatches and misinterpreted CVEs and recommends a CHAOSS doc, “Metrics for OSS Viability” by Gary White.

[00:34:17] We end with Georg sharing some upcoming events: CHAOSScon North America, June 26, and Open Source Summit North America, June 23-25.

Value Adds (Picks) of the week:

  • [00:36:08] Georg’s pick is building a platform for his dog to look out the window.
  • [00:37:06] Brittany’s pick is spending time with Georg and Cali.
  • [00:38:12] Cali’s pick is her great support system since having ACL surgery.
    Panelist:

    Georg Link

    Guests:

    Cali Dolfi

    Brittany Istenes

    Links:

    CHAOSS

    CHAOSS Project X

    CHAOSScast Podcast

    Georg Link Website

    Brittany Istenes LinkedIn

    Brittany Istenes GitHub

    Cali Dolfi LinkedIn

    State of the Software Supply Chain (Sonatype)

    CHAOSScast Podcast-Episode 103: GrimoireLab at FreeBSD

    CHAOSS Community: Metrics for OSS Viability by Gary White

    CHAOSScon North America 2025, Denver, CO, June 26

    Open Source Summit North America, Denver CO, June 23-25

    Fintech Open Source (FINOS)

    Cyber Resilience Act (European Commission)

    Rising Threat: Understanding Software Supply Chain Cyberattacks And Protecting Against Them (Forbes)

    Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity (The White House)

    Types of Software Bill of Material (SBOM) Documents

    OpenSSF Scorecard

    OSS Project Viability Starter (CHAOSS)

    Show Me What You Got: Turning SBOMs Into Actions (Georg Link & Brittany Istenes)

    Special Guests: Brittany Istenes and Cali Dolfi.

    CHAOSScast, by CHAOSS Project