Alexios makes an excellent point: "who knows whether there have been changes
from the upstream sources."

This is precisely why a consumer performs a supply chain risk assessment and
one of the steps is to ascertain a "trust relationship" between the party
that created/licenses a software product (Supplier) and an authorized
signing party (Signer). A consumer needs to know that the signing party has
been authorized by the original supplier of the product, which can be
distributed on lots of different platforms, i.e. GitHub, app stores, etc.

SCITT has identified three roles: Supplier, Authorized Signing Party and
Distributor. They can all be the same party or each can be a different
party. A trust relationship needs to be verifiable between a supplier and
signing party. This enables any distributor to make a trusted software
product available, and it's verifiably the same product based on the
supplier/signer trust relationship, regardless of which distributor delivers
the product.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report!
https://reliableenergyanalytics.com/products

http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788
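The supplier/signer trust relationship described in the message above, worked through as a consumer-side verification. This is an added example and not code from the thread, SPDX or SCITT: it assumes Ed25519 keys, a constructed byte layout for the supplier's authorization statement and the signer's attestation (not any SCITT format), and constructed product names and artifact bytes. The consumer pins only the supplier's public key; the authorization proves the signer was authorized by the supplier, the attestation binds the signing key to the artifact digest, and the distributor that delivered the bytes never enters the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authorization is the Supplier's signed statement that SignerPub may sign
// artifacts of Product. The statement layout is constructed for this example
// and is not a SCITT format.
type Authorization struct {
	Product   string
	SignerPub ed25519.PublicKey
	Sig       []byte
}

// Attestation is what the Authorized Signing Party ships with the artifact.
// Only the digest is signed, so it stays valid for the same bytes whichever
// Distributor delivers them.
type Attestation struct {
	Product string
	Digest  [sha256.Size]byte
	Sig     []byte
}

func authorizationBytes(product string, signerPub ed25519.PublicKey) []byte {
	return []byte("authorize|" + product + "|" + hex.EncodeToString(signerPub))
}

func attestationBytes(product string, digest [sha256.Size]byte) []byte {
	return []byte("artifact|" + product + "|" + hex.EncodeToString(digest[:]))
}

// GenerateKey makes a fresh Ed25519 key pair for a supplier or a signer.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Authorize is the Supplier's step: it records the supplier/signer trust
// relationship as a statement signed with the supplier's own key.
func Authorize(supplierPriv ed25519.PrivateKey, product string, signerPub ed25519.PublicKey) Authorization {
	sig := ed25519.Sign(supplierPriv, authorizationBytes(product, signerPub))
	return Authorization{Product: product, SignerPub: signerPub, Sig: sig}
}

// SignArtifact is the Authorized Signing Party's step: hash the bytes and sign the digest.
func SignArtifact(signerPriv ed25519.PrivateKey, product string, artifact []byte) Attestation {
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(signerPriv, attestationBytes(product, digest))
	return Attestation{Product: product, Digest: digest, Sig: sig}
}

// VerifyArtifact is the consumer's check. supplierPub is the one value the
// consumer must obtain out of band (directly from the supplier, not from a
// distributor). The bytes are accepted only if (1) the supplier's key verifies
// an authorization for this product and signing key, (2) that signing key
// verifies the attestation, and (3) the attested digest matches the bytes
// actually received. Which distributor delivered the bytes plays no part.
func VerifyArtifact(supplierPub ed25519.PublicKey, auth Authorization, att Attestation, artifact []byte) error {
	if auth.Product != att.Product {
		return errors.New("authorization and attestation name different products")
	}
	if !ed25519.Verify(supplierPub, authorizationBytes(auth.Product, auth.SignerPub), auth.Sig) {
		return errors.New("signing key is not authorized by the supplier")
	}
	if !ed25519.Verify(auth.SignerPub, attestationBytes(att.Product, att.Digest), att.Sig) {
		return errors.New("attestation does not verify under the authorized signing key")
	}
	if sha256.Sum256(artifact) != att.Digest {
		return errors.New("received bytes do not match the attested digest")
	}
	return nil
}

func main() {
	supplierPub, supplierPriv, _ := GenerateKey() // constructed sample keys
	signerPub, signerPriv, _ := GenerateKey()
	auth := Authorize(supplierPriv, "openssl-3.0.7", signerPub)
	artifact := []byte("constructed stand-in for openssl-3.0.7.tar.gz")
	att := SignArtifact(signerPriv, "openssl-3.0.7", artifact)
	fmt.Println("same bytes from any distributor:", VerifyArtifact(supplierPub, auth, att, artifact))
	fmt.Println("altered copy:", VerifyArtifact(supplierPub, auth, att, []byte("altered bytes")))
}
```

The product name is included in both signed statements so that an authorization issued for one product cannot be replayed to vouch for a signer of another; the check fails closed on any mismatch, an unauthorized signing key, a forged authorization, or bytes that differ from what the signer attested.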

From: [email protected] <[email protected]> On Behalf Of Alexios Zavras
Sent: Friday, January 27, 2023 4:37 AM
To: [email protected]; [email protected]; [email protected]
Subject: Re: [spdx-tech] Package Supplier clarification

I am very much in favor of Rose's use of the "distributor" as "supplier" (in
Dick's wording).

It all depends on what "package" we're talking about. Taking OpenSSL as an
example:

* If we're talking about openssl-3.0.7.tar.gz downloaded from openssl.org or
  their GitHub repo, the Package Supplier should be "OpenSSL"
* If, on the other hand, we're talking about openssl_3.0.7-1ubuntu1_amd64.deb
  that was installed via apt(1) from the upstream repository, the Package
  Supplier should be "Ubuntu" (or Canonical). After all, who knows whether
  there have been changes from the upstream sources.

Therefore, for packages coming from a Linux distribution, for example, I
believe that the Package Supplier should be the distribution.

Similarly, when I do pip install somemodule this gets downloaded from PyPI.
I have no way of knowing whether it was uploaded there from the original
project (with presence in somemodule.org, for example) or someone else. The
only thing I can safely say is that it was "supplied" by "PyPI".

-- zvr

From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Thursday, 26 January, 2023 21:51
To: [email protected]; [email protected]
Subject: Re: [spdx-tech] Package Supplier clarification

Rose,

IMO, the SPDX Package Supplier is the same as Supplier Name within the NTIA
minimum elements (attached).

Three roles are coming into view on the IETF SCITT initiative:

* Supplier (original creator of the software product/component)
* Authorized Signing Party (a party that is authorized to sign an artifact)
* Distributor (app stores, package managers, GitHub)

A single entity may serve in all 3 roles, or each role may be served by
separate entities.

There's also another role, "Vendor" - this would be System Integrators that
are delivering software products as part of an all-inclusive solution for a
consumer.

The consumer role is always present.

This is all still very much under discussion within SCITT.
Thanks,

Dick Brooks

From: [email protected] <[email protected]> On Behalf Of Rose Judge via lists.spdx.org
Sent: Thursday, January 26, 2023 3:19 PM
To: [email protected]
Subject: [spdx-tech] Package Supplier clarification

Hello,

I was reading a thread about Package Supplier field clarification from late
last year and was hoping to get even further clarification as we add this
information to Tern's SPDX documents. Regarding Sebastian's reply here
(https://lists.spdx.org/g/Spdx-tech/message/4815), which says Red Hat would
be the supplier of RHEL packages -- would we use the entity/owner of the
package manager as the package supplier? For example, packages installed via
"apt install" = "Organization: Ubuntu" package supplier? And packages
installed via pip would be "Organization: PyPI" for the supplier; packages
installed using apk = "Organization: Alpine" supplier, etc?

Thanks in advance,

Rose

Intel Deutschland GmbH
Registered Address: Am Campeon 10, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Sharon Heck, Tiffany Doon Silva
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928

View/Reply Online (#4945): https://lists.spdx.org/g/Spdx-tech/message/4945