Rose,

 

 

Thanks for keeping these topics in front of everyone. They need to be
discussed and well understood. 

 

Thanks,

 

Dick Brooks

  

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council - A Public-Private Partnership

 

Never trust software, always verify and report!
<https://reliableenergyanalytics.com/products>

http://www.reliableenergyanalytics.com
<http://www.reliableenergyanalytics.com/> 

Email: [email protected]
<mailto:[email protected]> 

Tel: +1 978-696-1788

 

From: Rose Judge <[email protected]> 
Sent: Friday, January 27, 2023 12:36 PM
To: Zavras, Alexios <[email protected]>;
[email protected]; [email protected]
Subject: Re: [spdx-tech] Package Supplier clarification

 

Thanks Dick and Alexios. This is helpful!

 

From: Zavras, Alexios <[email protected]>
Date: Friday, January 27, 2023 at 1:40 AM
To: [email protected], Rose Judge <[email protected]>, [email protected]
Subject: RE: [spdx-tech] Package Supplier clarification

        

I am very much in favor of Rose's use of the "distributor" as "supplier" (in
Dick's wording).

 

It all depends on what "package" we're talking about. Taking OpenSSL as an
example:

*       If we're talking about openssl-3.0.7.tar.gz downloaded from
openssl.org or their GitHub repo, the Package Supplier should be "OpenSSL".
*       If, on the other hand, we're talking about
openssl_3.0.7-1ubuntu1_amd64.deb that was installed via apt(1) from the
upstream repository, the Package Supplier should be "Ubuntu" (or Canonical).
After all, who knows whether there have been changes from the upstream
sources.

 

Therefore, for packages coming from a Linux distribution, for example, I
believe that Package Supplier should be the distribution.

 

Similarly, when I do pip install somemodule this gets downloaded from PyPI.
I have no way of knowing whether it was uploaded there from the original
project (with presence in somemodule.org, for example) or someone else. The
only thing I can safely say is that it was "supplied" by "PyPI".

 

-- zvr 
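As an added illustration (not code from this thread, from Tern, or from the SPDX project), here is the rule Alexios describes, answering Rose's apt/pip/apk question, turned into a small Python routine that fills SPDX 2.3 PackageSupplier and PackageOriginator; the source-to-organization table and the Package record are assumptions made for the example.

```python
# Added illustration (not code from the spdx-tech thread, Tern or the SPDX
# project): choose the SPDX 2.3 PackageSupplier value by where a package was
# obtained.  The entity that delivered the artifact is the supplier; the
# upstream project goes in PackageOriginator, since the delivered bits may
# differ from upstream sources.  The table and the Package record below are
# assumptions made for this example.
from dataclasses import dataclass
from typing import Optional

# Constructed table: package manager / repository the artifact came from -> supplier.
SOURCE_SUPPLIER = {
    "apt:ubuntu": "Ubuntu",      # e.g. openssl_3.0.7-1ubuntu1_amd64.deb via apt(1)
    "apt:debian": "Debian",
    "dnf:rhel": "Red Hat",
    "apk:alpine": "Alpine",
    "pip:pypi": "PyPI",          # pip install somemodule
}


@dataclass
class Package:
    name: str
    version: str
    source: Optional[str]       # key into SOURCE_SUPPLIER; None = fetched from the project itself
    originator: Optional[str]   # upstream project, when known
    download_location: str


def package_supplier(pkg: Package) -> str:
    """SPDX PackageSupplier value for pkg.

    A tarball taken from the project's own site or repo is supplied by the
    project.  Anything installed through a distribution or index is supplied
    by that distribution/index.  Unknown sources get NOASSERTION, never a guess.
    """
    if pkg.source is None and pkg.originator:
        return f"Organization: {pkg.originator}"
    org = SOURCE_SUPPLIER.get(pkg.source or "")
    return f"Organization: {org}" if org else "NOASSERTION"


def spdx_tag_values(pkg: Package) -> str:
    """Render the package as SPDX 2.3 tag-value lines."""
    originator = f"Organization: {pkg.originator}" if pkg.originator else "NOASSERTION"
    return "\n".join([
        f"PackageName: {pkg.name}",
        f"PackageVersion: {pkg.version}",
        f"PackageSupplier: {package_supplier(pkg)}",
        f"PackageOriginator: {originator}",
        f"PackageDownloadLocation: {pkg.download_location}",
    ])
```

For the Ubuntu .deb case this yields a supplier of Ubuntu with OpenSSL kept as originator, which is exactly the distinction the thread is drawing.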

 

From: [email protected] On Behalf Of Dick Brooks
Sent: Thursday, 26 January, 2023 21:51
To: [email protected]; [email protected]
Subject: Re: [spdx-tech] Package Supplier clarification

 

Rose,

 

IMO, the SPDX Package Supplier is the same as Supplier Name within the NTIA
minimum elements (attached)

 

Three roles are coming into view on the IETF SCITT initiative:

*       Supplier (original creator of the software product/component)
*       Authorized Signing Party (a party that is authorized to sign an artifact)
*       Distributor (app stores, package managers, GitHub)

 

A single entity may serve in all 3 roles, or each role may be served by
separate entities.

 

There's also another role, "Vendor" - this would be System Integrators that
are delivering software products as part of an all-inclusive solution for a
consumer.

 

The consumer role is always present.

 

This is all still very much under discussion within SCITT.

 

 

 

Thanks,

 

Dick Brooks

  


 

From: [email protected] On Behalf Of Rose Judge via lists.spdx.org
Sent: Thursday, January 26, 2023 3:19 PM
To: [email protected]
Subject: [spdx-tech] Package Supplier clarification

 

Hello,

 

I was reading a thread about Package Supplier field clarification from late
last year and was hoping to get even further clarification as we add this
information to Tern's SPDX documents. Regarding Sebastian's reply here
<https://lists.spdx.org/g/Spdx-tech/message/4815>, which says Red Hat would be the
supplier of RHEL packages -- would we use the entity/owner of the package
manager as the package supplier? For example, packages installed via "apt
install" = "Organization: Ubuntu" package supplier? And packages installed
via pip would be "Organization: PyPI" for the supplier; packages installed
using apk = "Organization: Alpine" supplier, etc?

 

Thanks in advance,

Rose 




 

        

 



View/Reply Online (#4947): https://lists.spdx.org/g/Spdx-tech/message/4947