This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tooling-docs.git
The following commit(s) were added to refs/heads/main by this push: new 77ff235 Move cve-process.md to advisory-process.md and update with feedback (#9) 77ff235 is described below commit 77ff23522d601ea6de4dc567fd906f8752c5c93d Author: Sean B. Palmer <s...@miscoranda.com> AuthorDate: Tue Feb 4 23:04:38 2025 +0200 Move cve-process.md to advisory-process.md and update with feedback (#9) --- apache-trusted-release/advisory-process.md | 9 +++++++++ apache-trusted-release/cve-process.md | 7 ------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/apache-trusted-release/advisory-process.md b/apache-trusted-release/advisory-process.md new file mode 100644 index 0000000..c4f4e8d --- /dev/null +++ b/apache-trusted-release/advisory-process.md @@ -0,0 +1,9 @@ +# Security Advisory Process "Phase" + +When security advisories are announced there needs to be co-ordination between Security tooling such as cveprocess.apache.org and the ATR. + +For every impacted release with an SBOM we could link SBOMs to advisories. + +Per @raboof: "SBOMs should ideally be immutable metadata for release artifacts and not touched afterwards. There are various 'SBOM-adjacent' formats to link SBOMs/artifacts to advisories, though ([notably VDR](https://cwiki.apache.org/confluence/display/SECURITY/How+to+publish+an+advisory)) and we definitely might want to publish those in the future" + +> Note: whether this is an explicit phase or not depends on integration discussions with the security team. [Current feedback from Arnout](https://the-asf.slack.com/archives/C049WADAAQG/p1738673273324409) is that we should defer this feature for now. diff --git a/apache-trusted-release/cve-process.md b/apache-trusted-release/cve-process.md deleted file mode 100644 index c848fa7..0000000 --- a/apache-trusted-release/cve-process.md +++ /dev/null 
@@ -1,7 +0,0 @@ -# Update SBOMs - CVE Process "Phase" - -When CVEs are announced there needs to be co-ordination between Security's cveprocess.apache.org and the ATR. - -For every impacted release with an SBOM the SBOMs will need to be updated. - -> Note: whether this is an explicit phase or not depends on integration discussions with the security team.
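Review bot: the new advisory-process.md leaves the design direction ambiguous: the second paragraph says "we could link SBOMs to advisories", while the quoted feedback immediately below says SBOMs should be immutable release metadata and points at SBOM-adjacent formats such as VDR instead. State the intended approach explicitly, for example "Release SBOMs are not modified after publication; advisory-to-artifact links are published as separate documents (VDR)", and expand the VDR acronym on first use, since the linked wiki page is currently its only definition. The deferral note also cites a permalink on the-asf.slack.com, which is unreachable for readers outside that workspace and is not archived; summarize the decision in the document itself and link to a durable record (mailing list thread or issue) instead.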
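Review bot: the stat line shows only these two files touched, so any index, README or cross-link that still points at apache-trusted-release/cve-process.md will now dangle after this rename; search the repository for "cve-process" and update those references in the same change. The deletion also reverses a substantive statement (the removed text says "the SBOMs will need to be updated", the replacement says SBOMs should not be touched afterwards), which is worth calling out in the commit message rather than only "update with feedback".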