SBOM Chaos and Software Sovereignty: The Hidden Challenges Facing Open Source with Stephanie Domas (Canonical)
19 November 2025

What's in the SOSS? An OpenSSF Podcast

About

Stephanie Domas, Canonical's Chief Security Officer, returns to What's in the SOSS to discuss critical open source challenges. She addresses the issues of third-party security patch versioning, the rise of software sovereignty, and how custom patches break SBOMs. Domas also explains why geographic code restrictions contradict open source principles and what the EU's Cyber Resilience Act (CRA) means for enterprises. She highlights Canonical's work integrating memory-safe components like sudo-rs into the next Ubuntu LTS. This episode challenges assumptions about supply chain security, software trust, and the future of collaborative development in a regulated world.

Chapters:
00:00 - Welcome
01:49 - Memory safety revolution
02:00 - Black Hat reflections
03:48 - The SBOM versioning crisis
06:23 - Semantic versioning falls apart
10:06 - Software sovereignty exposed
12:33 - Trust through transparency
14:02 - The insider threat parallel
17:04 - EU CRA impact
18:50 - The manufacturer gray area
21:08 - The one-maintainer problem
22:51 - Will regulations kill open source adoption?
24:43 - Call to action

Episode links:

Stephanie Domas LinkedIn page
Canonical
Ubuntu
OpenSSF Global Cyber Policy Working Group (CRA & policy/standards resources)
WiTS Podcast #18 - Canonical's Stephanie Domas and Security Insight from a Self-Described "Tinkerer"
Get involved with the OpenSSF
Subscribe to the OpenSSF newsletter
Follow the OpenSSF on LinkedIn