NLnet and NGI Zero/NGI Assure are organising a series of webinars on *Open Software Supply Chain management*. As the dependency of society on technology continues to increase in every possible direction, it is of

utmost importance to understand the dynamic life cycle of the free and open source building blocks that form the basis of pretty much all technology we use today - and how these can be kept safe and available.

Not only do we need to improve our understanding of how and where software is developed, maintained, built and deprecated at macro scale - but we also need to create mechanisms to ensure that building blocks are kept up to date, that different versions don't collide, FOSS packages from

All, attached some info on a series of webinars on the supply chain management organized by the NLnet colleagues, which I think could be of interest to the wg. Recordings of the two past webinars are available online (s. link further down). Also further down you'll details on the two upcoming ones. Enjoy and have a nice weekend! Marcos the public

repositories have not "bit-rotted" or even worse: have been tampered with by malicious actors as part of a "supply chain attack". There has been an increasing attention to the fact that with software "eating the world", a healthy and robust software ecosystem should be a key societal (and thus political) priority. But at the same time, we should do so with full understanding of the highly specific nature of "digital commons" - as the controversy surrounding the upcoming Cyber Resilience Act clearly proves.

In this series of webinars by leading experts such as Armijn Hemel (Tjaldur), Shane Coughlan (OpenChain), Carlo Piana (OSI), Alberto Pianon (FSFE) and Philippe Ombredanne (AboutCode) we look at software supply chains from different angles. What do modern electronics supply chains look like, how is provenance handled - and how *should* it be handled? What mechanisms do we have to verify the integrity of deployed code packages and detect abnormal code changes that may be signs of malicious modifications and possible attacks? Where do "Software Bill of Materials" come into play? And what is being done, and perhaps should be done from a legislative and governance point of view?

The entire webinar series is available free of charge, and will allow you a deep dive into the hidden world behind the software and hardware we use - and will help you get a clear understanding of how open source supply chains work, and a grasp of what the policy challenges are.

You can join the webinars via this BigBlueButton link:

https://bbb.protagio.nl/b/ron-qed-tog-gey

The other episodes in the webinar series on Open Software Supply Chain management are:

* Thursday May 4th 2023 // 13.00 - 14.30 CEST (Amsterdam, Berlin, Rome)

- Speakers: Carlo Piana & Alberto Pianon. - Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe. - More info: https://nlnet.nl/events/20230504/WebinarSoftwareSupplyChain-ep3

* Thursday May 11th 2023 // 13.00 - 14.30 CEST (Amsterdam, Berlin, Rome)

- Speaker: Shane Martin Coughlan - Topic: ISO standards and certification. (This talk was previously scheduled for April 27). - More info: https://nlnet.nl/events/20230511/WebinarSoftwareSupplyChain- ep4/index.html

The first episode with Armijn Hemel already took place on April 6th, with

-- the

topic of Open Source in (Consumer) Electronics Supply Chains. You can find the link to the recording here:

https://nlnet.nl/events/20230406/WebinarSoftwareSupplyChain/index.html

Looking forward to see you there!

the NLnet team