Dear list members,
TL;DR Expose your ideas to plenty of security experts and actively
invite a constructive type of bashing.
As the defects list is a relatively new list, please allow me to start
by introducing a cautious observation to the mix. I have to highlight
that I am voicing my personal *subjective perception* from my point of
view, which I definitely do *not* consider to be hard *facts*:
From my point of view, the amount of unwarranted bashing and what
sometimes can even appear as - I am applying the next word with great
care - "gaslighting" seems to be continuously increasing. Analogously,
blog posts, tweets, podcasts, and magazine articles appear to become
increasingly popular channels to advertise certain approaches and
solutions as "superior".
Unfortunately, what I subjectively highlight and name here as
advertising and unwarranted bashing via these channels has the potential
to drown out established approaches or solutions and worse - standards
developed and reviewed by large amounts of various domain experts over
years. Even more unfortunately, the increasingly popular channels used
to float such statements can be out-of-band for whole peer groups of
experts, which potentially renders them completely oblivious to these
activities at times when they are actually needed the most.
Sometimes, an expert takes note of a bad case of gaslighting (and I
recommend taking the time to quickly digest the email linked below -
the context becomes apparent via the references listed at the bottom of it):
https://mailarchive.ietf.org/arch/msg/cose/8ywbcUy-YQZUh0JF4W5Tto1dCvg/
Against that individually perceived background (and that cherry-picked
example), my careful recommendation would be to pro-actively reach out
to established bodies that include well-known groups of experts at
regular intervals and invite bashing - of the constructive kind.
Personally, I think that if bashing takes the form of deliberately invited
and constructive criticism, that is very beneficial when trying to
create solutions that are literally in support of "the nation's
cybersecurity". I would actually be worried if corresponding proposals
were not "bashed" (by a critical mass of security experts).
Best regards,
Henk
On 09.02.22 22:13, Dick Brooks wrote:
Dale Peterson interview.
FYI: There’s no shortage of SPDX bashing out there claiming SPDX doesn’t
support vulnerability reporting.
https://unsolicitedresponse.libsyn.com/tom-alrich-on-all-things-sbom
Listen around the 8 minute mark.
These are the words of the NTIA Energy POC leader. Clearly biased.
SPDX V 2.3 will shut down these boisterous claims from those that bash
SPDX.
Thanks,
Dick Brooks
*Never trust software, always verify and report!* ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
*From:* [email protected] <[email protected]> *On Behalf Of* Thomas Steenbergen
*Sent:* Tuesday, February 8, 2022 8:10 PM
*To:* Thomas Steenbergen <[email protected]>;
[email protected]; [email protected]
*Subject:* Re: [spdx-defects] SPDX Defects (Vulnerabilities) Profile call
Hi everyone,
Based on the availability people submitted to the doodle poll
<https://doodle.com/poll/9752zbs29fn6ch77?utm_source=poll&utm_medium=link>,
the best time to meet for the weekly SPDX Defects meeting is on Wednesday at:
* 8 - 9 PM CET (Amsterdam / Paris)
* 1 - 2 PM CST (Chicago)
* 2 - 3 PM EST (New York)
* 1 AM - 12 PM PST (San Francisco)
* 4 AM - 5 AM JST (Seoul / Tokyo)
I will shortly send out a recurring meeting invite to everyone on
the spdx-defects <https://lists.spdx.org/g/spdx-defects> mailing list -
our next meeting will be on February 16th.
One of the first agenda topics will be to discuss making it possible to
link to security vulnerability information in SPDX 2.3 to offer a
solution until SPDX 3.0 is ready.
Regards,
Thomas
------------------------------------------------------------------------
*From:* Thomas Steenbergen on behalf of Thomas Steenbergen <[email protected]>
*Sent:* Tuesday, January 25, 2022 6:49 PM
*To:* [email protected]; [email protected]
*Cc:* [email protected]
*Subject:* SPDX Defects (Vulnerabilities) Profile call
Hi all,
I would like to start a new weekly meeting series to continue the work
on the SPDX Defects profile - the new profile in SPDX 3.0 to exchange
defects information including security vulnerabilities.
If you are interested in participating in this profile, please join the
spdx-defects mailing list <https://lists.spdx.org/g/spdx-defects> and
fill in the doodle poll linked below so I can learn which day of the week and
time works best for everyone to schedule the weekly call.
https://doodle.com/poll/9752zbs29fn6ch77?utm_source=poll&utm_medium=link
Regards,
Thomas
View/Reply Online (#4370): https://lists.spdx.org/g/Spdx-tech/message/4370