As we all assemble more and more complex software from an ever growing number of free and open source software components, knowing what's in our code is a must for security, legal and operational reasons.
To deal with these new challenges, a set of techniques and tools has emerged, spanning topics from dependency management to software composition analysis (SCA). They should help you determine which software dependencies are embedded in your project, where and how (directly or indirectly), as well as their origin, licensing, vulnerabilities, quality and other important attributes.
Are you contributing to a FOSS project that aims to make the lives of developers easier? Are you looking for what's coming next to help you deal with your project's long list of dependencies? If so, come and join us at FOSDEM 2022 to share your techniques and experiences, and demo your FOSS tools, so that we can collaborate towards a better FOSS toolchain.
We are interested in demos, presentations and panel discussions on software composition analysis, dependencies management and related topics. If you want to make your talk a bit more in-theme with the conference at large, take a peek at what FOSDEM published from previous years. Also, keep in mind this event is about free and open source software, not proprietary code and data.
If you have any issues, please contact dependency-devroom-manager at fosdem.org. You can also send us a notification of your submission there.
Important dates:
- December 27th 2021: Deadline for submission of proposals
- December 28th 2021: You receive a notification that your presentation has been accepted or not
- December 31st 2021: Developer rooms publish complete schedules
- First two weeks of January: Period for recording and uploading talks by speakers
- Dependencies and Tracing
  - Tools that can analyze, resolve and trace dependencies
  - Binary analysis that traces and guesses the libraries compiled or minified into larger packages
  - Build tracing and instrumentation for provenance and compliance
- Matching
  - Source and binary code matching to determine or verify code provenance based on indexes and similarities at the package, file or snippet level
- Scanning
  - Parsing and collecting dependency declarations and package manifest metadata
  - Detecting and analyzing code licenses, copyrights and other provenance clues
- Vulnerabilities
  - Discovering, cataloging, correlating and classifying vulnerabilities
  - Finding vulnerabilities in code and dependencies
- FOSS supply chain integrity
  - Securing the FOSS supply chain at large
- Software Bill of Materials
  - Producing and consuming SBoMs
  - Translating between different SBoM formats
- Other open source software composition and dependency topics
  - Combining origin data with vulnerability analysis
  - Augmenting SCA data with manual curation
  - Analysis automation and machine learning for compliance
  - Code analysis workflows, integration and analysis scripting
  - License compliance tooling, license compatibility automation
  - Tooling project updates
  - Sharing your story of using SCA and dependency management tools
  - Automating policies
  - SCA combined with other techniques, such as static analysis
If you have suggestions, or if you are not sure your talk fits the devroom theme, feel free to post in the discussions section.
Since this is going to be a virtual event, we are planning to use the following structure:
The devroom will be organized in multiple sessions of 1 hour 30 minutes each.
Each session will group three presentations related to the same general topic, followed by a live panel discussion and Q&A session with the presenters.
Each session will start with a 45-minute segment of three short presentations, about 15 minutes each at most.
These presentations must be pre-recorded ahead of time and uploaded three weeks before FOSDEM, i.e., by January 14th 2022.
Then, in the second part of the session, the three speakers of that session will join a 30-minute live online panel on Jitsi for Q&A and panel discussion, moderated by one of the volunteer organizers of this devroom.
With this combination of shorter recorded talks and longer live Q&A panel discussions, we expect a more interactive and lively virtual devroom event.
Once your presentation is accepted, we will be there to help you produce the pre-recorded content. Be ready to start recording right away: the recording will need to be uploaded two weeks before FOSDEM so that the volunteer organizers have enough time to get it ready. We will review the content to check that it has acceptable quality, and make sure it is correctly available in the FOSDEM system and ready for broadcast. On our FOSDEM day, you must be available online during the whole session to answer participants' questions received in the chat and to take part in the live Jitsi session. Note that we will try to accommodate your scheduling preference requests if possible, but in general the reference time zone for the event is Brussels time!
Please submit your proposals at https://penta.fosdem.org/submission/FOSDEM22. Deadline: December 27th 2021.
If you already have a Pentabarf account (for example as a result of having submitted a proposal in the past), make sure you use it to log in and submit your proposal. Do not create a new account if you already have one. Please provide a bit of information about yourself under Person -> Description -> Abstract. When you submit your proposal (creating an "Event" in Pentabarf), make sure you choose "Software composition and dependency management devroom" in the track drop-down menu. Otherwise your proposal might go unnoticed. Fill in at least a title and abstract for the proposed talk (note that abstract and full description will be concatenated).
What information is required:
- General: First and last name / Nickname (optional) / Picture
- Contact:
  - email address
  - mobile number (this is a very hard requirement, as there will be no other reliable form of emergency communication on the day)
Create an event:
- On the General page: Event title (required) / Event subtitle (optional).
- Track: Select "Software composition and dependency management devroom"
- Event type: Lecture (talk)
- Persons: Add yourself as speaker with your bio.
- Description: Abstract (required) / Full Description (optional)
- Links: Add relevant links.
In order to encourage fair reuse and credits when sharing text from this material in other dev room activities: This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.