VA can't keep track of its software licenses


K.S. Bhaskar

Apr 14, 2026, 4:09:04 PM (4 days ago) Apr 14
to Hardhats

Alvin Marcelo

Apr 14, 2026, 7:36:06 PM (4 days ago) Apr 14
to hard...@googlegroups.com
Thanks for sharing KS -- This is very informative - 

But even with the shift to FOSS, won't the VA still be hard-pressed to maintain its software bill of materials?

Are there policies and frameworks (I guess cybersecurity?) that will compel practitioners to maintain a registry/SBOM?

You cannot protect what you do not know - 

alvin






Nancy Anthracite

Apr 15, 2026, 8:08:46 AM (3 days ago) Apr 15
to hard...@googlegroups.com, 'Alvin Marcelo' via Hardhats

At least for the licenses for Iris for VistA, it would end that issue if they went FOSS.


--

Nancy Anthracite


On Tuesday, April 14, 2026 7:35:45 PM Eastern Daylight Time 'Alvin Marcelo' via Hardhats wrote:

> Thanks for sharing KS -- This is very informative -
>
> But even with the shift to FOSS, won't the VA still be hard-pressed to
> maintain its software bill of materials?
>
> Are there policies and frameworks (I guess cybersecurity?) that will compel
> practitioners to maintain a registry/SBOM?
>
> You cannot protect what you do not know -
>
> alvin
>
> On Wed, Apr 15, 2026 at 4:09 AM K.S. Bhaskar <ksbh...@gmail.com> wrote:
>
> > https://docs.house.gov/meetings/VR/VR08/20260325/119102/HHRG-119-VR08-20260325-SD002.pdf
> >
> > One more reason to go open source!
> >
> > Regards
> > - Bhaskar


K.S. Bhaskar

Apr 15, 2026, 11:29:50 AM (3 days ago) Apr 15
to Hardhats
Tracking software bills of materials is different from tracking licenses. If you have software package X, you only need to track the BoM once, even if it is used in a thousand places. If you have proprietary licenses, you have to track all thousand. Yes, software BoMs also need to be tracked, and it's a lot simpler to track the BoM of a FOSS package than a proprietary package.

Regards
- Bhaskar