The Dale Peterson podcast comments are also worth reading: https://www.linkedin.com/posts/dale-peterson-s4_tom-alrich-on-all-things-sbom-activity-6897264598605545472-9ZLA

I'm sending this information so that people will be aware of some prevailing attitudes about SPDX, as expressed by Tom Alrich in the interview, and by some of the commenters who view the SBOM market as a Rugby Match for mindshare. My company processes both SPDX and CycloneDX SBOMs, although we only generate SPDX SBOMs, and we will support CycloneDX VEX and whatever the SPDX community settles on for vulnerability reporting. CSAF VEX didn't make the cut.

My message to everyone: just be aware of how some people are sharing their public opinion of SPDX as you continue your work. Don't give people a reason to reject SPDX as a viable SBOM format for Executive Order 14028.

Thanks,

Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Wednesday, February 9, 2022 6:16 PM
To: 'Henk Birkholz' <[email protected]>; [email protected]; [email protected]; 'Kate Stewart' <[email protected]>; 'Gary O'Neall' <[email protected]>
Subject: Re: [spdx-tech] [spdx-defects] SPDX Defects (Vulnerabilities) Profile call

>> Expose your ideas to plenty of security experts and actively invite a
>> constructive type of bashing.

IMO, there's a big difference between honest/open technical debate and bashing. Honest/open technical debate leads to consensus solutions (and running code); bashing is divisive and intended to cause harm. IMHO, the podcast is an example of bashing, and not representative of an open/honest technical discussion, but we each must decide for ourselves. I've also made my opinion known to Dale Peterson, the host.

https://www.linkedin.com/feed/update/urn:li:activity:6897264598605545472/?commentUrn=urn%3Ali%3Acomment%3A(activity%3A6897264598605545472%2C6897295042223177728)

My hope is that members of the defects initiative will adopt a professional, respectful, collaborative and collegial technical debate to address the open issues that were identified during the DocFest. Every proposed solution for V 2.3 should stand "under the arch" and microscope.

Thanks,

Dick Brooks
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: Henk Birkholz <[email protected]>
Sent: Wednesday, February 9, 2022 5:57 PM
To: [email protected]; [email protected]; 'Kate Stewart' <[email protected]>; 'Gary O'Neall' <[email protected]>; Dick Brooks <[email protected]>
Subject: Re: [spdx-defects] SPDX Defects (Vulnerabilities) Profile call

Dear list members,

TL;DR: Expose your ideas to plenty of security experts and actively invite a constructive type of bashing.

As the defects list is a relatively new list, please allow me to start by introducing a cautious observation to the mix. I have to highlight that I am voicing my personal *subjective perception* from my point of view, which I definitely do *not* consider to be hard *facts*:

From my point of view, the amount of unwarranted bashing and what sometimes can even appear as - I am applying the next word with great care - "gaslighting" seems to be continuously increasing. Analogously, blog posts, tweets, podcasts, and magazine articles appear to become increasingly popular channels to advertise certain approaches and solutions as "superior". Unfortunately, what I subjectively highlight and name here as advertising and unwarranted bashing via these channels has the potential to drown out established approaches or solutions and, worse, standards developed and reviewed by large numbers of various domain experts over years.

Even more unfortunately, the increasingly popular channels used to float such statements can be out-of-band for whole peer groups of experts, which potentially renders them completely oblivious to these activities at times when they are actually needed the most. Sometimes, an expert takes note of a bad case of gaslighting (and I recommend taking the time to quickly digest the email linked below - the context becomes apparent via the references listed at the bottom of it):

> https://mailarchive.ietf.org/arch/msg/cose/8ywbcUy-YQZUh0JF4W5Tto1dCvg/

Before that individually perceived background (and that cherry-picked example), my careful recommendation would be to pro-actively reach out to established bodies that include well-known groups of experts at regular intervals and invite bashing - of the constructive kind. Personally, I think that if bashing takes on the form of deliberately invited and constructive criticism, that is very beneficial when trying to create solutions that are literally in support of "the nation's cybersecurity". I would actually be worried if corresponding proposals are not "bashed" (by a critical mass of security experts).

Best regards,
Henk

On 09.02.22 22:13, Dick Brooks wrote:
> Dale Peterson interview.
>
> FYI: There's no shortage of SPDX bashing out there claiming SPDX doesn't support vulnerability reporting.
>
> https://unsolicitedresponse.libsyn.com/tom-alrich-on-all-things-sbom
>
> Listen around the 8 minute mark.
>
> These are the words of the NTIA Energy POC leader. Clearly biased.
>
> SPDX V 2.3 will shut down these boisterous claims from those that bash SPDX.
>
> Thanks,
>
> Dick Brooks
> Never trust software, always verify and report! ™ <https://reliableenergyanalytics.com/products>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> From: [email protected] <[email protected]> On Behalf Of Thomas Steenbergen
> Sent: Tuesday, February 8, 2022 8:10 PM
> To: Thomas Steenbergen <[email protected]>; [email protected]; [email protected]
> Subject: Re: [spdx-defects] SPDX Defects (Vulnerabilities) Profile call
>
> Hi everyone,
>
> Based on people submitting their availability to the doodle poll <https://doodle.com/poll/9752zbs29fn6ch77?utm_source=poll&utm_medium=link>, the best time to meet for the weekly SPDX Defects meeting is on Wednesday at:
>
> * 8 - 9 PM CET (Amsterdam / Paris)
> * 1 - 2 PM CST (Chicago)
> * 2 - 3 PM EST (New York)
> * 1 AM - 12 PM PST (San Francisco)
> * 4 AM - 5 AM JST (Seoul / Tokyo)
>
> I will shortly send out a recurring meeting invite to everyone on the spdx-defects <https://lists.spdx.org/g/spdx-defects> mailing list - our next meeting will be on February 16th.
>
> One of the first agenda topics will be to discuss making it possible to link to security vulnerability information in SPDX 2.3 to offer a solution until SPDX 3.0 is ready.
>
> Regards,
>
> Thomas
>
> ------------------------------------------------------------------------
>
> From: Thomas Steenbergen on behalf of Thomas Steenbergen <[email protected]>
> Sent: Tuesday, January 25, 2022 6:49 PM
> To: [email protected]; [email protected]
> Cc: [email protected]
> Subject: SPDX Defects (Vulnerabilities) Profile call
>
> Hi all,
>
> I would like to start a new weekly meeting series to continue the work on the SPDX Defects profile - the new profile in SPDX 3.0 to exchange defects information including security vulnerabilities.
>
> If you are interested in participating in this profile, please join the spdx-defects mailing list <https://lists.spdx.org/g/spdx-defects> and fill in the below linked doodle so I can learn which day of the week and time works best for everyone to schedule the weekly call.
>
> https://doodle.com/poll/9752zbs29fn6ch77?utm_source=poll&utm_medium=link
>
> Regards,
>
> Thomas
